Posted on May 9, 2006, 8:50 pm
What is more secure?
Encrypt data using PHP functions before sending it to the database (MySQL), or
encrypt directly in the database, using the encryption functions of the database?
$key = "this is a secret key";
$input = "Let us meet at 9 o'clock at the secret place.";
$encrypted_data = mcrypt_ecb (MCRYPT_AES, $key, $input,
$query = "insert into myTable (text)
I think encrypting data directly with PHP is better because the
information is sent directly encrypted to the database server, but I not
I would hope for a given algorithm they are equally secure...
Either way you have to have the key in the script, so I'd say whichever
takes your fancy.
It then depends on if your database and PHP are on the same machine and if
not, how secure is the network between the two.
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos
What is your threat model? What is the risk of someone listening
in on your PHP<-->DB connection? (The DB and PHP are often on the
same host, or if not, on the same LAN). Does the DB log queries?
Where are the DB backups kept?
Then again, if the DB and PHP are on the same host, and the thief
steals the whole host, he's got both the encrypted data and the
key, with either setup.
If the threat model is only someone tapping the connection between
PHP and the database, but not breaking into either server, I think
you're right. But I'm not so sure that is a common threat model.
Gordon L. Burditt
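
The two setups compared in this thread, as an added example that is not code from any of the posters: it shows what the database server receives when the field is encrypted in PHP versus when MySQL's AES_ENCRYPT() does the work. It uses AES-256-GCM from PHP's openssl extension rather than the mcrypt call in the question (mcrypt was removed from PHP core in 7.2); the helper names encrypt_field/decrypt_field and the inline random key are assumptions for illustration.

```php
<?php
// Added example: application-side field encryption with AES-256-GCM.
// encrypt_field()/decrypt_field() are hypothetical helper names.

function encrypt_field(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);   // fresh 96-bit nonce for every value
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);   // nonce | 16-byte tag | ciphertext
}

function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
                          OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('authentication failed: wrong key or modified data');
    }
    return $pt;
}

// Constructed sample key; assumed to be loaded from outside the database in practice.
$key   = random_bytes(32);
$input = "Let us meet at 9 o'clock at the secret place.";

// What the database server receives in each setup from the thread.
$app_side = ['INSERT INTO myTable (text) VALUES (?)', [encrypt_field($input, $key)]];
$db_side  = ['INSERT INTO myTable (text) VALUES (AES_ENCRYPT(?, ?))', [$input, '<key>']];

echo "PHP-side encryption sends:   ", $app_side[1][0], "\n";
echo "MySQL-side encryption sends: ", $db_side[1][0], " plus the key\n";

// Round trip, then flip one bit of the stored value to show tampering is detected.
$stored = $app_side[1][0];
echo "decrypted: ", decrypt_field($stored, $key), "\n";
$raw = base64_decode($stored);
$raw[30] = chr(ord($raw[30]) ^ 1);
try {
    decrypt_field(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo "tampered value rejected: ", $e->getMessage(), "\n";
}
```

In both setups the key still lives with the PHP application, which is the point made in the replies: the difference is only whether the plaintext and key also cross the PHP-to-database connection.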