
"Aaron Wormus":http://www.wormus.com/aaron/ brings up an "interesting point":http://www.wormus.com/aaron/stories/2004/09/22/dangers-of-sqlite-ignorance.html that may be obvious to the more seasoned web programmers, yet may not even cross the mind of those beginning PHP programmers, especially those just starting with the powerful PHP5/SQLite combination.

bq. I’ve been going through the Zend Contest Entries and have been very surprised to see that only one of the five software packages that I have reviewed so far which used SQLite, does anything at all to protect their database. Due to the fact that many of these packages use SQLite because of the "no-installation-necessary" factor, it is very unlikely that the end user will bother securing the database themselves.

Allow me to explain.

When an SQLite database is stored on your server's file system in a location that is "web accessible" (whether or not its URL is announced), it is possible for it to be found, downloaded, and exploited. If you don't keep sensitive information in an SQLite database, and don't mind others seeing the structure of your backend databases, this might not be an issue for you. However, in most cases, it is.

When you select a location for storing your SQLite databases, it is best to choose a location outside of your web server's document root. If this isn't possible for you, for whatever reason, you can use ".htaccess" files (or your web server's equivalent) to forbid access to these files universally.
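To check an existing install against the advice above, the following added example (not code from the original post) walks a document root and reports every SQLite database stored inside it. It identifies files by their header bytes rather than by extension. The function names and the sample tree are constructed for illustration.

```python
import os
import sqlite3
import tempfile

# File-header signatures: SQLite 3, and the SQLite 2 format used by PHP5's sqlite extension.
SQLITE_MAGICS = (
    b"SQLite format 3\x00",
    b"** This file contains an SQLite 2.1 database **",
)
HEADER_LEN = max(len(m) for m in SQLITE_MAGICS)


def is_sqlite_file(path):
    """True if the file starts with a known SQLite header, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(HEADER_LEN)
    except OSError:
        return False  # unreadable by the user running the audit; skip it
    return head.startswith(SQLITE_MAGICS)


def find_exposed_databases(docroot):
    """Return sorted paths (relative to docroot) of SQLite files stored under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and is_sqlite_file(full):
                hits.append(os.path.relpath(full, docroot))
    return sorted(hits)


def build_sample_docroot():
    """Constructed sample tree: one real database with a misleading extension."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "data"))
    con = sqlite3.connect(os.path.join(root, "data", "app.dat"))
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.commit()
    con.close()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root


if __name__ == "__main__":
    for rel in find_exposed_databases(build_sample_docroot()):
        print("SQLite database inside document root:", rel)
```

Any path this reports should be moved outside the document root or covered by a deny rule in the web server configuration.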
