
Application & Mysql Database Security


jonnyo


I am building an application that is for holding my clients' customer data and I have some questions regarding security. I realize that I have to get a security certificate, so that is not the question. I am authenticating data before it is sent to the server, and the only form of submission is using JavaScript after everything has been validated. So, I believe on the input side of things that I am OK. I do have some questions regarding storing that data, and data structure.

 

1. I wonder though, since not all devices support security certs, if I should implement an encryption with javascript on the client end first. So at least the data in transit is not easily readable?

 

2. An N-tiered system is not currently in the budget, so I was considering encrypting the client customer data fields in the database. The problem though is that the customer still needs to actively work with the data and the application will need to support joins from perhaps even hundreds or thousands of records per client. While I will not be storing credit cards, the customer information per client information is quite valuable.

 

Any suggestions on security and encryption of data? Also, the way I have set this up thus far is all client customers in one table with joins. Should this perhaps be done differently?

 

Thank you


Assuming you're sending via HTTPS (or some other SSL-aware protocol), you don't have to worry about the data "in transit".  That, of course, includes MySQL.

 

Protecting the data in the database on the server side is a bit different.  Assuming you're the only one with shell access, and you've locked down the box properly, you don't have to worry about localhost vectors.  That leaves you with the user accounts that you use to connect to MySQL from the server (hopefully localhost or private network).

 

MySQL does support AES encryption.
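
The following is an added example, not part of either post above: one way to use MySQL's AES functions on a sensitive column while keeping the join columns in plaintext so that indexed joins still work. The table names, column names and key value are hypothetical, and it assumes MySQL 5.7 or later.

```sql
-- Added example; schema, names and key are constructed for illustration.
-- AES-256-CBC needs an explicit IV; the default mode (aes-128-ecb) does not use one.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- Constructed 32-byte placeholder key. Assumption: the application supplies
-- the real key per session from outside the database; it is never stored in a table.
SET @k = UNHEX('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f');

CREATE TABLE client (
  client_id INT UNSIGNED PRIMARY KEY,
  name      VARCHAR(100) NOT NULL
);

CREATE TABLE customer (
  customer_id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  client_id   INT UNSIGNED NOT NULL,    -- plaintext: joins and indexes use this
  iv          BINARY(16) NOT NULL,      -- per-row random IV, not secret
  email_enc   VARBINARY(256) NOT NULL,  -- ciphertext, padded to 16-byte blocks
  KEY idx_client (client_id),
  FOREIGN KEY (client_id) REFERENCES client (client_id)
);

INSERT INTO client VALUES (1, 'Example Client A'), (2, 'Example Client B');

-- Encrypt on write, with a fresh IV for every row.
SET @iv = RANDOM_BYTES(16);
INSERT INTO customer (client_id, iv, email_enc)
VALUES (1, @iv, AES_ENCRYPT('alice@example.com', @k, @iv));

SET @iv = RANDOM_BYTES(16);
INSERT INTO customer (client_id, iv, email_enc)
VALUES (2, @iv, AES_ENCRYPT('bob@example.com', @k, @iv));

-- The join runs on the unencrypted ids; only the selected rows are decrypted.
SELECT c.name,
       cu.customer_id,
       CAST(AES_DECRYPT(cu.email_enc, @k, cu.iv) AS CHAR) AS email
FROM client AS c
JOIN customer AS cu ON cu.client_id = c.client_id
WHERE c.client_id = 1;

-- What a reader of the table sees without the key: opaque bytes.
SELECT customer_id, HEX(email_enc) AS stored_value FROM customer;
```

Because each row has its own IV, equal plaintexts produce different ciphertexts, so an encrypted column cannot itself be used in a join or an indexed equality search. The key and plaintext are passed as statement arguments, so they can appear in any MySQL log the statements are written to and travel in cleartext unless the connection uses TLS.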

 

 
