CODEWITHSUNDEEP
phpmysqlsecurity
Odyss3us
Odyss3us

Reputation: 6635

Securing mySQL data

I am inserting data into a mySQL database, but I am inserting banking details so it is very sensitive, how can I secure it and protect against it getting into the wrong hands?

At the moment the code is still very basic, without any preventative measures in place,

mysql_connect("localhost", "user", "pass") or die(mysql_error());
mysql_select_db("db") or die(mysql_error());

$result = mysql_query("INSERT INTO table (id, name, surname) 
VALUES (NULL, '".$_SESSION['name']."', '".$_SESSION['surname']."' )")
or die(mysql_error());

Thanx in advance!

Upvotes: 1

Views: 419

Answers (7)

Brian
Brian

Reputation: 6450

If you're seriously storing banking details please read as much as you possibly can in this area; consider hiring someone with a lot of expertise in the field.

Sensitive data's like landmines, you don't want to touch it unless you really know what you're doing.

Edit - I want to clarify I'm being deadly serious here, not flippant. If I were given a project like this I would raise a big "out of my depth" flag to protect myself and my company. IMO this is one of these projects where failure to provide adequate infrastructure and process could lead to a company-destroying compromise.

I could well be overreacting here, but I'm trying to offer genuine advice that I'd give to a friend or colleague who came to me with the same question.

Upvotes: 7

Marcus Adams
Marcus Adams

Reputation: 53830

These are just suggestions that I didn't see anybody else make.

  1. Since you're using $_SESSION, make sure that register_globals is off to avoid SQL injection.
  2. Secure your MySQL database. It shouldn't even be on the Internet. Only your web server should be able to access it.

Upvotes: 0

Ryan
Ryan

Reputation: 178

You'll need to encrypt the sensitive data before it goes into the database. Mcrypt is a common way of doing so within PHP.

Mcrypt manual on php.net

Upvotes: 2

Raj More
Raj More

Reputation: 48016

You should look for security in the following places:

  • Script on the website: No Inline SQL - use stored procedures or prepared statements
  • Data transfer from website to database: Use HTTPS
  • Data storage in the database: You can either encrypt some tables, or the entire database
  • Database and Key backups: If a backup falls into the wrong hands, it will be compromised. Backups should be kept secure.

Read this thread and it will teach you a lot about building websites

https://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site

Upvotes: 1

Maz
Maz

Reputation: 3375

It appears that you are writing a PHP application (which I'll assume will be deployed to the web)

  • Use HTTPS for web communication
  • Do NOT use the default port for MySQL
  • Have a different user account (in MySQL) for each operation (each with different passwords) for example, you might have a mytable1_select account which can only perform selects on mytable1
  • Use random string generators for usernames and passwords. Although this will make the code harder to understand, this will make it harder for a malicous person to gain access because they will need to guess both the username and the password
  • Protect against SQL injection by escaping all user-inputted strings

Upvotes: 4

Sarfraz
Sarfraz

Reputation: 382696

You should really use Prepared Statements to secure yourself.

Your sample code is way too risky !

Upvotes: 3

robdog
robdog

Reputation: 486

You need to prevent SQL injections. Use mysql_real_escape_string() around all your variables you're inserting. Better yet, use PDO and prepared statements. Even better, use PDO and stored procedures.

Upvotes: 0

Related Questions