Here is the simple truth, if you are using a shared hosting solution that is not VPS (Virtual Private Server) it would be relatively trivial for other users of the system to access any file that the webserver has access to.
The point is that hosting companies, especially those using chroot, have to make sure that they don't force their users to store the database files in web-accessible locations, since the server is most probably designed to be able to serve files owned by the user, and these database files fall under that category.
Your <? trick is a cool idea though :)
Zeev
Now, because webserver will need access privileges to various PHP configuration file that means that those users can read then and consequently grab your passwords.
The only exception to this rule being if PHP is used as CGI or a separate Apache process is running for each user. In this case given proper file permissions (Ex. 0600) it would be nearly impossible for other users of the system to read yourfiles without 1st gaining root access on the machine.
An Sqlite database is nothing more then a binary file, and you should treat it
such. If you do not want to have people being able to download it, do not put
it inside a web accessible directory.
Another trick you can do is to give your sqlite database a .php extension and create a table that would cause PHP to generate a parse error when trying to send the database to the user. Ex. create table '<?php' (a);
This will make it impossible for people to download the data inside your database.
Ilia
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
