Bug: SQLite3 database file created in /public folder

[ramiresviana]

Describe the bug
When using database with SQLite3 as DBDriver parameter, the database file is created in the /public application folder.

CodeIgniter 4 version
4.0.3

Steps to reproduce

1. Set database and DBDriver parameters in database configuration file.
2. Create new table with CodeIgniter Forge;
3. Database file is created in /public folder.

Expected behavior
Database files can contain private information and should not be created in the public folder by default.

Context

• OS: Ubuntu 18.04.2
• Web server: CodeIgniter Spark
• PHP version: 7.2.24

[lonnieezell]

You can change the location of the file using the $database value in the configuration for that connection. Give it a path and filename.

[ramiresviana]

@lonnieezell the problem is not being able to change the location of the file, but rather the default path being the public folder. This is a undocumented behavior and can add a security flaw on applications that use CodeIgniter, not every developer is going to check where is the database is going to be write.

If a framework offers me sqlite support, i would expect that it will take some measures to protect the file from being leaked on the internet.

[lonnieezell]

That's a fair point. And I guess it is default behavior inherited from CI3. I don't recall it having ever been changed, honestly.

We should set the default location in the writable folder somewhere that makes sense.

Thanks.

[samsonasik]

I think the directory can be named "writable/data"

[MGatner]

Cross-referencing my opinion: #3151 (comment)