views:

25

answers:

1

I'm building a simple web app in Python using web.py - and was wondering what best practices are in terms of securing the application.

I had two main questions at this stage:

  1. I want the application to be able to send email - it's not hosted on GAE, but I thought a simple solution might be to write / find a script that is able to send pop/imap mail, and use a gmail account. This would require me to save the login and password in the script, in plaintext. This seems wrong and very insecure - I wonder what is the better way to do this?

  2. The webapp needs a sqlite db, which out of the box does not provide any security. How can I ensure that people just can't download the whole database file?

I imagine both of the questions above come down to file structure and permissioning - I haven't been able to find a rigorous tutorial, and am really curious as to how people typically go about structuring webapps?

Many thanks

A: 

Obviously there must not be any direct access to the file system via an HTTP request.

And I'm pretty sure that's impossible if you're using web.py anyway. When you create an application using web.py, you create a list of regular expressions for URLs which map to a class to send the request to. As long as every request to your web server gets sent to web.py, then you shouldn't have any issues, as everything is white-listed by this URL list.

http://webpy.org/tutorial3.en#urlhandling

Because of that fact I wouldn't worry about storing passwords in config files or source-code too much.

Andy Hume
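As an added example (not from the question or from Andy Hume's answer), here is a startup check a web.py app could run before serving requests: it reads the Gmail credentials from the process environment instead of the script, and verifies that the sqlite file is neither under the `static/` directory that web.py's built-in server exposes by URL nor readable by other local users. The `MAIL_USER`/`MAIL_PASSWORD` variable names, the sample values and the paths are assumptions for illustration.

```python
import os
import stat

# Constructed sample: NOT real credentials, just the shape a deployment would
# inject through the environment (shell wrapper, systemd EnvironmentFile, ...)
# instead of hard-coding them in the web.py script.
SAMPLE_ENV = {"MAIL_USER": "app@example.com", "MAIL_PASSWORD": "app-specific-password"}


def load_smtp_credentials(env):
    """Return (user, password) from an environment mapping, or None if unset.
    Keeping the secret out of the source means a readable .py file or a
    leaked repository does not leak the mail account."""
    user, password = env.get("MAIL_USER"), env.get("MAIL_PASSWORD")
    if not user or not password:
        return None
    return user, password


def is_inside(path, directory):
    """True if path resolves (symlinks and '..' followed) to somewhere under directory."""
    real_path = os.path.realpath(path)
    real_dir = os.path.realpath(directory)
    return os.path.commonpath([real_path, real_dir]) == real_dir


def mode_too_open(mode):
    """True if group or other hold any permission bit on the file."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def audit_db_file(db_path, static_dir):
    """Return a list of problems with where and how the sqlite file is stored.
    An empty list means it is not reachable via the /static URL prefix and
    not readable by other local users."""
    problems = []
    if is_inside(db_path, static_dir):
        problems.append("database is under the static directory web.py serves by URL")
    if os.path.exists(db_path) and mode_too_open(os.stat(db_path).st_mode):
        problems.append("database file is readable by group/other; chmod 600 it")
    return problems


if __name__ == "__main__":
    # Real deployments use os.environ; the constructed sample stands in here.
    creds = load_smtp_credentials(os.environ) or load_smtp_credentials(SAMPLE_ENV)
    print("mail user:", creds[0])
    for problem in audit_db_file("static/app.db", "static"):
        print("PROBLEM:", problem)
```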