What's the safest way to store confidential user info?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

bschaeffer
Forum Newbie
Posts: 24
Joined: Thu Apr 30, 2009 9:10 pm

What's the safest way to store confidential user info?

Post by bschaeffer »

I'm pretty new to PHP and not knowing how to securely handle confidential information really scares me, and I'd kind of like to know if the idea I had for storing user info is a good one.

I'm working with Flickr's API because I've never worked with APIs before and I wanted to get a feel for them. Anyway, when a user returns from allowing you access to their account information, you have to send a getToken request to Flickr, who, in turn, sends some user information back to you.

The most important info is the token, which associates that specific user with your specific api_key.

The token is pretty important when authenticating write requests, so I really want to be able to store it and some other user information for when they return to the site instead of making the getToken call each time.

I was thinking of creating a single string full of the user information, then hashing it using md5 and storing it as a cookie, that way, everytime they come back, I'll check the stored md5 against xml file and just return the information that matches against it.

Is this a terrible idea? I have a feeling it is. I am completely new to securely storing information and I just want to get this right.

Thanks in advance.
jazz090
Forum Contributor
Posts: 176
Joined: Sun Apr 12, 2009 3:29 pm
Location: England

Re: What's the safest way to store confidential user info?

Post by jazz090 »

The way to go would be to use a hash depending on the level of security: for low security use md5 or sha1, and for higher maybe use Whirlpool or sha256. Once you hash the data, just save it into a MySQL database, or if you also have files, just store them outside of your htdocs folder. Also, NEVERRRRRRRR in a million years store confidential information as a cookie, because they can be bypassed. What I would do is give them a key that is just a key that you can create by:

    $code = md5(rand());

and then store this as a cookie and also store it in a MySQL database. Then when a user goes on it, just run a MySQL query to obtain user information using that key:

    SELECT user_info FROM users WHERE code = $_COOKIE['code']

making sure that $_COOKIE['code'] is escaped with addslashes() or mysql_real_escape_string()

Then see if any matches have returned; if not, the key doesn't exist or it's an attack. Your best bet would be to store user info in a MySQL database.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: What's the safest way to store confidential user info?

Post by kaisellgren »

Okay.

I have no idea about Flickr API, I only know what the site is all about. I think you should show us your code once it is done so that we can evaluate it.
jazz090 wrote:
    for low security use md5 or sha1 and for higher maybe use whilrpool or sha256

A thing such as "low security" makes no sense. If you use hashes, just use SHA-256 and forget MD5 or SHA-1. And for those who do not know how to do it, just call hash('sha256',$wtvr).
jazz090 wrote:
    $code = md5(rand());

That is poor.
bschaeffer wrote:
    I was thinking of creating a single string full of the user information, then hashing it using md5 and storing it as a cookie, that way, everytime they come back, I'll check the stored md5 against xml file and just return the information that matches against it.

Use a stronger hash. Do not store any information in cookies; store only identifiers that point to the place where the data is held. XML files are probably not very efficient for this situation and, as already stated, you should use an SQL database instead. If you use files, those files should be located absolutely outside of the document root.
jazz090 wrote:
    Is this a terrible idea? I have a feeling it is.

Well, I guess you should show us your code when you are done. Even if your idea is not terrible, you can implement it in an insecure way, and in fact you might have vulnerabilities or other problems in your code that are not related to the whole scenario at all.
jazz090
Forum Contributor
Posts: 176
Joined: Sun Apr 12, 2009 3:29 pm
Location: England

Re: What's the safest way to store confidential user info?

Post by jazz090 »

kaisellgren wrote:
    That is poor.

I know, I was just pointing that user in the right direction.

kaisellgren wrote:
    A thing such as "low security" makes no sense. If you use hashes, just use SHA-256 and forget MD5 or SHA-1. And for those who do not know how to do it, just call hash('sha256',$wtvr).

What I meant by low security is the importance of the data. I mean, if it's just a token, there's no point wasting space storing 128-bit information, and of course Whirlpool and sha256 take longer to create the hash compared to md5, so we are also talking performance as well.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: What's the safest way to store confidential user info?

Post by kaisellgren »

Using SHA-256 over SHA-1 is not really a big deal. I'm sure you have worse bottlenecks out there. Besides, if you want to make your token into more meaningful or useful format, just use base64 encoding or any other encoding that suits your needs rather than hashing. If you are generating your random token by using a proper random source like /dev/urandom or CSP then you are not leaking any information about your random source.
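Putting the two pieces of advice in this thread together (jazz090's "random key in the cookie, user record in the database" scheme, and kaisellgren's points about a proper random source and storing only an identifier client-side), here is an added example that is not code from any of the posters. It assumes PHP 7.3 or later (for random_bytes() and the options-array form of setcookie()) and the PDO SQLite driver; the sessions table, the NSID and the Flickr token value are constructed for the example. It also swaps in prepared statements for the addslashes()/mysql_real_escape_string() step jazz090 mentions, so the cookie value is never interpolated into SQL at all.

```php
<?php
// Added example (not from the thread): the cookie holds only an opaque random
// identifier; the server keeps a SHA-256 hash of that identifier alongside the
// Flickr token, and resolves it with a prepared statement.
// Assumes PHP >= 7.3 and the PDO SQLite driver (both are assumptions).

declare(strict_types=1);

// Constructed in-memory table standing in for the MySQL table jazz090 describes.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (
        code_hash    TEXT PRIMARY KEY,  -- sha256 of the cookie value, never the value itself
        flickr_nsid  TEXT NOT NULL,
        flickr_token TEXT NOT NULL,
        expires_at   INTEGER NOT NULL
    )');
    return $db;
}

// Create a session. The identifier comes from the OS CSPRNG via random_bytes(),
// so it is unguessable and says nothing about how it was generated; only its
// hash is stored, so reading the table alone does not yield a usable cookie.
function createSession(PDO $db, string $nsid, string $flickrToken, int $ttl = 86400): string {
    $code = bin2hex(random_bytes(32));  // 256 bits of entropy, hex-encoded for the cookie
    $stmt = $db->prepare(
        'INSERT INTO sessions (code_hash, flickr_nsid, flickr_token, expires_at)
         VALUES (:h, :nsid, :tok, :exp)'
    );
    $stmt->execute([
        ':h'    => hash('sha256', $code),
        ':nsid' => $nsid,
        ':tok'  => $flickrToken,
        ':exp'  => time() + $ttl,
    ]);
    return $code;
}

// Send the identifier to the browser. HttpOnly keeps it away from page scripts,
// Secure restricts it to HTTPS, SameSite limits cross-site submission.
function sendSessionCookie(string $code, int $ttl = 86400): void {
    setcookie('code', $code, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Resolve a cookie value to the stored record. The value is checked against the
// expected format first, then bound as a query parameter (no escaping needed),
// and hashed before the lookup so the raw identifier never reaches the table.
function lookupSession(PDO $db, ?string $cookieValue): ?array {
    if ($cookieValue === null || !preg_match('/^[0-9a-f]{64}$/', $cookieValue)) {
        return null;  // malformed: rejected before the database is touched
    }
    $stmt = $db->prepare(
        'SELECT flickr_nsid, flickr_token FROM sessions
         WHERE code_hash = :h AND expires_at > :now'
    );
    $stmt->execute([':h' => hash('sha256', $cookieValue), ':now' => time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;  // null: unknown key or expired session
}

// Demonstration with constructed values (not a real Flickr NSID or token).
$db   = openDb();
$code = createSession($db, 'example-nsid', 'constructed-flickr-token');
// sendSessionCookie($code);  // would be called inside a real request handler

var_dump(lookupSession($db, $code));               // the stored record
var_dump(lookupSession($db, str_repeat('0', 64)));  // well-formed but unknown key
var_dump(lookupSession($db, "' OR 1=1 --"));        // fails the format check
```

In a real request handler the last three calls would be replaced by `lookupSession($db, $_COOKIE['code'] ?? null)`; a null result is the "no matches, so the key doesn't exist or it's an attack" case from jazz090's post, and is where you would log the event and clear the cookie rather than fall through to a guest view.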
bschaeffer
Forum Newbie
Posts: 24
Joined: Thu Apr 30, 2009 9:10 pm

Re: What's the safest way to store confidential user info?

Post by bschaeffer »

Thanks to both of you.

I haven't finished the code yet, but I'll post it as soon as I do.

BTW, I wasn't going to store the user info into a COOKIE, just the hash from the string created by the "user info".

Anyway..... I think I can get started feeling like I have the right idea... still have to go through REGEX and docs and validating input and stuff, but this site, which is really just a personal project, only uses query results. I'm rambling, though.....