#1
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2000
    Posts
    4
    Rep Power
    0
    Hi Folks,

    I run a php/mysql site on a virtual server. I store some user info in my mysql database. I'd like to protect my users' details from my host, is this possible?

    I'm guessing not, since I don't have root mysql access, and my db username and password are lying about in all my scripts.

    However, it would be great if there was something I could do.

    Any ideas, anyone?
  2. #2
    Gödelian monster
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Jul 1999
    Location
    Central Florida, USA
    Posts
    2,307
    Rep Power
    62
    I don't have the specifics for you, but it should be possible to encrypt the data, and have the decryption key be entered from an HTML form to view or enter data. Bear in mind that to be truly secure, the form should be accessed from https:// (secure server), but at least this will keep those with direct access to your database from browsing the tables.
  4. #3
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2000
    Posts
    4
    Rep Power
    0
    Hi,

    Thanks for replying.
    I don't think I need an SSL connection, because all the user enters is an email address, however I would hate for anyone to walk off with the email addresses I have of all my subscribers.

    Because I want anyone and everyone to be able to add to the database and some cron jobs to deal with the data, I don't think I'll be able to use encryption of the data to provide any real level of security.

    I guess I was hoping for some sort of MySQL protection I could set on the tables to deny root access. But I guess root could always change that anyway...

    I'm guessing it comes down to trust. And I *do* trust my host. However, I don't think that would be enough to get any independent "Your data is safe on this site" certification.

    Bummer. :/

    Thanks again for taking a stab at this!
  6. #4
    Gödelian monster
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Jul 1999
    Location
    Central Florida, USA
    Posts
    2,307
    Rep Power
    62
    You can disregard part 2 of my answer. People don't need to enter an encryption key to *enter* the data, you would just have the MySQL INSERT encrypt data after the form is submitted. The only drawback is users would not be able to edit their existing data without an encryption key, but you can always just have them enter a new record.

    Your viewing and exporting the data is the only thing that would need an encryption key.
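
The split described in post #4 (anyone can add a record, only the owner can read it back) can be done with public-key encryption, so that the hosted scripts hold nothing that decrypts. This is an added example, not code from the thread; it assumes PHP 7.2+ with the sodium extension, the helper names `seal_email` and `open_email` are hypothetical, and the sample address is constructed.

```php
<?php
// --- One time, on a machine the host cannot reach --------------------------
// Only the public half is ever uploaded; the keypair stays off the server.
// (Generated inline here only so the example runs as a single script.)
$keypair   = sodium_crypto_box_keypair();
$publicKey = sodium_crypto_box_publickey($keypair);

// --- On the hosted server: signup script -----------------------------------
// Seals the address to the public key. Nothing stored on the server can
// reverse this. Output is randomized, so equal addresses give different
// ciphertexts and cannot be compared or de-duplicated in SQL.
function seal_email(string $email, string $publicKey): string
{
    return base64_encode(sodium_crypto_box_seal($email, $publicKey));
}

// --- Off the host: export / mailing job ------------------------------------
// Opens a stored value with the full keypair. Fails closed on a wrong key
// or a row that was modified in the database.
function open_email(string $stored, string $keypair): string
{
    $sealed = base64_decode($stored, true);
    if ($sealed === false) {
        throw new RuntimeException('stored value is not valid base64');
    }
    $plain = sodium_crypto_box_seal_open($sealed, $keypair);
    if ($plain === false) {
        throw new RuntimeException('cannot decrypt: wrong key or altered row');
    }
    return $plain;
}

// Constructed sample data.
$stored = seal_email('subscriber@example.com', $publicKey);
echo "value for the INSERT: $stored\n";
echo "read back off-host:   " . open_email($stored, $keypair) . "\n";

// Someone browsing the tables without the private key gets nothing usable.
$otherKeypair = sodium_crypto_box_keypair();
try {
    open_email($stored, $otherKeypair);
} catch (RuntimeException $e) {
    echo "without the key:      " . $e->getMessage() . "\n";
}
```

This covers stored rows only: whoever controls the server can still read an address as it is submitted, before it is sealed, or alter the signup script. Any job that needs the plaintext has to run where the private key is kept, not on the host.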
  8. #5
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2000
    Posts
    4
    Rep Power
    0

    Unfortunately, I do little with this system by hand. Most of the work is done by cron jobs, the scripts for which will need access to the decryption key. So, for any determined person with access to my server, the keys would be there for him.

    Like I say, I don't think this can be done... but I figgered it was worth asking.

    And thanks again for your time,

    I do appreciate it!

    Boogie
  10. #6
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 1999
    Posts
    12
    Rep Power
    0
    Well if u *really* want to encrypt your data with relative security I suppose you can look up the TEA encryption algo. (really fast and small, couple of lines of code) and just write a small C program that implements it, then hard code the key in the encrypt. and decrypt. program, of course root would be able to just use a hex editor to look up the passphrase but it's a bit of an overkill I think.
