Database Security
Posted: Tue Mar 17, 2009 9:12 pm
I am developing a database that will store Social Security numbers, driver license information, etc. I would like to post the security measures I am implementing in regard to the database and accessing it, and I am looking for feedback on whether it's sufficient or not, and I also have 2 questions:
- I have encrypted sensitive fields in the database using AES. When you access the database through the phpAdmin console provided by the hosting company, all you see in these fields is [BLOB - 16 b].
- To access the database, there's a 'console' you can get to from the website. I have password protected this folder, using the control panel in the website.
- Any link that deals with viewing the database contents is prefaced with https
Question 1: Is it advisable to put the 'key' for the AES_ENCRYPT function in the script itself, or should it be somewhere else? Here's what I mean - the format for the AES_ENCRYPT is as follows: AES_ENCRYPT('dbField', '$encKey'). You choose a 'key' and it goes in that second field. Right now, I have the key field declared in my script. Should I leave it there?
Question 2: The web hosting company gives you the ability to password protect folders - does anyone know if this is sufficient security, or is it easy to get past?
Thanks
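The key-placement point in Question 1, shown as an added example (not the poster's code). It assumes a PHP application talking to MySQL through PDO; the table `customers`, the column `ssn`, the environment variable `DB_FIELD_KEY` and the key file path `/etc/myapp/field.key` are all assumptions chosen for illustration. The weak form keeps the key as a literal in the script and splices it into the SQL string; the corrected form loads it from outside the web document root and binds it as a parameter.

```php
<?php
// Added example, not the original poster's code. Assumes PHP + PDO + MySQL.
// Table `customers`, column `ssn`, env var DB_FIELD_KEY and the key file path
// are assumptions for illustration.

// --- Weak form (what the post describes) ---
// The key is a literal in the script and is interpolated into the SQL text, so
// anyone who can read the script (backup, shared host, source disclosure) has it.
// $encKey = 'hardcodedsecret';
// $pdo->exec("INSERT INTO customers (ssn) VALUES (AES_ENCRYPT('$ssn', '$encKey'))");

// --- Corrected form ---
// 1. Keep the key out of the script: an environment variable set by the web
//    server configuration, or a file outside DocumentRoot readable only by the
//    web server user (mode 0400).
function loadEncryptionKey(): string
{
    $fromEnv = getenv('DB_FIELD_KEY');          // assumed variable name
    if ($fromEnv !== false && $fromEnv !== '') {
        return $fromEnv;
    }
    $keyFile = '/etc/myapp/field.key';          // assumed path, outside the web root
    $key = @file_get_contents($keyFile);
    if ($key === false || strlen(trim($key)) < 16) {
        throw new RuntimeException('encryption key unavailable');
    }
    return trim($key);
}

// 2. Bind the key and the plaintext as parameters instead of building the SQL
//    string by hand; this also removes the SQL injection risk of interpolating
//    user-supplied data into the query.
function storeSsn(PDO $pdo, int $customerId, string $ssn, string $key): void
{
    $stmt = $pdo->prepare(
        'UPDATE customers SET ssn = AES_ENCRYPT(:ssn, :key) WHERE id = :id'
    );
    $stmt->execute([':ssn' => $ssn, ':key' => $key, ':id' => $customerId]);
}

function readSsn(PDO $pdo, int $customerId, string $key): ?string
{
    $stmt = $pdo->prepare(
        'SELECT AES_DECRYPT(ssn, :key) AS ssn FROM customers WHERE id = :id'
    );
    $stmt->execute([':key' => $key, ':id' => $customerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // AES_DECRYPT returns NULL when the key is wrong or the data is corrupt,
    // so a NULL here is a signal worth logging, not a blank SSN.
    return ($row === false || $row['ssn'] === null) ? null : $row['ssn'];
}

// Usage (connection details are assumptions):
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'appuser', $dbPassword,
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $key = loadEncryptionKey();
// storeSsn($pdo, 42, '123-45-6789', $key);
// echo readSsn($pdo, 42, $key);
```

Two caveats a practitioner would attach to this pattern. First, moving the key out of the script changes who can read it, not the trust model: the web application still has the key at runtime, so anyone who compromises the application can decrypt every row, and the key still reaches the database server with each statement, where it can land in the general query log. Second, MySQL's AES_ENCRYPT uses AES-128 with XOR-folded keys (a long key string is folded down to 16 bytes, so it adds no strength) and, in its default mode, ECB with PKCS#7 padding; that is why a short SSN shows up as exactly one 16-byte block. ECB is deterministic, so two rows holding the same SSN have identical ciphertext, which lets someone with read access to the table see which records share a number without ever decrypting anything.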