Security? looking for some insight...
Shawn Wilson 2005-10-11, 6:57 pm
I've recently been trying to be as 'proper' and secure as possible when it
comes to what I write in PHP and when I store information in mySQL. I'm
looking for some suggestions in regard to how I store sensitive data to
protect it as well as I possibly can.
First, in regards to sensitive information like social security numbers,
credit card numbers, and the like - SSL is a given. Also, encrypting that
information when stored in the DB is a given.
As for a good practice, I've been told to put my main library that contains
my DB username and password in the parent directory to the main WWW
directory so it's not possible to get to it via a browser. That makes sense
and I've begun to do that.
My questions really deal with what if someone happens to brute force my FTP
password? Or what if a malicious employee at my ISP decides to pry?
Once someone has access to my files via FTP or a local console - they could
very easily get my database credentials and also my encryption seed and then
have access to all the secure data in my DB. I can use one-way encryption I
guess, but I'm wanting to remember credit card numbers for future
transactions much like Paypal or eBay, so I need two-way for that right?
Besides the obvious of using a 'strong' password, how can I protect this
data so I can with some certainty believe that my client's data is secure?
Even a strong password won't keep the ISP employee out of it though, so is
there anything I can do to ward off the curious or malicious employee?
Thanks in advance!
--
Shawn Wilson
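An added example, not from the thread or either of its participants, of the two-way encryption Shawn describes: a card number encrypted in PHP with a key file kept outside the web root, the same way he already keeps the DB credentials. The key path, table layout and the use of libsodium are assumptions of this example. It also illustrates the limit he points out: whoever can read that key file (FTP, local console, hosting staff) can decrypt everything, so keeping it out of the document root only defends against the browser.

```php
<?php
// Added example (not from the thread): reversible encryption of a stored
// card number with the key read from a file outside DocumentRoot.
// Requires the sodium extension (PHP 7.2+). Paths and layout are assumptions.
declare(strict_types=1);

const KEY_FILE = '/home/example/private/card.key'; // hypothetical; not web-reachable

// Load the 32-byte secretbox key. The file must be readable by the PHP process,
// so anyone with FTP or shell access as that user can read it too (Shawn's point).
function loadKey(string $path): string {
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('card key missing or wrong length');
    }
    return $key;
}

// Encrypt with a fresh random nonce; nonce and ciphertext are stored together
// as one base64 column value so the row can be decrypted later.
function encryptCard(string $pan, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($pan, $nonce, $key);
    return base64_encode($nonce . $box);
}

// Decrypt a stored value. Returns false if the value was tampered with or a
// different key is supplied (secretbox is authenticated, so it fails closed).
function decryptCard(string $stored, string $key) {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return false;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return sodium_crypto_secretbox_open($box, $nonce, $key);
}

// Demonstration with a constructed key and a constructed test PAN (not a real
// card); in production the key would come from loadKey(KEY_FILE).
$key    = sodium_crypto_secretbox_keygen();
$stored = encryptCard('4111111111111111', $key);
assert(decryptCard($stored, $key) === '4111111111111111');
// A different key cannot open the value: the key file is the whole secret.
assert(decryptCard($stored, sodium_crypto_secretbox_keygen()) === false);
echo "ok\n";
```

Protecting the key file itself (restrictive file permissions, a separate account or host for decryption) is what the defence against a hosting insider comes down to; the code above cannot help once the key and the ciphertext are readable by the same person.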
Jamie Davison 2005-10-12, 8:02 am
Have a look at . . .
http://dev.mysql.com/tech-resources...ecurity-ch3.pdf
On 10/11/05 7:56 PM, in article
tiY2f.122181$WT5.37039@fe07.news.easynews.com, "Shawn Wilson"
<firstinitial_lastname@dvigroup.net> wrote:
> I've recently been trying to be as 'proper' and secure as possible when it
> comes to what I write in PHP and when I store information in mySQL. I'm
> looking for some suggestions in regard to how I store sensitive data to
> protect it as well as I possibly can.
>
> First, in regards to sensitive information like social security numbers,
> credit card numbers, and the like - SSL is a given. Also, encrypting that
> information when stored in the DB is a given.
>
> As for a good practice, I've been told to put my main library that contains
> my DB username and password in the parent directory to the main WWW
> directory so it's not possible to get to it via a browser. That makes sense
> and I've begun to do that.
>
> My questions really deal with what if someone happens to brute force my FTP
> password? Or what if a malicious employee at my ISP decides to pry?
>
> Once someone has access to my files via FTP or a local console - they could
> very easily get my database credentials and also my encryption seed and then
> have access to all the secure data in my DB. I can use one-way encryption I
> guess, but I'm wanting to remember credit card numbers for future
> transactions much like Paypal or eBay, so I need two-way for that right?
>
> Besides the obvious of using a 'strong' password, how can I protect this
> data so I can with some certainty believe that my client's data is secure?
> Even a strong password won't keep the ISP employee out of it though, so is
> there anything I can do to ward off the curious or malicious employee?
>
> Thanks in advance!
>
> --
> Shawn Wilson
>
>
Shawn Wilson 2005-10-12, 6:57 pm
"Jamie Davison" <nospam@foregospam.org> wrote in message
news:BF72717D.2124%nospam@foregospam.org...
> Have a look at . . .
>
> http://dev.mysql.com/tech-resources...ecurity-ch3.pdf
>
Thanks for the input, however I'm not really looking for input validation
security... I don't have any user input that isn't strictly controlled.
(ie I only have credit card entry fields and they only allow numerical
input, etc...) I think I've taken care of that part well.
Good read though, I'll definitely go through it to make sure I've got that
part covered. It just doesn't address my question.
--
Shawn Wilson
Shawn Wilson 2005-10-12, 6:57 pm
"Jamie Davison" <nospam@foregospam.org> wrote in message
news:BF72717D.2124%nospam@foregospam.org...
> Have a look at . . .
>
> http://dev.mysql.com/tech-resources...ecurity-ch3.pdf
>
Sorry about that, I didn't read far enough... they do address the DB
credentials question.
Thanks.
--
Shawn Wilson