ChenXiu
Posted April 23, 2021

I have an ecommerce site on a shared hosting environment. My ecommerce site stores customer data (name, address, email, phone, and item purchase) in a MySQL database. (No super private data like credit card numbers or social security numbers.)

Using openssl (openssl_cipher, iv, etc.), I've been encrypting this customer data and storing the encrypted data in MySQL. Today, I'm thinking "what's the point." It's like having a lockbox with the key on the wall above...

My thoughts:

1. The "secret cyphers" are located on my server, so if someone hacks my server, they'll get the secret cyphers anyway.
2. Encrypting the Customer Data will add, at the most, 5 extra minutes, for the hacker to find.
3. Perhaps if MySQL was stored on a different server, encrypting may be useful... but MySQL is on the same server.
4. On the flipside, if I did get hacked, at least I could demonstrate I tried my best to encrypt what I could...

What do you all think? Sorry for my bad English. I am not from around these parts.

requinix
Posted April 23, 2021

Most "hacks" are people gaining access to a database by way of SQL injection. Encryption would help because they can't get the encryption key - just the data.

Of course the problem with encryption is that if you lose your key then you lose everything. Irrevocably. Plus the obvious drawbacks of having to encrypt and decrypt stuff all the time.

Shared hosting is itself a risk, too. Can you move off it? Besides the dedicated environment being more secure, you can also mitigate SQL injection attacks by moving the database off to another server - one not exposed to the internet - and on this same server you also put a simple webservice that gets and stores customer data. Essentially, you make API calls to yourself when you need that data.
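
Added example, not part of either post: the reply's point that a SQL injection reaches the stored data but not the key, shown as field encryption where MySQL only ever receives ciphertext. It goes slightly beyond the thread by also binding each value to its row and column. Assumptions: PHP 8 with the openssl extension, AES-256-GCM as the cipher, and the hypothetical names `CUSTOMER_DATA_KEY`, `loadKey`, `encryptField` and `decryptField`.

```php
<?php
declare(strict_types=1);

// Assumption: the 32-byte key is supplied base64-encoded in an environment
// variable (hypothetical name CUSTOMER_DATA_KEY) set outside the database,
// so a SQL injection that dumps tables never sees it.
function loadKey(): string
{
    $key = base64_decode((string) getenv('CUSTOMER_DATA_KEY'), true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('CUSTOMER_DATA_KEY must be 32 bytes, base64-encoded');
    }
    return $key;
}

// Returns base64(nonce || tag || ciphertext), the only value written to MySQL.
// $context (e.g. "customers.email:42") is authenticated but not stored, so a
// value copied into another row or column fails to decrypt.
function encryptField(string $plaintext, string $context, string $key): string
{
    $nonce = random_bytes(12); // fresh per value; never reuse with the same key
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $context, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

function decryptField(string $stored, string $context, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16), $context);
    if ($pt === false) {
        throw new RuntimeException('wrong key, wrong context, or tampered data');
    }
    return $pt;
}

// Constructed sample data; the key is generated here only so the script runs stand-alone.
putenv('CUSTOMER_DATA_KEY=' . base64_encode(random_bytes(32)));
$key = loadKey();
$stored = encryptField('jane@example.test', 'customers.email:42', $key);
echo "column value: $stored\n";
echo decryptField($stored, 'customers.email:42', $key), "\n";
```

In a real deployment the key is generated once and backed up separately from the database, since losing it makes every stored value unrecoverable.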