Posted by Ahmed Saad on 07/13/05 13:43
Hi Jeffrey,
On 7/13/05, Jeffrey <jeffreyb@ungodly.com> wrote:
> Is it worth encrypting data on the database tables when anyone who can
> access the application itself - or better still the server - could
> readily access the encrypted data? Assuming SSL connections, secure
> server, etc, would you also encrypt on the DB?
What type of encryption do you mean? For one-way encryption algorithms
(widely employed to store passwords) the data can't be recovered
(except by brute force attacks, a time- and resource-consuming process
that can take forever). For two-way encryption algorithms, the data
has to be decrypted at some point for a "legitimate" controlled use.
If the decryption process is done inside your web application code,
then why wouldn't the attacker (assuming he/she has gained access to
the server) read your source code to find out how to decrypt the data?
I haven't been through this before so this is just what I think about
it.
-ahmed