> 1. Are you absolutely sure you need to store the data at all?

Good question. But as is often the case when management is asked about these things - they say yes :)

--- On Tue, 6/30/09, Lonnie Olson <[email protected]> wrote:

> From: Lonnie Olson <[email protected]>
> Subject: Re: [UPHPU] store sensitive data in mysql + php web application
> To: [email protected]
> Cc: [email protected]
> Date: Tuesday, June 30, 2009, 11:48 AM
>
> On Tue, Jun 30, 2009 at 11:00 AM, CarSign<[email protected]> wrote:
> > I am needing to store sensitive data like a Social Security Number in our database that will be used by our web application.
> >
> > Should the data be encrypted by PHP before it is passed to mysql OR should it be encrypted by mysql OR should I encrypt in both places so that it is double encrypted?
>
> It depends on why you need to store the data.
>
> 1. Are you absolutely sure you need to store the data at all?
> 2. Need to store the data for user's eyes only.
>    Look into using mcrypt or openssl functions to encrypt the data using the user's own password/secret key. Then you can only decrypt it when the user requests the data.
> 3. Need to store the data for multiple users' eyes.
>    Look into encrypting the data using multiple keys, possibly openssl or pgp
>
> Just be a bit careful as your business may have different requirements based on industry, laws, etc.
>
> Best bet always is #1 if possible.
>
> --lonnie

_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
