What is more secure?

Encrypting data using PHP functions before sending it to the database (MySQL), or
encrypting directly in the database, using the encryption functions of the database
server?


$key = "this is a secret key";
$input = "Let us meet at 9 o'clock at the secret place.";
// mcrypt_ecb() takes a fourth argument giving the direction (encrypt or decrypt)
$encrypted_data = mcrypt_ecb(MCRYPT_AES, $key, $input, MCRYPT_ENCRYPT);
// the ciphertext is raw bytes, so it must be escaped before it goes into the query
$query = "insert into myTable (text) values ('" . mysql_real_escape_string($encrypted_data) . "')";

I think encrypting the data directly with PHP is better because the
information is sent to the database server already encrypted, but I'm not


Re: Security

On Tue, 09 May 2006 13:50:27 -0700, wrote:
I would hope for a given algorithm they are equally secure...

Either way you have to have the key in the script, so I'd say whichever
takes your fancy.

It then depends on if your database and PHP are on the same machine and if
not, how secure is the network between the two.



Andy Jeffries MBCS CITP ZCE   | gPHPEdit Lead Developer | PHP editor for Gnome 2 | Personal site and photos

Re: Security

What is your threat model?  What is the risk of someone listening
in on your PHP<-->DB connection?  (The DB and PHP are often on the
same host, or if not, on the same LAN).  Does the DB log queries?
Where are the DB backups kept?

Then again, if the DB and PHP are on the same host, and the thief
steals the whole host, he's got both the encrypted data and the
key, with either setup.

If the threat model is only someone tapping the connection between
PHP and the database, but not breaking into either server, I think
you're right.  But I'm not so sure that is a common threat model.

                        Gordon L. Burditt
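To make the difference in the threat model concrete, here is an added example (not code from any poster in this thread) showing what actually crosses the PHP<-->DB connection in each setup. It assumes PDO against MySQL, a key file outside the web root at a hypothetical path, and uses openssl_encrypt rather than the original post's mcrypt, which is no longer part of PHP.

```php
<?php
// Added example, not from the original thread. Assumes MySQL reachable over
// PDO and a 32-byte random key stored at a hypothetical path outside the web
// root; the thread's literal "this is a secret key" is not a usable AES key.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$key   = file_get_contents('/etc/app/data.key'); // hypothetical path, 32 bytes
$input = "Let us meet at 9 o'clock at the secret place.";

// Option 1: encrypt in PHP. Only IV, tag and ciphertext leave the web host;
// the DB server, its general query log and its backups never see the key
// or the plaintext. AES-256-GCM also authenticates the stored blob.
function encrypt_in_php(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);          // fresh nonce per record
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $iv . $tag . $ct;          // store IV || tag || ciphertext as one blob
}

function decrypt_in_php(string $blob, string $key): string|false
{
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    // returns false if the blob was tampered with or the key is wrong
    return openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
}

$stmt = $pdo->prepare('INSERT INTO myTable (text) VALUES (?)');
$stmt->execute([encrypt_in_php($input, $key)]);

// Option 2: encrypt in MySQL. Both the plaintext and the key travel to the
// server as query parameters, so anyone who can read the connection (if it
// is not TLS) or the general query log on the DB host captures them. Note
// that MySQL's AES_ENCRYPT defaults to AES-128 in ECB mode unless
// block_encryption_mode is changed.
$stmt = $pdo->prepare('INSERT INTO myTable (text) VALUES (AES_ENCRYPT(?, ?))');
$stmt->execute([$input, $key]);

// Reading option 1 back: decryption happens in PHP, so the key still never
// reaches the database.
$blob = $pdo->query('SELECT text FROM myTable ORDER BY id ASC LIMIT 1')->fetchColumn();
$plain = decrypt_in_php($blob, $key);
```

Either way the key has to live on the web host, as Andy points out; the example only changes whether it also reaches the database host, its logs and its backups.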

Re: Security wrote:

I would say, theoretically, performing the encryption is safer on the
database, as PHP runs in a more vulnerable user account.  The database
server is typically protected by a firewall, whereas the web server is
open to the Internet.

