Wretch11

Reputation: 65

DB Data Encrypting, SQL injection and Intranet

Quick question:

Is it worth the extra time and effort to encrypt Dbase data and guard against SQL injection when you are working on code that will serve only on a local intranet and where only two employees (non coders) are authorized to make use of it?

Upvotes: 0

Views: 121

Answers (2)

Neville Kuyt

Reputation: 29629

Short answer - yes, it is.

Attackers look for weak links, and you don't want your application to be a weak link. For instance, if you do not encrypt user credentials in your database and don't guard against SQL injection, an attacker who can get onto your internal network can easily steal the credentials of your users; if they have re-used passwords, this means the attacker can now use those credentials stolen from your "weak" system to gain access to a much "stronger" system.

Also - this is the way we're building web applications now; any framework you use will make the additional effort almost minimal - arguably, not doing these things is more effort than doing them if you use tools like Ruby on Rails, the Zend framework etc.

Upvotes: 1

Naruto

Reputation: 4329

It's not about one or two users but basic sanity. You don't need to encrypt the complete data, only sensitive data like user credentials. Secondly, for SQL injection, it's a very minimal amount of code that you have to use: instead of normal statements, use prepared statements for queries. I don't see any hurdle here.

If you store data in normal format, anyone having access to the DB can retrieve operator credentials, and anyone having access can jeopardise the user data by using SQL injections.

Upvotes: 1
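
The advice in the two answers above, as an added example that is not part of either answer: Python with the standard-library `sqlite3` module, contrasting a concatenated query with a prepared statement, and storing credentials as salted PBKDF2 hashes (a one-way hash is used here in place of reversible encryption). The table, operator names and passwords are constructed for illustration.

```python
import hashlib, hmac, os, sqlite3

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_db():
    # Constructed in-memory table with two sample operators.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE operators (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in (("alice", "correct horse"), ("bob", "battery staple")):
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO operators VALUES (?, ?, ?)", (name, salt, digest))
    return db

def lookup_concatenated(db, name):
    # "Normal statement": the input is pasted into the SQL text and parsed as SQL.
    return db.execute("SELECT name FROM operators WHERE name = '" + name + "'").fetchall()

def lookup_prepared(db, name):
    # Prepared statement: the input is bound as a value and never parsed as SQL.
    return db.execute("SELECT name FROM operators WHERE name = ?", (name,)).fetchall()

def check_login(db, name, password):
    # Only the salt and hash are stored, so a database dump reveals no passwords.
    row = db.execute("SELECT salt, pw_hash FROM operators WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote character
    print("concatenated:", lookup_concatenated(db, crafted))
    print("prepared:    ", lookup_prepared(db, crafted))
    print("login ok:    ", check_login(db, "alice", "correct horse"))
```
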
