treng

Reputation: 1685

Store user messages

Is it secure to store user chat messages in database as plain text?

And another question: Where to store page content - in database or in files? WordPress holds blog entries in a database, but it takes 25 requests to the database to display a page, so website performance decreases.

Upvotes: 3

Views: 337

Answers (5)

Palladium

Reputation: 3763

Summary of comments:

  • Considering the nature of the application (a chatroom on the Internet), I feel that saving the chats as plain text is acceptable assuming that the users do not chat about private/sensitive/confidential information.
  • The above assumption can be made given some faith and optimism in the human race (i.e.: that it is smart enough to realize that a chatroom or a PM session is not the time or place to give out passwords, SINs, credit card numbers, etc.).
  • Concerning the, well... concerns surrounding the situation in which a person betrays the above assumption, I am of the belief that no amount of foolproofing is enough for the most ingenious fool. While encrypting the chat is most definitely more secure than not, the cost of encrypting each and every chat as opposed to the applicability of the added benefit to chats (that is, none whatsoever unless the chat contains sensitive information, which is a rare case at best) provides little incentive to encrypt those chats. A much simpler solution would be to simply disclaim any responsibility for private information leaked from the chats.
  • One last tidbit on handling sensitive information (this one's for Internet users everywhere): don't do it through email, chat, or any unsecured connection. Try as much as possible to avoid putting sensitive information where it will be logged, unless you have absolute confidence the logs won't be breached.

Upvotes: 2

Jirka Kopřiva

Reputation: 3099

Database storage ends in files too. Compression is in use - less memory for saving in the end.

Upvotes: 0

Tivie

Reputation: 18933

Is it secure to store user chat messages in database as plain text?

Depends on how sensitive the information is and how secure the database itself is. Example: Can the database be accessed from outside or only from localhost? However, if you feel that you need an extra layer of security, then it doesn't hurt to use some simple way of obfuscation.


Where to store html page content - in database or in files?

Most of the time, accessing files is quicker than accessing the database.

A database should be used to store/access information in a structured way, enabling elaborate searches, data changes, etc. Static HTML is probably better saved in the filesystem. However, sometimes it might be best to store HTML content in the database. Examples:

  • Storing in the database makes it easier to change database information from an admin page than changing the file system (also, it's safer). So for dynamically created pages, or in a CMS (such as Drupal or WordPress), it might be best to store content and "layouts" in the database.
  • Forum posts contain "content" as well as markup (styling). You don't usually separate one from the other.

Upvotes: 1

eggyal

Reputation: 126035

Separate questions really ought to be posted as separate questions...

And neither question is sufficiently well-defined to give anything but the broadest of answers...

But here we go:

  1. Whether or not something is "secure" depends on your threat model (i.e. your definition of "secure"). But what alternatives are available to you? If you encrypt the messages, where will you store the decryption key?

  2. Where to store data depends on the structure of such data and how you intend for it to be used. If it is "static" and will always be queried in predictable ways, a filesystem may provide sufficient structure for good performance; however, if the data is "dynamic" (i.e. your application will modify it), then a database may offer greater flexibility or better performance. As with most problems in computing, the design decision you take is a trade-off for which the best answer will depend on your own requirements (and indeed, your metric of what is "best").

Upvotes: 2

Shyju

Reputation: 218942

As long as you keep your database credentials safe with you, it is fine to keep them in the database. I do not see any reason to keep them encrypted.

What kind of page content are you talking about? If it is CMS kind of stuff, if you keep page contents as pages, how many pages are you going to keep? God!!!!

You should use a database to keep such things. It makes things easier to update the content in the future etc. And you do not need to worry about querying your database. Find out the items which are not being updated frequently and cache them. When your page needs those contents, get them from the cache layer instead of the DB tables.

Upvotes: 1
