
DB and Code Security Question


PHPDude


Hello Everyone,

My company currently offers a solution based on the LAMP stack to clients who will install the entire stack including our software on their server. Because of the costs associated with purchasing and deploying our software, we are looking to ease customer burden by offering our software to clients as a hosted service. But in transitioning our software we ran into a problem and I'm hoping someone can give me some clues on how to solve it.

Since the hosted application will be on a shared server, security is an absolute must (this application also falls under HIPAA regulations). What we need to do is encrypt the information in the database (MySQL) but still have it accessible to properly authenticated users. That way, if our server is hacked, the data is safe as it's encrypted.

How can I go about implementing this in the real world? Is it even possible?

Thanks,
Anthony Papillion

I'm not really the expert on this but...

Zend offers "Zend encoder" (Zend Guard). You'll have to use a host that supports it. Also place your library files outside of your publishing directory. That should protect your code. There are companies that provide better protection, but you'll probably pay for the difference. There aren't that many hosts employing their software.

http://palisade.plynt.com/issues/2005Jun/database-encryption/

General recommendations for protecting db data: only use a decryptable algorithm on something that needs to be fetched intact. Some identifying properties (like passwords) only need to be COMPARED, not decrypted. Use an uncompromised hash algorithm like SHA256, currently bundled with PHP.

Next, choose a decryptable algorithm to encrypt all data at application level. That way the data is sent encrypted over the network. The mcrypt extension provides you with quite some algorithms to choose from. Again, your host has to support it.

Hope that helps a little.
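The following is an added example, not code from either post in this thread, showing the two recommendations above (hash what only needs comparing, encrypt at the application layer what must be read back) applied to the asker's shared-host, HIPAA-style scenario. It uses PHP's built-in password_hash() and openssl_encrypt() rather than the mcrypt extension the reply mentions, since mcrypt was removed from PHP core in 7.2. The loadDataKey() function, the column names and the patient record are constructed for the demo; in a real deployment the key would come from a secrets store or environment variable outside the web root and outside the database.

```php
<?php
// Added example (not from the original thread). Demonstrates:
//   1. password_hash()/password_verify() for values that only need comparison
//   2. openssl_encrypt() with AES-256-GCM for fields that must be read back,
//      so a copy of the database alone does not reveal the data.
declare(strict_types=1);

// Hypothetical key loader: stands in for a secrets store. The key is
// generated per process here only so the demo runs stand-alone.
function loadDataKey(): string {
    static $key = null;
    if ($key === null) {
        $key = random_bytes(32);   // 256-bit key, constructed for the demo
    }
    return $key;
}

// --- 1. Passwords: hash, never encrypt ---------------------------------
function hashPassword(string $plain): string {
    // bcrypt with a per-password salt; fits in VARCHAR(255)
    return password_hash($plain, PASSWORD_BCRYPT);
}

function checkPassword(string $plain, string $stored): bool {
    return password_verify($plain, $stored);
}

// --- 2. Data fields: authenticated encryption at the application layer ---
// Returns one string safe to store in a TEXT column: base64(iv || tag || ct)
function encryptField(string $plaintext, string $aad = ''): string {
    $iv  = random_bytes(12);              // 96-bit nonce, unique per record
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', loadDataKey(),
                           OPENSSL_RAW_DATA, $iv, $tag, $aad, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function decryptField(string $stored, string $aad = ''): string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', loadDataKey(),
                           OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($pt === false) {
        // Wrong key, tampered row or AAD mismatch: GCM refuses to return
        // anything rather than handing back garbage.
        throw new RuntimeException('decryption failed: integrity check did not pass');
    }
    return $pt;
}

// --- Demo with a constructed patient record ----------------------------
$patientId = 'P-0001';            // constructed sample identifier
$row = [
    'patient_id'    => $patientId,
    'password_hash' => hashPassword('correct horse battery staple'),
    // Bind the ciphertext to the row id via AAD, so a ciphertext copied
    // from another row fails to decrypt here.
    'diagnosis'     => encryptField('Type 2 diabetes mellitus', $patientId),
];

var_dump(checkPassword('correct horse battery staple', $row['password_hash']));
var_dump(checkPassword('wrong', $row['password_hash']));
echo decryptField($row['diagnosis'], $patientId), PHP_EOL;

try {
    decryptField($row['diagnosis'], 'P-0002');  // swapped row id: AAD mismatch
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two design points worth noting for the shared-host case. First, the protection only holds if the key lives somewhere the database dump does not: an attacker who gets the MySQL data files but not the application's key material sees only ciphertext, which is the property the asker is after. Second, GCM's authentication tag plus the row id as associated data means a tampered or transplanted row is rejected on read instead of silently decrypting to wrong data; for passwords, bcrypt is used here instead of a bare SHA256 because it is salted and deliberately slow, which matters once the hash column itself is in the attacker's hands.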
