Database Security

Questions about MySQL, PostgreSQL, and most other databases, as well as using them with PHP, can be asked here.


WhiteWolf
Forum Newbie
Posts: 7
Joined: Tue Jun 17, 2008 4:10 pm

Database Security

Post by WhiteWolf »

I am developing a database that will store Social Security numbers, driver license information, etc. I would like to post the security measures I am implementing in regard to the database and accessing it, and I am looking for feedback on whether it's sufficient or not, and I also have 2 questions:
- I have encrypted sensitive fields in the database using AES. When you access the database through the phpAdmin console provided by the hosting company, all you see in these fields is [BLOB - 16 b].
- To access the database, there's a 'console' you can get to from the website. I have password protected this folder, using the control panel in the website.
- Any link that deals with viewing the database contents is prefaced with https

Question 1: Is it advisable to put the 'key' for the AES_ENCRYPT function in the script itself, or should it be somewhere else? Here's what I mean - the format for the AES_ENCRYPT is as follows: AES_ENCRYPT('dbField', '$encKey'). You choose a 'key' and it goes in that second field. Right now, I have the key field declared in my script. Should I leave it there?

Question 2: The web hosting company gives you the ability to password protect folders - does anyone know if this is sufficient security, or is it easy to get past?

Thanks
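As an added illustration of Question 1 (editor's example, not WhiteWolf's code or the hosting company's setup), the following PHP keeps the AES key and the database password in a file one directory above the public web root, checks that file's permissions, hands the key to MySQL only as a bound parameter, and gives every row its own IV. The paths, the `customers` table with its `ssn` and `ssn_iv` columns, the `app` database name and the sample SSN are all assumed placeholders; MySQL 5.7 or later is assumed because the three-argument form of AES_ENCRYPT and the `block_encryption_mode` variable do not exist in older versions.

```php
<?php
// Added example (editor's code, not WhiteWolf's): the AES key and DB password
// live in a file outside the public web root, the key reaches MySQL only as a
// bound parameter, and each row gets its own IV. Paths, table and column names
// are assumed placeholders; MySQL 5.7+ is assumed for the IV argument.
declare(strict_types=1);

// Assumed layout: this script is under /home/user/public_html, so the config is
// /home/user/private/app.php and can never be fetched by URL.
const PRIVATE_CONFIG = __DIR__ . '/../private/app.php';

/**
 * The private file returns an array:
 *   <?php return ['db_user' => 'app', 'db_pass' => '...', 'aes_key_hex' => '<64 hex chars>'];
 * Generate the key once with: php -r 'echo bin2hex(random_bytes(32)), PHP_EOL;'
 */
function loadPrivateConfig(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("private config not found: $path");
    }
    // On a shared host, refuse a config that other accounts can read (mode 0600 or 0400 expected).
    if ((fileperms($path) & 0077) !== 0) {
        throw new RuntimeException('private config is readable by group/other');
    }
    $cfg = require $path;
    $key = hex2bin((string) ($cfg['aes_key_hex'] ?? ''));
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('aes_key_hex must be 64 hex chars (32 random bytes) for aes-256-cbc');
    }
    $cfg['aes_key'] = $key;
    return $cfg;
}

function connect(array $cfg): PDO
{
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $cfg['db_user'], $cfg['db_pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    // MySQL's default mode is aes-128-ecb, which encrypts equal plaintexts to equal ciphertexts.
    $db->exec("SET SESSION block_encryption_mode = 'aes-256-cbc'");
    return $db;
}

// Assumed table: customers(id INT PRIMARY KEY, ssn VARBINARY(64), ssn_iv BINARY(16))
function storeSsn(PDO $db, int $customerId, string $ssn, string $key): void
{
    $iv = random_bytes(16);   // fresh IV per row; stored beside the ciphertext, it is not secret
    $stmt = $db->prepare(
        'UPDATE customers
            SET ssn = AES_ENCRYPT(:ssn, UNHEX(:key), UNHEX(:iv_enc)), ssn_iv = UNHEX(:iv_col)
          WHERE id = :id'
    );
    // Hex encoding keeps raw key and IV bytes intact over a utf8mb4 connection; native
    // prepares do not allow one named placeholder to be used twice, hence :iv_enc and :iv_col.
    $stmt->execute([
        ':ssn'    => $ssn,
        ':key'    => bin2hex($key),
        ':iv_enc' => bin2hex($iv),
        ':iv_col' => bin2hex($iv),
        ':id'     => $customerId,
    ]);
}

function readSsn(PDO $db, int $customerId, string $key): ?string
{
    $stmt = $db->prepare(
        'SELECT AES_DECRYPT(ssn, UNHEX(:key), ssn_iv) FROM customers WHERE id = :id'
    );
    $stmt->execute([':key' => bin2hex($key), ':id' => $customerId]);
    $plain = $stmt->fetchColumn();
    // false: no such row; NULL: row exists but the key or IV does not match the ciphertext.
    return $plain === false ? null : $plain;
}

$cfg = loadPrivateConfig(PRIVATE_CONFIG);
$db  = connect($cfg);
storeSsn($db, 42, '123-45-6789', $cfg['aes_key']);   // constructed sample value, row 42 assumed to exist
var_dump(readSsn($db, 42, $cfg['aes_key']));
```

Keeping the key out of the served directory means a source-disclosure bug or a misconfigured PHP handler cannot hand it to a browser, and someone who only sees the database (for example through phpMyAdmin) sees the BLOBs WhiteWolf describes. It does not protect against anyone who can read files in the hosting account or run queries as the application user, since both the key file and the ciphertext are available there; that is the limit of what a shared host can offer for this design.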
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Database Security

Post by jaoudestudios »

I am far from an expert, but you should definitely store the key out of the public directory.

Which sort of AES encryption are you doing?

Password protected directories through the control panel are done using .htaccess files - is this on https? Otherwise the details are probably sent over plain text.