1

i wanted to use SQLite with .net application. It only works if the DLL and the Database file are in the BIn folder and the permissions of BIN are set to read / Write. Is that a security risk ?

MPelletier
  • 16,256
  • 15
  • 86
  • 137
abbyyUser
  • 117
  • 2
  • 9
  • 5
    Are you speaking of a restriction you're imposing through your application? Because SQLite definitely **doesn't** impose that restriction. – Michael Petrotta Jun 01 '12 at 04:35

3 Answers3

0

Yes, allowing read/write permission for the IIS worker process to the bin folder would allow anyone that can gain adequate permissions to your system (running as the generally low-privilege account running IIS) can now change your application binaries.

If indeed SqLite poses that requirement (but I would tend to agree with Michael P's comment), I would not use it under IIS. Whether you should use it depends on the security risk you expect your application to be at and the cost of a security breech (managing your stamp collection vs managing credit card data).

I do suspect that SqLite will allow you to place your data file in App_Data, where such data belongs. In fact, the answer to the question below outlines how to do just that:

How do I reference the Sqlite db file in the App_Data folder for my ASP.NET Web Application?

Community
  • 1
  • 1
Eric J.
  • 147,927
  • 63
  • 340
  • 553
0

Yes, it's a security risk, and what's more, every time a file in the Bin folder is updated, it will cause your application to restart. So you put the database file in the App_Data folder.

Tuan
  • 5,382
  • 1
  • 22
  • 17
  • Does IIS have a file watcher on file types that it cannot load (e.g. not DLL's and not web.config)? – Eric J. Jun 01 '12 at 04:39
  • The OP claims it must be in the BIN folder, though I agree with Michael P's comment that the OP is probably misinformed. App_Data would indeed be the appropriate location. – Eric J. Jun 01 '12 at 04:40
  • Yep, that's where my SQLite database is, and my .NET application can talk to it just fine. – Michael Petrotta Jun 01 '12 at 05:04
  • what i am really trying to do is make an application that a user can put on their server and does not need access to any other database i.e mySQL, SQL etc.. – abbyyUser Jun 01 '12 at 13:18
0

It only works if the DLL and the Database file are in the BIn folder

Well that sounds like a blocker. There is a free commercially licensed Microsoft SQL Server CE. It fits perfectly and securely into ASP.NET. Runs as DLL with database in single file up to 4GB. The limitation is file size and no stored procedures capabilities.

  • 3
    It would be a blocker, but it's not accurate. See http://stackoverflow.com/questions/1421247/how-do-i-reference-the-sqlite-db-file-in-the-app-data-folder-for-my-asp-net-web – Eric J. Jun 01 '12 at 04:52