
View Full Version : Protecting a SQLite database file



blm126
02-09-2007, 02:03 AM
So, how would you go about protecting a SQLite database file? I'm working on a couple of PHP scripts using SQLite, and I'm not sure how to protect the database. It seems to me that someone could download the file since it is in the directory right next to the script. How do I prevent this?

mburt
02-09-2007, 02:13 AM
Make an index.php for that folder and set your condition.
For example:

if ($_GET["key"] != "randomstringhere") {
    dostuffhere();
}
I do it for redirections on my site if someone puts in a wrong page address.

Twey
02-09-2007, 03:08 PM
Move the file out of the web root.

boxxertrumps
02-09-2007, 08:42 PM
Why would it be in the web root in the first place? SQL files are in the MySQL/Other database's directory by default.

Twey
02-09-2007, 08:44 PM
Not MySQL, boxxertrumps. SQLite. :)

SQLite databases consist of a single file, no server, and can be placed wherever they're needed.

mburt
02-10-2007, 02:00 AM
Yup... in fact, I have no idea where my MySQL path is. That is a plus for SQLite, but also a fault because of the security leak.

thetestingsite
02-10-2007, 02:02 AM
It's only a real security leak if the data is stored in the root directory (or one accessible from the web). If it was stored even one level higher than the web directory, it would be safer.

mburt
02-10-2007, 02:06 AM
Yeah, I know. But it's still on the web one way or another. Get some super hacker and see how far she/he goes with it :p

Twey
02-10-2007, 02:10 AM
Another option (best used in tandem with moving it out of the web root) is to encrypt the file in some manner.
Yeah, I know. But it's still on the web one way or another.
Not really. It's on a server that's connected to the Internet, certainly, but it's not on the Web, per se. Besides, so is any database. It's remarkably tricky to return data when requested without storing said data :)

thetestingsite
02-10-2007, 02:12 AM
Yeah, maybe make up some kind of encryption/decryption method in one of the scripts used to access the data. That should be fairly easy (or extremely complex) depending on how you do it.

mburt
02-10-2007, 02:15 AM
Pfft... screw that, just encrypt the stored data (passwords for example). If someone does hack it, they won't know what encrypted it, so it would be impossible to reverse.

blm126
02-10-2007, 02:53 AM
Move the file out of the web root.
I thought of this, but was hoping someone would know of an easier way. When the code is deployed on a couple different servers, it gets annoying to have to change the SQLite file path.

Another option (best used in tandem with moving it out of the web root) is to encrypt the file in some manner
The passwords are already encrypted with MD5; are you talking about encrypting everything? I can imagine that would cause a performance hit.


Pfft... screw that, just encrypt the stored data (passwords for example). If someone does hack it, they won't know what encrypted it, so it would be impossible to reverse.
Not really. It wouldn't take them long to realize it is a PHP script, and that there aren't that many reversible encryption schemes out there for PHP, and I don't have the knowledge to write my own.

Since I stick to Apache servers could .htaccess be used? I'm not sure how.

Twey
02-10-2007, 03:20 AM
I thought of this, but was hoping someone would know of an easier way. When the code is deployed on a couple different servers, it gets annoying to have to change the SQLite file path.
You could also put it in a directory under the web root without read or execute privileges, and take those privileges from the file itself too.

The passwords are already encrypted with md5, are you talking about encrypting everything. I can imagine that would cause a performance hit.
I was, and it would.

there aren't that many reversible encryption schemes out there for PHP
There are plenty.

Since I stick to Apache servers could .htaccess be used? I'm not sure how.
Yes, you could:
<Files mydatabase.db>
Deny From All
</Files>
... or similar.

blm126
02-10-2007, 05:32 PM
<Files mydatabase.db>
Deny From All
</Files>
... or similar.
Thanks Twey, that's perfect.
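
Added example (not part of the thread): a small audit that finds SQLite files under a web root by their file header and reports whether an `.htaccess` `<Files>` deny rule like the one above covers each of them. The function names and the sample tree are constructed for illustration, and the parser only understands `<Files>` blocks with `Deny From All` or `Require all denied`.

```python
import fnmatch, os, re, tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
FILES_BLOCK = re.compile(r"<Files\s+\"?([^\">]+)\"?\s*>(.*?)</Files>", re.I | re.S)
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def is_sqlite(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def denied_by_htaccess(path, docroot):
    """Assumption: only <Files> blocks are read; FilesMatch and server config are ignored."""
    name = os.path.basename(path)
    directory = os.path.dirname(os.path.abspath(path))
    docroot = os.path.abspath(docroot)
    while True:  # walk from the file's directory up to the web root
        ht = os.path.join(directory, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                for pattern, body in FILES_BLOCK.findall(fh.read()):
                    if fnmatch.fnmatch(name, pattern.strip()) and DENY.search(body):
                        return True
        if directory == docroot or os.path.dirname(directory) == directory:
            return False
        directory = os.path.dirname(directory)

def audit(docroot):
    report = {}  # relative path -> "denied" | "EXPOSED"
    for root, _dirs, files in os.walk(docroot):
        for f in files:
            full = os.path.join(root, f)
            if is_sqlite(full):
                status = "denied" if denied_by_htaccess(full, docroot) else "EXPOSED"
                report[os.path.relpath(full, docroot)] = status
    return report

def demo():
    # Constructed sample tree: one protected database, one unprotected backup copy.
    with tempfile.TemporaryDirectory() as root:
        for rel in ("app/mydatabase.db", "backup/old.sqlite"):
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(SQLITE_MAGIC + b"\x00" * 84)
        with open(os.path.join(root, "app", ".htaccess"), "w") as fh:
            fh.write("<Files mydatabase.db>\nDeny From All\n</Files>\n")
        return audit(root)
```

A file reported as "denied" is only protected if the server actually honours `.htaccess` for that directory; a database kept outside the web root never shows up in the report at all.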