Can people view the contents of a Replit DB?

I would like to use Replit DB to create an account system for a website. This will store sensitive information. I would like to know if other users (people not on the Repl) can access the contents of the Replit DB (thus compromising security). If they can, are there any viable free alternatives that would achieve this result?

It is possible (I can make a demo of such) to view the contents of someone else’s/some other repl’s DB. Also, unless you use a “database proxy” (i.e., multi-repl), the DB only exists for that specific copy/fork/cover page of the repl.

I would like to see a demo and I would like to know how multi-repl would solve the problem. Wouldn’t you just be able to find the other Repl (unless private, which I cannot do) and access its DB?

I apologize, you seem to have partially misunderstood my response. Allow me to rephrase:

  1. Replit DBs are (intentionally or not) restricted to that specific fork/cover page/copy of the repl, and the only way to work around this is to set up a “proxy”/multi-repl database, to my knowledge.
  2. If you so choose to use a “proxy”/multi-repl database, then it is possible for anyone to link to said proxy and modify/read/etc. data.
  3. I will make a demo, will notify you when I have one ready.

I thought that the DB would allow all users to access the same set of data. That’s how the Cactus Pinger works. Any URL put in to the input box is then added to the DB and then the site pings them. Or did anyway; last I checked it was down.

True, but I believe this method of accessing the DB requires everyone to access the same copy of the repl (i.e., web hosting repls).

Yes I will make a website. That was the point. I thought you were in the comment chain on Replit talking about that. Maybe I remember wrong.

So are we saying that if I make a game and the data is in the database, that database is local to the user instance of the repl?
This is an important detail if I ever want to share any of my stuff.

I was in the comment chain, give me a minute to see about doing it on web-based repls, as my idea of how to access the database requires console access.

As far as I am aware, yes. Unless it hosts a webpage, it is user-local copies of the database.

I know/can figure out how to use the DB. My main concern is other people accessing it and thus getting sensitive information.

Ok. This means I have been moving from files to db for nothing … maybe I should just use mongodb atlas instead as that would solve all issues

I understand that, I meant I was going to see about how to/if it’s possible with a webpage.

No, it is still possible to do so. If you’re doing this anyway, just use a “proxy”/cross-repl database as I have mentioned, as it will allow all the game instances to connect to the same database.

I know, but then I’d rather connect to an Atlas free account probably, instead of paying for an always-on repl.

Better yet can we encrypt the DB info so that not even the Repl’s owner can view the values? Only the account holder (who has a password).

This could theoretically be possible, and would prevent the ability for people to (possibly) read/write the database.

By all means offer advice. Even if it’s broken code. But use Python please, as my JS skills are lacking. I’m making this with Flask.

I’m messing with seeing if I can figure out how to read the database; all I need to get is the DB URL from the site, and it’s modifiable. After I finish up here, I’ll tinker with the idea of encryption. Regardless, I’ll go ahead and invite you to the repl where I’m testing this.

Just be aware that anybody has access to the encryption algorithm and there are ways to crack passwords/keys. If you go that route, you best enforce passwords of at least 16 characters comprising alphanumerics and symbols.
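
An added example (not code from any poster in this thread) of storing account passwords so that anyone who reads the DB sees only salted scrypt hashes, written in Python as the original poster requested. The dict `db` stands in for Replit's dict-like `db` object, and the key naming and function names are assumptions; it covers password records only and does not encrypt other stored fields.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for `from replit import db` (assumed dict-like).
# A plain dict keeps this example runnable offline.
db = {}

MIN_PASSWORD_LENGTH = 16  # the minimum length suggested in the thread
# scrypt cost parameters: about 16 MiB of memory per guess.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: the algorithm is public, so guessing must be costly."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def register(username: str, password: str) -> bool:
    """Store a salted hash for a new user; never the password itself."""
    key = f"user:{username}"
    if key in db or len(password) < MIN_PASSWORD_LENGTH:
        return False
    salt = secrets.token_bytes(16)  # fresh random salt per account
    db[key] = json.dumps({"salt": salt.hex(), "hash": _derive(password, salt).hex()})
    return True


def verify(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    raw = db.get(f"user:{username}")
    if raw is None:
        # Do the same amount of work for unknown users so response
        # time does not reveal which usernames exist.
        _derive(password, b"\x00" * 16)
        return False
    record = json.loads(raw)
    actual = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(actual, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    print(register("alice", "correct horse battery staple"))  # True
    print(verify("alice", "correct horse battery staple"))    # True
    print(verify("alice", "wrong password entirely!"))        # False
```
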