sqlite user/password security

Problem description

I'm developing an easy website and I'm trying a sqlite database. In contrast to MySQL, when you connect to a db you don't specify a user/password, and with MySQL you do.

So, anybody can access it. Isn't it a security hole to keep sensitive information?

And even hiding your db.sqlite, it shouldn't be that hard to query this db from a third-party program/web to get information.

Thanks for your time.

Recommended answer

sqlite relies on file permissions to secure the data; as you've mentioned, it doesn't require a login. From IBM:

SQLite has no concept of user accounts, and instead relies on the file system for all database permissions. This makes enforcing storage quotas difficult and enforcing user permissions impossible.

The way you secure your database is to set file permissions so that only specific users can access the data. If you're running a web site on Linux, you can set these using chmod. Typically, you set the web server to run under its own user, such as www-data, and then restrict access to the sqlite file to only that user. For example:

chown www-data database.db    # set ownership of the database.db file.
chmod 600 database.db         # allow only read-write by the owner.

This prevents third party programs or any external parties from reading the database by leveraging the file system security.
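
A way to verify the permissions described in the answer above, as an added example that is not part of the original answer. It goes one step further than the `chmod 600` shown: it also checks SQLite's sidecar files (`-journal`, `-wal`, `-shm`) and the containing directory. The function names and the script name in the last comment are hypothetical.

```shell
#!/bin/sh
# Added example: audit a SQLite database for the permissions set above.
# Usage: audit_sqlite_perms /path/to/database.db [expected-owner]
# Returns 0 when no group/other access is possible, 1 otherwise.

# Octal mode and owner name of a path (GNU stat first, BSD stat fallback).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

audit_sqlite_perms() {
    db=$1; want_owner=${2:-}; rc=0
    [ -f "$db" ] || { echo "FAIL $db: not a regular file"; return 1; }

    # SQLite keeps rollback-journal and WAL data in sidecar files beside
    # the database; they can hold the same rows, so audit them too.
    for f in "$db" "$db-journal" "$db-wal" "$db-shm"; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        case $m in
            0|*00) ;;   # no group/other bits set (600, 400, ...)
            *) echo "FAIL $f: mode $m grants group/other access"; rc=1 ;;
        esac
        if [ -n "$want_owner" ] && [ "$(owner_of "$f")" != "$want_owner" ]; then
            echo "FAIL $f: owner is $(owner_of "$f"), expected $want_owner"
            rc=1
        fi
    done

    # SQLite creates the sidecar files in the database's directory, so the
    # owner needs write access there; group/other write access would let
    # another local user delete or replace the database file.
    dir=$(dirname "$db"); dm=$(mode_of "$dir")
    case $dm in
        *[2367]?|*[2367]) echo "FAIL $dir: mode $dm is group/other writable"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK $db"
    return "$rc"
}

# Run directly (constructed script name): sh audit.sh database.db www-data
if [ $# -gt 0 ]; then audit_sqlite_perms "$@"; fi
```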
