[UPHPU] store sensitive data in mysql + php web application
CarSign
utahphp at forsalesticker.com
Tue Jun 30 11:52:11 MDT 2009
> 1. Are you absolutely sure you need to store the data at all?
Good question. But as is often the case when management is asked about these things - they say yes :)
--- On Tue, 6/30/09, Lonnie Olson <lists at kittypee.com> wrote:
> From: Lonnie Olson <lists at kittypee.com>
> Subject: Re: [UPHPU] store sensitive data in mysql + php web application
> To: utahphp at forsalesticker.com
> Cc: uphpu at uphpu.org
> Date: Tuesday, June 30, 2009, 11:48 AM
> On Tue, Jun 30, 2009 at 11:00 AM, CarSign<utahphp at forsalesticker.com> wrote:
> > I am needing to store sensitive data like a Social Security Number in our database that will be used by our web application.
> >
> > Should the data be encrypted by PHP before it is passed to mysql OR should it be encrypted by mysql OR should I encrypt in both places so that it is double encrypted?
>
> It depends on why you need to store the data.
>
> 1. Are you absolutely sure you need to store the data at all?
> 2. Need to store the data for user's eyes only.
>    Look into using mcrypt or openssl functions to encrypt the data
>    using the user's own password/secret key. Then you can only decrypt
>    it when the user requests the data.
> 3. Need to store the data for multiple users' eyes.
>    Look into encrypting the data using multiple keys, possibly openssl or pgp
>
> Just be a bit careful as your business may have different requirements
> based on industry, laws, etc.
>
> Best bet always is #1 if possible.
>
> --lonnie
>
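Option 2 of the quoted reply (encrypt with a key derived from the user's own password, so the server can decrypt only while the user is present), as an added example that is not part of either post. It uses the openssl functions because mcrypt was later removed from PHP core; the function names, the PBKDF2 iteration count, the record layout and the sample SSN are assumptions made for illustration.

```php
<?php
// Added example. Function names, parameters and the sample SSN are constructed.
const KDF_ITERATIONS = 600000;   // PBKDF2 work factor (assumed; tune for your hardware)
const CIPHER = 'aes-256-gcm';    // authenticated encryption: tampering is detected

// Derive a 256-bit key from the user's password and a per-record salt.
function deriveKey(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
}

// Returns base64(salt | iv | tag | ciphertext), suitable for a VARCHAR/TEXT column.
function encryptForUser(string $plaintext, string $password): string
{
    $salt = random_bytes(16);    // fresh salt per record
    $iv   = random_bytes(12);    // fresh 96-bit nonce per encryption
    $tag  = '';                  // filled in by openssl_encrypt (16 bytes)
    $ct = openssl_encrypt($plaintext, CIPHER, deriveKey($password, $salt),
                          OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($salt . $iv . $tag . $ct);
}

// Returns the plaintext, or null if the password is wrong or the record was altered.
function decryptForUser(string $stored, string $password): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= 44) {
        return null;             // malformed or truncated record
    }
    $salt = substr($raw, 0, 16);
    $iv   = substr($raw, 16, 12);
    $tag  = substr($raw, 28, 16);
    $pt = openssl_decrypt(substr($raw, 44), CIPHER, deriveKey($password, $salt),
                          OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Round trip with constructed values, then an attempt with the wrong password.
$record = encryptForUser('000-00-0000', 'correct horse battery staple');
var_dump(decryptForUser($record, 'correct horse battery staple') === '000-00-0000');
var_dump(decryptForUser($record, 'wrong password') === null);
```

With this layout a password change means decrypting with the old password and re-encrypting with the new one, and a forgotten password makes the stored value unrecoverable.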