发表新帖
发表新帖

How can I store sensitive data securely in a MySQL database?

后端 未结
关注
3 1020
一生所求
一生所求 2020-12-15 23:07

I am making an employment application for a company I am working for. I\'ve got it to protect against SQL injection and some XSS techniques. My main issue is keeping sensiti

相关标签:
3条回答
  • 甜味超标
    2020-12-15 23:18

    SQL query with key in it (as Wesley Murch suggests) is not a good idea. If you do:

    update mytable set myfield = AES_ENCRYPT('some value', 'your secure secret key');

    ... and the query gets logged (slowlog for inst.) your secure secret key is captured in plain text, which should never happen. Such a query with the secret key would be also visible when you run query like SHOW PROCESSLIST.

    Next problem where to store the secure key? In PHP file? It is again plain text.

    Encrypt data:

    Use private/public key encryption (http://en.wikipedia.org/wiki/Public-key_cryptography). PHP has quite good support for it.

    • Public keys can be stored with the user in DB, it is public.
    • Private key can be encrypted with user's password. When user logs in, you decrypt the private key and store it in his cookies (if you use SSL, it is not that bad place) or session. Both are not perfect but better than plain text in php file.
    • Use the public key to encrypt, private key to decrypt.
    • Only user will have the access to his data.

    If you want to learn more, you can google "user controlled encryption" or "zero knowledge privacy".

    SQL inserts / XSS:

    The best protection is secure app. No doubt. If you want to secure it, you can use for inst PHP IDS to detect attacks: https://github.com/PHPIDS/PHPIDS

    I have quite good experience with it.

    0 讨论(0)
  • 耶瑟儿~
    2020-12-15 23:20

    As implied in the comments, you are asking a huge question. You are going to need to research a number of separate issues:

    • SQL Injection and how to prevent it
    • XSS and how to prevent it
    • encrypting submitted form data using SSL
    • best practices for storing sensitive information in a database

    It would be hard to address all of them in one answer. I would suggest performing some searches on this site for the topics mentioned above.

    0 讨论(0)
  • 醉话见心
    2020-12-15 23:39

    This is an overly simplified answer and should be taken with a grain of salt, as most answers about security:

    • Use SSL everywhere.

    • Use a secure encryption key

    For storage of encrypted data, you could use a BLOB field, and use MySQL's built in encryption functions. Example:

    update mytable set myfield = AES_ENCRYPT('some value', SHA2('your secure secret key', 512));

    If you prefer to do the encryption/decryption in the application code, take a look at PHP's Mcrypt functions.

    • Encrypt the user input
    • Store in the database
    • Decrypt it after fetching it

    This is by no means a complete guide, but it's a start and better than doing nothing.

    You may be able to learn more on https://security.stackexchange.com/

    0 讨论(0)
 看不清?
提交回复
热议问题