On Tue, Jun 30, 2009 at 11:00 AM, CarSign<[email protected]> wrote:
> I am needing to store sensitive data like a Social Security Number in our
> database that will be used by our web application.
>
> Should the data be encrypted by PHP before it is passed to mysql OR should it
> be encrypted by mysql OR should I encrypt in both places so that it is double
> encrypted?

It depends on why you need to store the data.

1. Are you absolutely sure you need to store the data at all?
2. Need to store the data for user's eyes only.
   Look into using mcrypt or openssl functions to encrypt the data
   using the user's own password/secret key. Then you can only decrypt
   it when the user requests the data.
3. Need to store the data for multiple users' eyes.
   Look into encrypting the data using multiple keys, possibly openssl or pgp.

Just be a bit careful as your business may have different requirements
based on industry, laws, etc.

Best bet always is #1 if possible.

--lonnie
_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
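
Added example, not part of the original message: one way to implement option 2 of the reply with PHP's openssl functions (mcrypt was removed from PHP core in 7.2), deriving an AES-256-GCM key from the user's password with PBKDF2 so the stored value can only be decrypted when the user supplies that password. The function names, the iteration count, the storage layout and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration: names, layout and sample values are constructed, not from the thread.
const CIPHER         = 'aes-256-gcm';
const KDF_ITERATIONS = 600000; // assumption: tune to your hardware and policy
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// Derive a 32-byte AES key from the user's password (PBKDF2-HMAC-SHA256, raw output).
function derive_key(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
}

// Encrypt in PHP before the value reaches MySQL. A fresh salt and IV are generated
// per record and stored next to the ciphertext; neither is secret.
function encrypt_for_user(string $plaintext, string $password): string
{
    $salt = random_bytes(SALT_LEN);
    $iv   = random_bytes(IV_LEN);
    $tag  = '';
    $ct   = openssl_encrypt($plaintext, CIPHER, derive_key($password, $salt),
                            OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Layout: salt | iv | tag | ciphertext, base64 so it fits a text column.
    return base64_encode($salt . $iv . $tag . $ct);
}

// Returns the plaintext, or null when the password is wrong or the record was modified
// (GCM tag verification fails in both cases).
function decrypt_for_user(string $stored, string $password): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < SALT_LEN + IV_LEN + TAG_LEN) {
        return null;
    }
    $salt = substr($raw, 0, SALT_LEN);
    $iv   = substr($raw, SALT_LEN, IV_LEN);
    $tag  = substr($raw, SALT_LEN + IV_LEN, TAG_LEN);
    $ct   = substr($raw, SALT_LEN + IV_LEN + TAG_LEN);
    $pt   = openssl_decrypt($ct, CIPHER, derive_key($password, $salt),
                            OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed sample values: a placeholder SSN and a made-up password.
$stored = encrypt_for_user('000-00-0000', 'correct horse battery staple');
var_dump(decrypt_for_user($stored, 'correct horse battery staple'));
var_dump(decrypt_for_user($stored, 'not the password'));
```

Because the key comes from the password, a password change means decrypting with the old password and re-encrypting with the new one, and a forgotten password leaves the stored value unrecoverable.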