Make sure that you don't overkill here....
To make the communication between browser and web server secure, use a
digital certificate. Will cost, though not much these days... Will
significantly slow the rate at which you can serve pages, although it's
generally not noticeable to end users.
To make access to your database secure (from external people, e.g.
hackers) you need to lock down your database. Think about things like
firewalls etc. on your web server. Again, will slow the server down, but
that's a price most people will pay.
To make the contents of your database secure (from external and internal
people), encrypt it as has been suggested. This'll significantly slow
data access, though.
If you're worried about confidentiality, I'd argue that points 1 & 2 are
all that's needed in most scenarios.
Point 3 is fine, but I work in this area and to be honest, you very
rarely see this approach in the commercial world. If things are
encrypted it's generally only 1 or 2 fields (e.g. cc no & expiry), not
the whole record. Or it might be because you don't trust your internal
staff, let alone external people, to see the data (internal people won't
necessarily use your web site to look at the data so points 1 & 2 are
useless, though if this is an issue you'll probably need to think about
file system security here too). Or maybe you do trust your internal
people, but they're simply not allowed legally to see the data (e.g.
restrictions between financial jurisdictions).
If you're going about this as a programming exercise, fine. Cryptography
is great fun to find out about. (Applied Cryptography, by Bruce Schneier,
is one of the best technical books I've ever read and I'd highly
recommend it.) But if you're doing this commercially, think about what
you actually need before you dive in.
*** Sent via Developersdex
http://www.developersdex.com ***
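The field-level approach from point 3 (encrypting only the card number and expiry, not the whole record), as an added example in Go that is not part of the original post. It assumes AES-GCM from the Go standard library and a single data key; the key, column names and sample row are constructed for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// FieldCipher encrypts individual columns with AES-GCM under one data key.
type FieldCipher struct{ aead cipher.AEAD }
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes long
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &FieldCipher{aead: aead}, err
}
// Encrypt seals one value under a fresh nonce; the column name is bound as associated data.
func (f *FieldCipher) Encrypt(column, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(ct), nil
}
// Decrypt reverses Encrypt; a wrong key, wrong column or any edit fails the GCM tag check.
func (f *FieldCipher) Decrypt(column, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	n := f.aead.NonceSize()
	if err != nil || len(raw) < n {
		return "", errors.New("malformed stored value")
	}
	pt, err := f.aead.Open(nil, raw[:n], raw[n:], []byte(column))
	return string(pt), err
}
// EncryptRecord replaces only the named sensitive columns in place; the rest stays queryable.
func (f *FieldCipher) EncryptRecord(row map[string]string, sensitive ...string) error {
	for _, col := range sensitive {
		ct, err := f.Encrypt(col, row[col])
		if err != nil {
			return err
		}
		row[col] = ct
	}
	return nil
}
```

Binding the column name as associated data means a ciphertext copied from one column into another fails to decrypt, and the GCM tag catches any edit to the stored value.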