Reputation: 130
I am making a distributed PHP application, and am planning to use SQLite to store the data. The database will be in a publicly accessible directory.
What is the best way to secure this database from the public? I am thinking of using an obfuscated file name. How effective would this be?
Upvotes: 1
Views: 558
Reputation: 23389
I just found this while Googling for a similar question.
The way to keep your SQLite data secure is simple. Encrypt the data with PHP BEFORE inserting it and decrypt it when you query the database. Don't worry about hiding the file; just make it unusable to unintended users.
Upvotes: 0
Reputation: 4033
Can you include a .htaccess file? That can be used to place per-file access restrictions, but will only work for users using Apache and compatible web servers, not for users using e.g. nginx.
As long as you can reliably prevent people from getting a directory listing, and you can place the database at a different, non-predictable location for each installation, it could be pretty secure, I think.
It is ugly, but I'd imagine creating a directory with a securely random name, putting an .htaccess and empty index.html in there, putting another randomly-named directory in there and putting the database into the second directory would be pretty effective. As long as you only have one subdirectory, you (but not the attacker) will be able to list the directory, find the subdirectory, and get access to the DB. Just make sure you don't leak the DB path through error messages...
And I disagree with claims that this is security by obscurity. As long as the location is non-predictable, knowing and understanding the code will not allow attackers to gain access.
Upvotes: 1
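The directory layout described in the answer above, sketched in PHP as an added example (not code from the answer's author). The function names, the `app.sqlite` file name, and the use of a dedicated base directory that holds nothing but the random directory are assumptions; it needs the `pdo_sqlite` extension.

```php
<?php
declare(strict_types=1);

// Layout: <base>/<random>/{.htaccess,index.html,<random>/app.sqlite}
function createDbLocation(string $base): string
{
    // 16 CSPRNG bytes = 128 bits of unpredictability per directory name.
    $outer = $base . '/' . bin2hex(random_bytes(16));
    $inner = $outer . '/' . bin2hex(random_bytes(16));
    if (!mkdir($inner, 0700, true)) {
        throw new RuntimeException('could not create data directory');
    }
    // Apache 2.4 syntax; servers such as nginx ignore .htaccess entirely.
    file_put_contents($outer . '/.htaccess', "Require all denied\nOptions -Indexes\n");
    file_put_contents($outer . '/index.html', '');
    return $inner . '/app.sqlite';
}

// Returns the single subdirectory of $dir, or fails without naming any path.
function onlySubdir(string $dir): string
{
    $subdirs = [];
    foreach (scandir($dir) ?: [] as $entry) {
        if ($entry !== '.' && $entry !== '..' && is_dir("$dir/$entry")) {
            $subdirs[] = "$dir/$entry";
        }
    }
    if (count($subdirs) !== 1) {
        throw new RuntimeException('unexpected data directory layout');
    }
    return $subdirs[0];
}

function openDb(string $base): PDO
{
    try {
        // The application can list its own directories; a remote client cannot.
        $path = is_dir($base) ? onlySubdir(onlySubdir($base)) . '/app.sqlite'
                              : createDbLocation($base);
        return new PDO('sqlite:' . $path, null, null,
                       [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (Throwable $e) {
        error_log($e->getMessage());                        // detail stays server-side
        throw new RuntimeException('database unavailable'); // no path in the message
    }
}

// Constructed demo: a scratch directory stands in for the web-served one.
$base = sys_get_temp_dir() . '/demo-data-' . bin2hex(random_bytes(4));
openDb($base)->exec('CREATE TABLE t (v TEXT)');   // first call creates the layout
echo openDb($base)->query('SELECT COUNT(*) FROM t')->fetchColumn(), "\n";
```

Keep `display_errors` off in production so that an uncaught exception or warning cannot print the path to the client.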