I am developing a database that will store Social Security numbers, driver license information, etc. I would like to post the security measures I am implementing in regard to the database and accessing it, and I am looking for feedback on whether it's sufficient or not, and I also have 2 questions:
- I have encrypted senstive fields in the database using AES. When you access the database through phpAdmin console provided by the hosting company, all you see in these fields in [BLOB - 16 b].
- To access the database , there's a 'console' you can get to from the website. I have password protected this folder, using the control panel in the website.
- Any link that deals with viewing the database contents is prefaced with https
Question 1: Is it advisable to put the 'key' for the AES_ENCRYPT function in the script itself, or should it be somewhere else? Here's what I mean - the format for the AES_ENCRYPT is as follows: AES_ENCRYPT('dbField', '$encKey'). You choose a 'key' and it goes in that second field. Right now, I have the key field delcared in my script. SHould I leave it there?
Question 2: The web hosting company gives you the ability to password protect folders - does anyone know if this is sufficient security, or is it easy to get past?
Thanks
Database Security
Moderator: General Moderators
- jaoudestudios
- DevNet Resident
- Posts: 1483
- Joined: Wed Jun 18, 2008 8:32 am
- Location: Surrey
Re: Database Security
I am far from an expert, but you should definitely store the key out of the public directory.
Which sort of AES encryption are you doing?
Password protected directories through the control panel are done using .htaccess files - is this on https? Otherwise the details are probably sent over plain text.
Which sort of AES encryption are you doing?
Password protected directories through the control panel are done using .htaccess files - is this on https? Otherwise the details are probably sent over plain text.