SQLite Web Security

Posted by Richard Cockrum on January 26, 2008

One thing that concerned me about using an SQLite database on a website was security. An SQLite database is a single file. The only security it has is based on file system security, which makes it subject to compromise when kept in a section of the file system open to the world, like your web folder.

I thought about putting it outside the web folder, but haven't been able to figure out how. The examples I found on the web were on the order of storing it in

$_SERVER['DOCUMENT_ROOT'] . '/../database.sqlite'

where database.sqlite is the name of your database. This essentially stores the database in a directory one level above the web directory.

However, all hosts, including mine, apparently, don't allow data files to be stored outside the web directory, at least for subdomains.

My second thought was to deny access through the .htaccess file. I found this configuration, which should do the trick:

# Deny all HTTP requests for files whose name ends in .ext
# (Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied")
<Files ~ "\.ext$">
Order deny,allow
Deny from all
</Files>

Here ext is the extension with which you have named your SQLite database. This can be used on any host that allows per-directory .htaccess files.
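Both approaches above can be combined in the PHP code that opens the database. The following is an added example, not code from the original post: it prefers the directory one level above the document root, falls back to the web folder when the host does not allow that, and logs when the file ends up web-reachable so the deny rule is known to be the only protection. The function names `is_under_docroot` and `sqlite_db_path` are hypothetical, and the PDO SQLite driver is assumed to be installed.

```php
<?php
// Added example; helper names are hypothetical, not from the original post.

// True when $path resolves to a location inside $docRoot, i.e. the web
// server could serve the file unless a deny rule blocks it.
function is_under_docroot(string $path, string $docRoot): bool
{
    $root = realpath($docRoot);
    // The database file may not exist yet, so resolve its directory instead.
    $dir = realpath(dirname($path));
    if ($root === false || $dir === false) {
        return false;
    }
    // Compare with trailing separators so /var/www2 is not seen as inside /var/www.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($dir . DIRECTORY_SEPARATOR, $root) === 0;
}

// Prefer the directory one level above the document root; fall back to the
// document root only when PHP cannot write above it on this host.
function sqlite_db_path(string $docRoot, string $name): string
{
    $docRoot = rtrim($docRoot, '/\\');
    $above = dirname($docRoot);
    if (is_dir($above) && is_writable($above)) {
        return $above . DIRECTORY_SEPARATOR . $name;
    }
    return $docRoot . DIRECTORY_SEPARATOR . $name;
}

// DOCUMENT_ROOT is empty on the command line, so use this script's directory there.
$docRoot = !empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : __DIR__;
$dbPath  = sqlite_db_path($docRoot, 'database.sqlite');

if (is_under_docroot($dbPath, $docRoot)) {
    // Still inside the web folder: the .htaccess rule is the only protection.
    error_log("SQLite file $dbPath is inside the document root; keep the .htaccess deny rule in place");
}

$db = new PDO('sqlite:' . $dbPath);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
```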

