[UPHPU] store sensitive data in mysql + php web application

CarSign utahphp at forsalesticker.com
Tue Jun 30 11:52:11 MDT 2009


> 1. Are you absolutely sure you need to store the data at all?


Good question.  But as is often the case when management is asked about these things - they say yes :)





--- On Tue, 6/30/09, Lonnie Olson <lists at kittypee.com> wrote:

> From: Lonnie Olson <lists at kittypee.com>
> Subject: Re: [UPHPU] store sensitive data in mysql + php web application
> To: utahphp at forsalesticker.com
> Cc: uphpu at uphpu.org
> Date: Tuesday, June 30, 2009, 11:48 AM
> On Tue, Jun 30, 2009 at 11:00 AM, CarSign <utahphp at forsalesticker.com> wrote:
> > I am needing to store sensitive data like a Social Security Number in our database that will be used by our web application.
> >
> > Should the data be encrypted by PHP before it is passed to mysql OR should it be encrypted by mysql OR should I encrypt in both places so that it is double encrypted?
> 
> It depends on why you need to store the data.
> 
> 1. Are you absolutely sure you need to store the data at all?
> 2. Need to store the data for user's eyes only.
>     Look into using mcrypt or openssl functions to encrypt the data using the user's own password/secret key.  Then you can only decrypt it when the user requests the data.
> 3. Need to store the data for multiple users' eyes.
>     Look into encrypting the data using multiple keys, possibly openssl or pgp
> 
> Just be a bit careful as your business may have different requirements based on industry, laws, etc.
> 
> Best bet always is #1 if possible.
> 
> --lonnie
> 
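
Added example (not part of the original thread and not written by either poster): option 2 above, encrypting a value with PHP's openssl functions under a key derived from the user's own password, so the stored column can only be decrypted when the user supplies that password. The function names, the PBKDF2 iteration count, the AES-256-GCM choice and the single-column layout are assumptions of this sketch; it uses openssl rather than mcrypt because mcrypt was removed from PHP in 7.2.

```php
<?php
declare(strict_types=1);

// Assumed parameters for this sketch (not from the thread).
const KDF_ITERATIONS = 600000;          // PBKDF2-HMAC-SHA256 work factor
const CIPHER         = 'aes-256-gcm';   // authenticated encryption

// Encrypt $plaintext under a key derived from the user's password.
// Returns base64(salt | iv | tag | ciphertext), suitable for one text column.
function encrypt_for_user(string $plaintext, string $password): string
{
    $salt = random_bytes(16);           // per-record salt for the KDF
    $iv   = random_bytes(12);           // fresh 96-bit nonce for every encryption
    $key  = hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
    $tag  = '';
    $ct   = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($salt . $iv . $tag . $ct);
}

// Returns the plaintext, or null if the password is wrong or the
// stored value was truncated or modified (GCM tag check fails).
function decrypt_for_user(string $stored, string $password): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 16 + 12 + 16) {
        return null;
    }
    $salt = substr($raw, 0, 16);
    $iv   = substr($raw, 16, 12);
    $tag  = substr($raw, 28, 16);
    $ct   = substr($raw, 44);
    $key  = hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
    $pt   = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed sample values, for illustration only.
$stored = encrypt_for_user('000-00-0000', 'correct horse battery staple');
var_dump(decrypt_for_user($stored, 'correct horse battery staple'));
var_dump(decrypt_for_user($stored, 'wrong password'));
```

Because the key exists only while the user's password is in hand, a password change has to decrypt and re-encrypt the value in the same request, and a forgotten password makes the stored value unrecoverable.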


      


