Witchcraven

PHP encryption


I know there is a PHP encryption lib, but that only solves one of my security problems. I am doing a web site that stores confidential information, and I will encrypt it, but I am not sure where I should store the key. The 2 options I see are internal to the source, or in a database or file. I would use public key so it was not all that important, but I do not have that option. What is a good method? (Or does anyone know of free public key encryption compatible with PHP?) I mean, if the server was hacked and they got the encrypted files, they would also have the key, so it would not matter if it was encrypted at all.

First of all, the server should not be the weak point. Starting with the assumption that it isn't, examine other possible locations of attack: The client side (not your problem), and the transmission of the data. The transmission can be secured via SSL, so that is taken care of.
Now, to ensure the server is secure, you'll need an administrator that knows what they're doing. Once the server is secured, you need to secure the scripts. Make sure you verify all user data and never use anything given by the user (or ANYTHING from forms, HTTP header info, etc) without processing it first (such as properly quoting the data before pasting it into an SQL statement).
Once that is taken care of and all data is properly verified and processed by the script, then you can worry about storing confidential data.

If you can at all avoid it, I'd suggest against storing such data. You don't need to remember credit card numbers, for example, and customers wouldn't dislike it that much if you explained the reason for not keeping such information around. Otherwise, it doesn't really matter whether you store it encrypted or not, because once things have been compromised so much that the hacker has arbitrary access to your database, they can likely get access to any keys you store as well. The best you can do is to store any keys on a separate hard drive from the one the database is on, but the scripts will need access to both drives so they're still the weak point.

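The public-key option the original poster asks about, as an added example that is not code from either poster: the web server holds only a public key, so a copy of the server's files and database does not include anything that can decrypt the stored records. It assumes PHP 7.2+ with the bundled sodium extension; `seal_record` and `open_record` are hypothetical helper names and the sample record is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumes PHP 7.2+ with ext-sodium.

/** Web-server side: encrypt using ONLY the public key. */
function seal_record(string $plaintext, string $publicKey): string
{
    if (strlen($publicKey) !== SODIUM_CRYPTO_BOX_PUBLICKEYBYTES) {
        throw new InvalidArgumentException('bad public key length');
    }
    // Sealed box: an ephemeral key pair is generated per message.
    return base64_encode(sodium_crypto_box_seal($plaintext, $publicKey));
}

/** Back-office side: decrypt with the full key pair (never deployed to the web server). */
function open_record(string $stored, string $keypair): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false) {
        throw new RuntimeException('stored value is not valid base64');
    }
    $plain = sodium_crypto_box_seal_open($raw, $keypair);
    if ($plain === false) {
        throw new RuntimeException('decryption failed (wrong key or tampered data)');
    }
    return $plain;
}

// --- Demo with constructed data ---
$keypair   = sodium_crypto_box_keypair();            // generated on the offline machine
$publicKey = sodium_crypto_box_publickey($keypair);  // the only key material deployed

$stored = seal_record('constructed sample: account 0000-TEST', $publicKey);

// A different key pair stands in for "attacker has everything on the web server".
$otherKeypair = sodium_crypto_box_keypair();
try {
    open_record($stored, $otherKeypair);
    echo "unexpected: decrypted without the private key\n";
} catch (RuntimeException $e) {
    echo "without the private key: ", $e->getMessage(), "\n";
}

echo "with the private key: ", open_record($stored, $keypair), "\n";
sodium_memzero($keypair);  // wipe key material when done
```

This only fits data the web application writes but never needs to read back itself; if the scripts must decrypt, the private key has to be reachable from the server and the weak point described in the reply above remains.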