Most supported way to protect a flat file (sqlite db) from HTTP access?

Posted on 2024-07-16 21:51:25

I am developing a PHP application that uses SQLite as database management system. MySQL, PostgreSQL etc. are not an alternative (although I would really like to use pgsql), because I want the setup to be very beginner-friendly and zero-headache alike.
Now many people use shared hosting, and a lot of them only offer direct FTP access to the htdocs-directory, but not above that. That means the customers would have to put the SQLite-Database-File inside their htdocs, meaning that it is accessible to the world and anyone can download it.

What is the best way to give the customer some kind of protection from that, that is simple and also supported on all HTTP servers?

Comments (4)

死开点丶别碍眼 2024-07-23 21:51:26

By default (for Linux installations that I've run across), Apache actually blocks anything that begins with .ht from being directly served:

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

If you'd rather use a filename like sqlite.db for your database file, then you could block it by using this rule:

<Files ~ "\.db$">
    Order allow,deny
    Deny from all
</Files>

Of course, to implement this rule on most hosting providers, you will have to distribute a .htaccess file containing the rule. Those can be missed sometimes because they don't show up in *NIX directory listings (or in an FTP client) by default.

I'm not aware of any similar type of rule that can be used for the Microsoft IIS server in a shared hosted environment.

陌生 2024-07-23 21:51:26

There is no protection which will work on all HTTP server software being used. The best you can do is to move it outside the document root as, regardless of which web server is being used, it should never be served.

Actually protecting files from being served inside the document root requires knowledge about the server software and changing its configuration.

小情绪 2024-07-23 21:51:26

If it is an Apache web server, then use a .htaccess file. I'm not sure how to do it on IIS.

I guess as a first thing you should put an empty index.html file or equivalent to prevent listing the directory in the browser. That won't prevent access to that file if the name and path are known, but it's better than nothing if you are not sure what web server it's going to be on.

冰雪梦之恋 2024-07-23 21:51:25

You can use a .htaccess file and lock down the database name so it's not externally accessible. Many servers will already do this for all filenames starting with a ".". This will work on Apache of course, but you'll still need fixes for other web servers.

Your best bet is to really set it up such that it can be hosted above htdocs. Maybe you can use an installation script that checks the document root and moves the sqlite file to a higher directory if possible.

Unfortunately, because sqlite is read and written to by the same user as the web server, there's no easy way to lock it down from external access. Hiding it and moving it are the only real solutions I can think of.
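
The install-time check suggested in the last answer, combined with the in-docroot fallbacks from the other answers, as an added example that is not part of the original thread. The function name `chooseDbPath` and the names `app-private`, `data` and `.ht.app.db` are hypothetical; the deny rule also covers Apache 2.4, where `Require all denied` replaces the `Order`/`Deny` syntax quoted above.

```php
<?php
// Added example, not code from the original thread. chooseDbPath(),
// "app-private", "data" and ".ht.app.db" are hypothetical names.

// Deny rule for the fallback directory: Apache 2.4 syntax when
// mod_authz_core is loaded, otherwise the 2.2 syntax quoted in the answers.
const DENY_RULE = <<<'HT'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
HT;

function chooseDbPath(string $docRoot, string $appDir): array
{
    $docRoot = realpath($docRoot);
    $appDir  = realpath($appDir);
    if ($docRoot === false || $appDir === false) {
        throw new RuntimeException('document root or application directory not found');
    }
    // Preferred: a private directory next to (not under) the document root.
    // @ silences the warnings open_basedir raises on shared hosts.
    $parent  = dirname($docRoot);
    $private = $parent . DIRECTORY_SEPARATOR . 'app-private';
    if ($parent !== $docRoot
        && (@is_dir($private) || (@is_writable($parent) && @mkdir($private, 0700)))
        && @is_writable($private)) {
        return ['path' => $private . DIRECTORY_SEPARATOR . 'app.db', 'outside' => true];
    }
    // Fallback inside the document root: a ".ht"-prefixed, ".db"-suffixed name
    // (matches both <Files> rules above), a deny-all .htaccess, and an empty
    // index.html against directory listings. Only Apache honours .htaccess.
    $data = $appDir . DIRECTORY_SEPARATOR . 'data';
    if (!is_dir($data) && !mkdir($data, 0700)) {
        throw new RuntimeException("cannot create $data");
    }
    file_put_contents($data . DIRECTORY_SEPARATOR . '.htaccess', DENY_RULE . "\n");
    file_put_contents($data . DIRECTORY_SEPARATOR . 'index.html', '');
    return ['path' => $data . DIRECTORY_SEPARATOR . '.ht.app.db', 'outside' => false];
}

// Usage from an installer page:
$choice = chooseDbPath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__, __DIR__);
$db = new PDO('sqlite:' . $choice['path']);
if (!$choice['outside']) {
    echo "Database is inside the document root; request its URL and confirm the server refuses it.\n";
}
```

When the fallback is taken, the installer cannot know whether the server honours `.htaccess`, so the final message asks the administrator to request the database URL and confirm it is refused.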
