PHP/MySQL encryption/protection of sensitive info

Hello all.

I'm currently working on a new site that encompasses the registration
of members. The registration is taking place through PHP interaction
with MySQL. The site is just going to be for my friends and I, but I
have run into an issue that I have often wondered about before. Any
insight would be appreciated.

The database contains semi-sensitive information. Not CC numbers, but
think more like usernames/passwords to other sites. I've done sites
before in which I would create user accounts/passwords. In that case,
I would just do straight encryption, and then decipher the input
password against the db encrypted one to verify login credentials. No
problem. But, what about the case in which my underlying programs
will need to use the usernames/passwords that are in the database
(exactly as they appear) to POST logins to other sites using that
information?

Ideally, I want to keep the info as secure and protected as possible
in the database. I can't really encrypt() the passwords because I
need to decrypt them again in order to POST them on respective sites
for respective users. I don't think that's how it works when you
encrypt since the idea is not to be able to decrypt with ease.

Do I need to write my own encryption function? The idea of storing
unencrypted semi-sensitive information makes both me and my friends
nervous.

Any thoughts on how to tackle this?

Thanks in advance,
Chris
Jul 16 '05 #1
Hello,

On 07/09/2003 10:04 AM, Chris wrote:
> I'm currently working on a new site that encompasses the registration
> of members. The registration is taking place through PHP interaction
> with MySQL. The site is just going to be for my friends and I, but I
> have run into an issue that I have often wondered about before. Any
> insight would be appreciated.
>
> The database contains semi-sensitive information. Not CC numbers, but
> think more like usernames/passwords to other sites. I've done sites
> before in which I would create user accounts/passwords. In that case,
> I would just do straight encryption, and then decipher the input
> password against the db encrypted one to verify login credentials. No
> problem. But, what about the case in which my underlying programs
> will need to use the usernames/passwords that are in the database
> (exactly as they appear) to POST logins to other sites using that
> information?
>
> Ideally, I want to keep the info as secure and protected as possible
> in the database. I can't really encrypt() the passwords because I
> need to decrypt them again in order to POST them on respective sites
> for respective users. I don't think that's how it works when you
> encrypt since the idea is not to be able to decrypt with ease.
>
> Do I need to write my own encryption function? The idea of storing
> unencrypted semi-sensitive information makes both me and my friends
> nervous.


There isn't much you can do because if the user of your scripts can read
the passwords from somewhere, anybody logging in as that user can access
the data from those scripts. Encryption won't help because you still
have to decrypt and pass it to MySQL. Actually encryption will make it
slower because decryption takes time.

What you may want to do to make it more difficult is to use an encoder.
Encoders do not use encryption, just compile your scripts and encode the
resulting byte codes in binary format. The side effect is that encoded
scripts run faster because they just load pre-compiled scripts.

There are several commercial solutions but you can also use Turck, a
free encoder/loader without real disadvantages compared to commercial
solutions:

http://www.turcksoft.com/en/e_mmc.htm

Here you may even find a Web frontend to compile and encode your scripts:

http://www.phpclasses.org/phpcoder

--

Regards,
Manuel Lemos

Free ready to use OOP components written in PHP
http://www.phpclasses.org/

Jul 16 '05 #2
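
An added example (not part of either post), in PHP with the sodium extension: the stored third-party credentials are encrypted reversibly with a key kept outside MySQL, so a database dump alone does not reveal them, while, as the reply notes, anyone who can run code as the script's user can still decrypt. The function names, the member id/site context string and the sample values are assumptions made for this illustration.

```php
<?php
// Added example: reversible, authenticated encryption of third-party
// credentials before they are stored in MySQL. Requires PHP 7.2+ (ext-sodium).

// Hypothetical helper: bind each ciphertext to its row so a value copied
// into another member's or site's row fails authentication.
function cred_context(int $memberId, string $site): string
{
    return $memberId . '|' . $site;
}

function encrypt_credential(string $plain, string $key, int $memberId, string $site): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
        $plain, cred_context($memberId, $site), $nonce, $key
    );
    // Store nonce and ciphertext together in one VARCHAR/TEXT column.
    return base64_encode($nonce . $ct);
}

function decrypt_credential(string $stored, string $key, int $memberId, string $site): string
{
    $raw = base64_decode($stored, true);
    $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if ($raw === false || strlen($raw) < $n + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        throw new RuntimeException('Malformed stored credential');
    }
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $n), cred_context($memberId, $site), substr($raw, 0, $n), $key
    );
    if ($plain === false) {
        throw new RuntimeException('Credential failed authentication');
    }
    return $plain;
}

// Demo with a constructed key and constructed values. In deployment the key
// is generated once and loaded from outside the database and the web root.
$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$stored = encrypt_credential('s3cret-demo', $key, 42, 'forum.example');
var_dump(decrypt_credential($stored, $key, 42, 'forum.example') === 's3cret-demo');

try {
    decrypt_credential($stored, $key, 43, 'forum.example'); // value moved to another member's row
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```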