Good evening,

So I am working on a PHP application powered by MySQL. I feel I am an intermediate programmer in PHP and intermediate with dealing with MySQL. I have begun to research security as it is or should be in my opinion the core fundamental when building anything that contains protected information on a database. Security methods seem to be a personal preference, usually involving salt (when dealing with PHP) along with md5, sha1 or sha256 or a combination. I originally planned on using salt along with md5 and SSL, but I'm not sure if this is the best way to go about all of this.

So I am wondering what languages and methods users prefer to protect their databases with? The reason I am asking is because I see a lot of online banks using CGI scripts and I am curious if maybe CGI scripting is a better alternative for more sensitive information.

I have never really gotten this in depth with security on the web, so I figured I'd rack some of the community's opinions on this topic.

Sorry forum mods if I am in the wrong section, couldn't find a security section to post this in and since it relates to protecting databases I figured this was as good of a spot as any.

I assume you're asking about data level encryption?

I personally wouldn't encrypt database data; instead I would make the environment where it lives very secure. After all, once you decrypt the data, if that is sent across the wire, that can be intercepted. The other thing is, if this was a big database, encrypting and decrypting data would really make the database unusable quickly.

I have never come across any application that really needs the database to be encrypted, as quite simply it can be hacked. Once someone gets the key, that data is compromised and would need to be decrypted and re-encrypted - hardly maintainable. The better thing to do is to tend toward server hardening, and improve on your security measures when accessing the databases - so if you need to, very fine grained security permissions.

However, if you were going to want to do that, you could do a number of things; asymmetric encryption with a certificate would seem like a good place to start. If you were going to do this, you'd want to design the database so that all the identifiable data would be in reference tables and encrypted, and all the surrogate keys and other non-identifiable data be left as is. I can't see how that would be a good solution though at all.

Also, good advice is to not trust the next or the previous layer and always verify the input. After all, even encrypted dbs in the most secure environments can be cracked open with SQL injection.
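The point about verifying input and SQL injection, as an added example that is not code from any poster in this thread: a query built by string concatenation next to the same lookup with a bound parameter. The `accounts` table, its rows and the function names are constructed, and an in-memory SQLite database stands in for MySQL (PDO is used the same way with either).

```php
<?php
// Added example: constructed schema and data; SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)');
$pdo->exec("INSERT INTO accounts (owner, balance) VALUES ('alice', 100), ('bob', 250)");

// Vulnerable: the input becomes part of the SQL text itself.
function findByOwnerUnsafe(PDO $pdo, string $owner): array {
    $sql = "SELECT owner, balance FROM accounts WHERE owner = '$owner'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed and the value is bound as data.
function findByOwner(PDO $pdo, string $owner): array {
    $stmt = $pdo->prepare('SELECT owner, balance FROM accounts WHERE owner = :owner');
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Allow-list validation, applied before the query as a separate layer.
// \A and \z anchor the whole string, so a trailing newline is not accepted.
function isValidOwner(string $owner): bool {
    return preg_match('/\A[a-z0-9_]{1,32}\z/i', $owner) === 1;
}

$hostile = "x' OR '1'='1";   // constructed test input
printf("concatenated query rows: %d\n", count(findByOwnerUnsafe($pdo, $hostile)));
printf("bound query rows:        %d\n", count(findByOwner($pdo, $hostile)));
printf("passes validation:       %s\n", isValidOwner($hostile) ? 'yes' : 'no');
printf("legitimate lookup rows:  %d\n", count(findByOwner($pdo, 'alice')));
```

The concatenated query returns every row for the hostile input, while the bound query treats the same string as an owner name that matches nothing.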

Thank you for the input. First off I have been very diligent in the design client side.

I have removed error reporting, done my best to eliminate the potential for SQL injection, using require_once I have hidden a lot of my files to try and reduce the possibility of a malicious user trying to get my source code, put as many of the site settings in the DB as possible, tried to prevent directory traversal AND lastly also worked on eliminating the potential for session hijacking. For passwords and other sensitive information I am using various salts (randomly generated and static and a mixture of both depending on how private the information must stay) and sha256 which from everything I know is one of the more secure ways to go.

Now granted a hacker with enough intent could in theory get into any website on the internet if they have the will and the need.

That's client side, I am right now working on double, triple and quadruple checking my source to make sure I haven't left any leaks. Now server wise with the MySQL - that's where I am still kinda shaky, I understand that because this will eventually generate a massive database that to encrypt everything is just unrealistic (would be nice, but let's also be realistic).

Do any of you have any resources about actual database security?

I see a lot of web resources saying the biggest threat are buffer overflow attacks, but are there any other major threats that I should be wary of?

I always consider the greatest threat is the one you haven't taken precautions for. Even sites locked down with the most secure ways have been hacked with the oldest tricks in the book, read here for an example: http://www.daniweb.com/web-development/databases/ms-sql/news/247659

I know that this doesn't offer any help, but the message is never feel safe and periodically verify your security.

clean, validate and verify all data and users, never trust any input
hash all your passwords and salt them with a long and random salt
each time there is a database access operation requiring critical data, verify the user by asking for the password
forms should have expirable tokens
there are many angles to consider and I would suggest you check with the owasp.org SQL cheat sheet
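Three items from the checklist above (salted password hashes, asking for the password again before critical operations, expirable form tokens), as an added example that is not code from any poster in this thread. It uses PHP's built-in `password_hash()`, which generates a random salt per password, in place of a hand-built salt plus hash; the token layout, function names, session id and form name are assumptions made for illustration.

```php
<?php
// Added example. Secret, session id and form name are constructed values.
const TOKEN_TTL = 900; // seconds a form token stays valid

// Re-check the password before a sensitive operation. $storedHash comes from
// password_hash(), which embeds a random per-password salt in its output.
function reauthenticate(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

// Token = expiry timestamp + HMAC over (session id, form name, expiry).
function issueFormToken(string $secret, string $sessionId, string $form, int $now): string {
    $expires = $now + TOKEN_TTL;
    return $expires . '.' . hash_hmac('sha256', "$sessionId|$form|$expires", $secret);
}

function checkFormToken(string $secret, string $sessionId, string $form,
                        string $token, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                        // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < $now) {
        return false;                        // token has expired
    }
    $expected = hash_hmac('sha256', "$sessionId|$form|$expires", $secret);
    return hash_equals($expected, $mac);     // constant-time comparison
}

$secret  = random_bytes(32);                 // server-side secret, never sent to the client
$session = 'constructed-session-id';
$now     = time();

$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$token  = issueFormToken($secret, $session, 'transfer', $now);

$checks = [
    'right password accepted' => reauthenticate('correct horse battery staple', $stored),
    'wrong password accepted' => reauthenticate('wrong guess', $stored),
    'fresh token accepted'    => checkFormToken($secret, $session, 'transfer', $token, $now),
    'expired token accepted'  => checkFormToken($secret, $session, 'transfer', $token, $now + TOKEN_TTL + 1),
    'other session accepted'  => checkFormToken($secret, 'another-session', 'transfer', $token, $now),
];
foreach ($checks as $label => $result) {
    printf("%-26s %s\n", $label, $result ? 'yes' : 'no');
}
```

Because the expiry is covered by the HMAC, a client cannot extend a token's lifetime by editing the timestamp in front of the dot.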
