|
|
Posted by Jamie Davison on 10/12/05 14:53
Have a look at . . .
http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf
On 10/11/05 7:56 PM, in article
tiY2f.122181$WT5.37039@fe07.news.easynews.com, "Shawn Wilson"
<firstinitial_lastname@dvigroup.net> wrote:
> I've recently been trying to be as 'proper' and secure as possible when it
> comes to what I write in PHP and when I store information in mySQL. I'm
> looking for some suggestions in regard to how I store sensitive data to
> protect it as well as I possibly can.
>
> First, in regards to sensitive information like social security numbers,
> credit card numbers, and the like - SSL is a given. Also, encrypting that
> information when stored in the DB is a given.
>
> As for a good practice, I've been told to put my main library that contains
> my DB username and password in the parent directory to the main WWW
> directory so it's not possible to get to it via a browser. That makes sense
> and I've begun to do that.
>
> My questions really deal with what if someone happens to brute force my FTP
> password? Or what if a malicious employee at my ISP decides to pry?
>
> Once someone has access to my files via FTP or a local console - they could
> very easily get my database credentials and also my encryption seed and then
> have access to all the secure data in my DB. I can use one-way encryption I
> guess, but I'm wanting to remember credit card numbers for future
> transactions much like Paypal or eBay, so I need two-way for that right?
>
> Besides the obvious of using a 'strong' password, how can I protect this
> data so I can with some certainty believe that my client's data is secure?
> Even a strong password won't keep the ISP employee out of it though, so is
> there anything I can do to ward off the curious or malicious employee?
>
> Thanks in advance!
>
> --
> Shawn Wilson
>
>
Navigation:
[Reply to this message]
|