>Sorry to be slightly OT, but I've prolly answered 1000 OT posts in the last
>year, and this IS related for all those without mcrypt, so...
>
>I'm on a shared server which does not have mcrypt... not good, since I want
>to temporarily store credit card numbers in an encrypted manner, either in a
>MySQL database, or in a text file.
>
>So I started google'ing for a class or something that someone may have
>written for two-way encryption WITH A KEY TO UNLOCK.
>
>Couldn't find much, then did a search on MySQL.com, and found the ENCRYPT(),
>DECRYPT(), ENCODE() and DECODE() functions.
>
>Am I barking up the wrong tree, or can these be used for storing sensitive
>information (credit card, etc etc) in a mysql table?
>
>The MySQL manual isn't particularly in-depth about it all:
>http://www.mysql.com/doc/M/i/Miscellaneous_functions.html

You're barking down the wrong well. :-)

If PHP can *DECRYPT* the data in your database, then it's not very secure AT ALL. It's just too easy for a hacker to get a script uploaded/installed and then run it and snatch all the cc #'s.

To answer your question:

ENCRYPT will not help, as it's one-way. You could ask somebody to re-enter their CC# and see if it's the same as before or not, but not "un-do" the ENCRYPT.

Plain old ENCODE and DECODE don't even tell you which algorithm is used, so that's useless.

AES_ENCRYPT/AES_DECRYPT is using 128-bit encryption, which would be fine, but *ANYBODY* who manages to read your "password" (aka "key_string" in the arg_list) could snatch the CC#s.

Since PHP can read the source to execute to get the password, that makes this suitable *ONLY* if:
1. You are using SSL (HTTPS)
2. You *NEVER* store the password anywhere -- It must be typed by a human into the web-page to store/retrieve the CC#s.

That doesn't sound like what you want.

DES_ENCRYPT/DES_DECRYPT is using DES which doesn't totally suck, but, again, the issue is the des_key_files. If *THOSE* are secure from prying eyes, but MySQL can still read them somehow, it might be "okay"... But making it possible for MySQL to read them, but not "too open" for other users is somewhat of an oxymoron, maybe.

I dunno enough about how MySQL accesses these files and if it starts as 'root' like Apache and then does 'su' or what, but I'd be very, very careful figuring out *exactly* how MySQL can read these files safely, but a rogue user should have *NO* *CHANCE* at getting to them.

Bottom line -- You've *GOT* to make sure you have no chinks in the armour.

--
Like Music? http://l-i-e.com/artists.htm
I'm looking for a PRO QUALITY two-input sound card supported by Linux (any major distro). Need to record live events (mixed already) to stereo CD-quality. Soundcard Recommendations? Software to handle the recording? Don't need fancy mixer stuff. Zero (0) post-production time. Just raw PCM/WAV/AIFF 16+ bit, 44.1KHz, Stereo audio-to-disk.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
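
Added example, not part of the original thread and not the poster's code: a PHP sketch of condition 2 in the reply above, where the key is derived from a passphrase a human types on each request and is never stored. It swaps in PHP's openssl extension (AES-256-GCM with PBKDF2) for MySQL's AES_ENCRYPT so that it runs without a database; the function names, iteration count and sample values are assumptions.

```php
<?php
// Added example: the passphrase exists only in the request that carries it.
// deriveKey(), sealCard() and openCard() are hypothetical names.

const KDF_ITERATIONS = 200000; // assumed work factor, tune for the host

// Derive a 256-bit key from the typed passphrase; nothing is written to disk.
function deriveKey(string $passphrase, string $salt): string
{
    return hash_pbkdf2('sha256', $passphrase, $salt, KDF_ITERATIONS, 32, true);
}

// Returns base64(salt | iv | tag | ciphertext), the only value stored in the table.
function sealCard(string $cardNumber, string $passphrase): string
{
    $salt = random_bytes(16);
    $iv   = random_bytes(12);
    $tag  = '';
    $ct   = openssl_encrypt($cardNumber, 'aes-256-gcm',
                            deriveKey($passphrase, $salt),
                            OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($salt . $iv . $tag . $ct);
}

// Returns the card number, or null if the passphrase is wrong or the row was altered.
function openCard(string $stored, string $passphrase): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= 44) {
        return null; // too short to hold salt(16) + iv(12) + tag(16) + data
    }
    $salt = substr($raw, 0, 16);
    $iv   = substr($raw, 16, 12);
    $tag  = substr($raw, 28, 16);
    $pt   = openssl_decrypt(substr($raw, 44), 'aes-256-gcm',
                            deriveKey($passphrase, $salt),
                            OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed sample values; on a real page the passphrase comes from an HTTPS form field.
$typed = 'passphrase typed by the operator';
$row   = sealCard('4111111111111111', $typed); // standard test card number
var_dump(openCard($row, $typed));                        // right passphrase
var_dump(openCard($row, 'guess from a planted script')); // wrong passphrase
```

Only the base64 string goes into the table or text file, so a script planted on the server reads ciphertext and finds no key in the source or on disk.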