Robyn Renwick wrote:
> I use a MySQL database for the back end of our e-commerce site. We take
> credit as one method of payment and the last 8 digits of the card number
> are stored in the database. There is a web interface to the database from
> which I can get order information, but not the card number. I also can
> access the database through a MyODBC connection and MyAccess.
I usually do security in a very stupid-proof way: I separate all logical
boxes from each other onto separate computers:
- web server
- business logic
- database
and have very strict rules for moving data between them. Then I follow the
manuals to exactly escape and clean up data between them: escape special
characters plus verify/clean all datatypes. Cut off data at the specified
length, drop all character info from numeric fields, CR/LFs from
one-line datatypes and so on. And you get a pretty secure solution. And of
course encrypt everything and do not keep any sensitive data on the
web server at all.
--
MySQL Development Team
__ ___ ___ ____ __
/ |/ /_ __/ __/ __ \/ / Tonu Samuel <[EMAIL PROTECTED]>
/ /|_/ / // /\ \/ /_/ / /__ MySQL AB, http://www.mysql.com/
/_/ /_/\_, /___/\___\_\___/ Tallinn, Estonia
<___/
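The cleaning rules the reply lists (drop non-digits from numeric fields, strip CR/LF from one-line fields, cut at a fixed length, verify the type) and the "escape before it reaches the database" rule can be written down as a small gate that every order record passes through before an INSERT. The following is an added example, not code from the original thread or from MySQL AB; the field names, lengths and the in-memory SQLite table are constructed assumptions standing in for the poster's MySQL schema (the DB-API parameter binding works the same way, with `%s` placeholders instead of `?` under MySQLdb).

```python
import re
import sqlite3

# Constructed field rules for an order record (example schema, not from the
# original message): field name -> (maximum length, kind of field).
FIELD_RULES = {
    "customer_name": (60, "line"),
    "email": (80, "line"),
    "quantity": (6, "numeric"),
    "card_last8": (8, "numeric"),
    "note": (200, "text"),
}


def clean_numeric(value, max_len):
    """Drop every non-digit character, then cut at the specified length."""
    return re.sub(r"[^0-9]", "", str(value))[:max_len]


def clean_line(value, max_len):
    """Strip CR/LF from a one-line field, then cut at the specified length."""
    return str(value).replace("\r", "").replace("\n", "")[:max_len]


def clean_text(value, max_len):
    """Multi-line text: normalise line endings, drop other control chars, cut."""
    text = str(value).replace("\r\n", "\n").replace("\r", "\n")
    text = re.sub(r"[^\x20-\x7e\n]", "", text)
    return text[:max_len]


CLEANERS = {"numeric": clean_numeric, "line": clean_line, "text": clean_text}


def clean_record(raw):
    """Apply each field's rule; fields not listed in FIELD_RULES are discarded.

    Raises ValueError when a numeric field is empty after cleaning, so a
    request that carried no usable digits never reaches the database.
    """
    cleaned = {}
    for name, (max_len, kind) in FIELD_RULES.items():
        cleaned[name] = CLEANERS[kind](raw.get(name, ""), max_len)
        if kind == "numeric" and cleaned[name] == "":
            raise ValueError("field %s has no digits" % name)
    cleaned["quantity"] = int(cleaned["quantity"])
    if cleaned["quantity"] <= 0:
        raise ValueError("quantity must be positive")
    return cleaned


def open_store():
    """In-memory SQLite stands in for the MySQL back end in this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_name TEXT, "
        "email TEXT, quantity INTEGER, card_last8 TEXT, note TEXT)"
    )
    return conn


def store_order(conn, raw):
    """Clean the request, then insert with bound parameters rather than
    string concatenation, so the driver does the quoting of special
    characters (MySQLdb uses %s placeholders where sqlite3 uses ?)."""
    rec = clean_record(raw)
    cur = conn.execute(
        "INSERT INTO orders (customer_name, email, quantity, card_last8, note) "
        "VALUES (?, ?, ?, ?, ?)",
        (rec["customer_name"], rec["email"], rec["quantity"],
         rec["card_last8"], rec["note"]),
    )
    return cur.lastrowid


def demo():
    """Constructed request with an apostrophe, embedded CR/LF and junk in a
    numeric field; returns the row exactly as it was stored."""
    raw = {
        "customer_name": "O'Brien\r\nBcc: someone",
        "email": "obrien@example.test",
        "quantity": "3 pcs",
        "card_last8": "1234-5678",
        "note": "Leave at\r\nfront desk",
        "is_admin": "1",  # unknown field: dropped by clean_record
    }
    conn = open_store()
    row_id = store_order(conn, raw)
    return conn.execute(
        "SELECT customer_name, quantity, card_last8, note FROM orders WHERE id = ?",
        (row_id,),
    ).fetchone()


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the apostrophe surviving intact (the parameter binding handles it), the CR/LF removed from the one-line name, the quantity reduced to the integer 3, and the unknown `is_admin` field silently dropped; a request whose numeric field contains no digits at all is rejected with `ValueError` before any SQL is built.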