Printable View
Hi friends,
I have completed the basic things of coding in PHP programming language. Now I have turned towards creating the database. I have somehow created it but I don't know anything about an encryption that takes place in PHP. So thought that you guys can help me on this topic. Please explain me how to Encrypt Database in PHP? Detailed information is very appreciable. :rolleyes:
The SSL / SSH protects data traveling between server and client, but SSL / SSH does not protect data once in the database. SSL is a protocol in line. It is recommended to establish connections to the server with SSL to encrypt client / server exchanges, to improve security. You can also use an SSH client to encrypt the connection between client and server databases. If any of these protections is in place, it will be difficult to monitor your traffic and understand the information exchanged. Even if web-server and DBMS are on the same physical machine one can separate networks by setting database in virtual server inside the main system.
I would like to tell you some basic things about creating the database, since I think that you don't have much knowledge about it. After creating the Database, only the owner and the superuser can do anything with the tables of the database and requires that it gives rights to all stakeholders who will work on this basis. Applications should never connect to the server database under the name of the owner or administrator, as these users have very important rights, and can run any application. You can create different user databases for each aspect of your application with very limited rights to planned actions. It must then ensure that the same user has the rights to several use cases.
Encrypting data is a good solution to reduce this threat, but very few databases offer this type of encryption. The easiest way to circumvent this problem is to create your own encryption software, and use in your PHP scripts. PHP can assist you in this task thanks to the many extensions available to it as Mcrypt and Mhash, who know a wide range of encryption methods. The PHP script will encrypt the data to be stored and read when they are replayed.
In the case of very sensitive data if the original representation is not necessary using a hash is a good solution. The classic example is the storage of passwords in the database, after having passed the MD5. The following is an example that explains the same :
PHP Code:<?php
$query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');",
pg_escape_string($username), md5($password));
$result = pg_query($connection, $query);
$query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';",
pg_escape_string($username), md5($password));
$result = pg_query($connection, $query);
if (pg_num_rows($result) > 0) {
echo 'Welcome, $username!';
} else {
echo 'Authentication failed for $username.';
}
?>
You can claim that the attacker must first obtain information on the scheme of the database, in most cases injections. True, but you never know how or when this information has filtered, and If this happens, your database will be in great danger. If you are using an open source, or a base that is public domain, or a pattern that belongs to a content management or forum, the hacker can easily obtain a copy of the code that you use. This may be a risk if it is a poorly conceived.