I thought more about the issue last night and I guess it can be summaried as thus:
In skilled hands an SQLite DB can be potentially more secure than a standard DB - but in unskilled hands the reverse is true, and SQLite becomes seriously insecure. Standard DBs don't vary to the same extent.
Could we have SQLite DB creation "option" that creates the DB with a header that begins <?php? (SQLite DBs are close to normal text in the first 20 chars anyway... ) - either way, I'm going to do some testing of Ilia's create table option and see if I can get around it.
Wow I can't believe I might be able to use an SQLite DB after all.
I still don't understand this entire thread. If you insist on making the file accessible from your DocRoot why can't you simply block any direct access to it via an Apache rule?
Something like:
<Files ~ "\.sql$">
Order allow,deny
Deny from all
</Files>And then name your sqlite files whatever.sql
And no, we are not going to mangle every sqlite DB we create by sticking <?php in it and suggesting that people feed their sqlite DB files through the PHP parser. What if someone comes along and comes up with a hack that changes the first table name to <?system("rm *") ? I would hate to have to explain to people that we promoted that sort of idiotic hack.
-Rasmus
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
