
What is the best way to store sensitive data in a MySQL db using PHP? I don't need a hash, I need encryption. Is something like this ok?

```php
function encrypt($text,$key){
    // ECB mode uses no IV, so the mcrypt_create_iv() call has no effect on the output
    return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))));
}

function decrypt($text,$key){
    // trim() strips the null-byte padding mcrypt adds (and any real trailing whitespace in the plaintext)
    return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($text), MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)));
}
```

If so, where is the best place to keep the key?


Yeah, and major companies have good lawyers and a lot of money.

 

Anyway, here you go:

https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

 

Why do you need to store it anyway? You're just asking for trouble. Might as well let the well-renowned payment gateways do it.

Are your servers in a secured location where the only people that have physical access to them are specific employees of yours that you trust (not the cleaning crew) and where the only administrative access is through a local terminal that is equally secured? If so, then you might have a chance of satisfying your agreement with your merchant account provider. Your agreement with your CC processor will specify where, how, and with what level of security and encryption you may store CC numbers electronically without violating that agreement. It would be much better, easier, and less costly to arrange for such information to only be stored in the merchant account provider's secure servers.

Be careful nesting encryption like that - it can lead to the probability of MORE collisions rather than less. Personally, I encrypt using MySQL's AES_ENCRYPT / DES_ENCRYPT.

 

This is done in a class, and the file that class is in is encoded with ionCube, so the keys I use wouldn't be instantly available should someone get hold of that file. Get a notification if that file has been accessed or FTP'd or whatever - by the time they have decoded the file you should have updated your key and the fields dependent on it...

 

the cost of security is eternal vigilance!!!!!!
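As an added example (not code from this thread), here is how the original question could be answered with the PHP OpenSSL extension instead of mcrypt: a random IV per stored value, an authentication tag so altered rows fail to decrypt, and the key loaded from an environment variable (APP_FIELD_KEY is an assumed name) rather than kept next to the data.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.1 with the OpenSSL extension.
// AES-256-GCM: unlike the ECB mode in the original post, each value gets a fresh IV
// and the ciphertext is authenticated, so tampering is detected on decrypt.

const CIPHER = 'aes-256-gcm';

// The key never lives in the database or in web-served code. Here it comes from an
// environment variable (hypothetical name) holding 32 random bytes, hex-encoded.
function loadKey(): string
{
    $hex = getenv('APP_FIELD_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('APP_FIELD_KEY must be 64 hex chars (32 bytes)');
    }
    return hex2bin($hex);
}

// Returns base64(iv || tag || ciphertext), suitable for a VARBINARY/TEXT column.
function encryptField(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);          // fresh nonce for every value stored
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Returns the plaintext, or throws if the stored value was altered or the key is wrong.
function decryptField(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('stored value is malformed');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('decryption failed: bad key or tampered data');
    }
    return $pt;   // no trim(): the exact plaintext comes back
}

// Usage with a prepared statement (table and column names are hypothetical):
// $stmt = $pdo->prepare('INSERT INTO customer (id, secret) VALUES (?, ?)');
// $stmt->execute([$id, encryptField($secret, loadKey())]);
```

Because the IV and tag are stored with each value, two rows holding the same plaintext produce different ciphertexts, which is the property ECB lacks.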
