zeruniverse / Password-Manager

An online keepass-like tool to manage passwords. Client-side AES encryption!

Database #38

Closed nickbe closed 8 years ago

nickbe commented 8 years ago

We're on a server with limited Mysql databases.

Also it would be great to be able to run the site with just php -S, which seems to work perfectly except for the current need for mysql. Is it difficult to use Sqlite instead?

I suggest for such a database with only a few tables and few - one tiny sqlite database per registered user would be a very handy solution.

zeruniverse commented 8 years ago

  1. I think most servers with PHP would have a MySQL database. What do you mean by limited Mysql databases?
  2. Think about a cloud computing platform that does not give write permission to disk, but asks you to store files to their file server using some API...

nickbe commented 8 years ago

We're on a managed server here, where we have only a limited amount of mysql databases available. And I'm not allowed to mix tables from different apps into one database like with prefixes. Additionally I saw a guy hacking into mysql-based sites. Took him only a couple of minutes to hack several seemingly secure sites. Since we're talking about real secure stuff here I would prefer either sqlite or just plain text storage.

zeruniverse commented 8 years ago

Hi,

Actually, this project only needs a SQL server instead of a MySQL server. If you think SQLite is good, just modify function/sqllink.php to connect to a SQLite server. That's the only file you need to edit. But I won't put this into my project for the following reasons:

For your second question, I use PDO in my implementation with data sent separately from the query. I don't think SQL injection is likely here. Yes, all the old technology for connecting to a database in PHP is insecure. By the way, you will have no less trouble using SQLite, because you still use SQL. SQL injection is not something just for MySQL.

For your first question, I think you're using a really special environment. You don't even need a server/VPS. All PHP web hosting you can buy online nowadays comes with MySQL. So it's reasonable to use it. But there are some platforms making their code folder not writable. In this case, your SQLite and plaintext won't work. I never used SQLite before, but I think it supports SQL queries just as MySQL does. So if you really need SQLite, just modify function/sqllink.php to connect to your SQLite.


nickbe commented 8 years ago

I'll try to implement an alternative in sqllink.php. Maybe let the user choose in the config.php which database to use. If everything works as expected I'll let you know anyway. Maybe it's at least worth considering an optional alternative.
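
The two ideas discussed in this thread, a database driver chosen from configuration and PDO queries with data sent separately from the SQL text, can be sketched as follows. This is an added example, not the project's function/sqllink.php; the config keys, `open_db()`, `find_user()` and the `users` table are hypothetical names.

```php
<?php
// Added example; every name here is hypothetical, not taken from the project.

function open_db(array $config): PDO
{
    // Build the DSN from a config value; only the two known drivers are accepted.
    switch ($config['driver']) {
        case 'mysql':
            $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4',
                           $config['host'], $config['name']);
            $pdo = new PDO($dsn, $config['user'], $config['pass']);
            // Use server-side prepared statements instead of client-side emulation.
            $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
            break;
        case 'sqlite':
            // The file needs a writable directory, and it should live outside
            // the web root so it cannot be fetched like a static file.
            $pdo = new PDO('sqlite:' . $config['path']);
            break;
        default:
            throw new InvalidArgumentException('unsupported driver');
    }
    // Fail loudly on SQL errors rather than returning false silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function find_user(PDO $pdo, string $name): ?array
{
    // The SQL text is fixed; $name is bound as data and never concatenated.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo on an in-memory SQLite database (requires pdo_sqlite).
$pdo = open_db(['driver' => 'sqlite', 'path' => ':memory:']);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->prepare('INSERT INTO users (name) VALUES (?)')->execute(['alice']);

var_dump(find_user($pdo, 'alice'));
// A quote-laden input is compared as a literal name, not parsed as SQL.
var_dump(find_user($pdo, "x' OR '1'='1"));
```

The same `find_user()` runs unchanged against either driver, which is why the injection exposure depends on how queries are built rather than on MySQL versus SQLite.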