0

I have a PHP function that any other function on my server goes to to connect to a global MySQL database:

    function connect_to_mysql_db() {
        $con = mysql_connect("localhost", "user_name", "password");
        if (!$con) {
            die('Could not connect: ' . mysql_error());
        }
        mysql_select_db("db_name", $con);
    }

The file which holds this function, as well as most of the others, is located in the following location on my BlueHost server:

/home3/username/includes/scripts.php

The database currently holds only one table with a list of email addresses (those of my subscribers...). I just want to know if the database is secure (for the sake of my subscribers).

If not, does anyone have any other ideas (encryption?). I know HASHING won't work because that is usually 1-way...

EDIT

FYI: The /includes/ directory is not /public_html/

CONCLUSION

Thank you to all who helped me, but I decided that there are just too many liabilities for no good reason, so I will not be storing anything secure in a database. Instead, I will use external services!

Cheers!

3
  • 1
    Do you want to know whether connecting to a database the way you currently do it is secure? Commented Jul 14, 2012 at 19:56
  • 1
    I don't think you understand what "security" means. Commented Jul 14, 2012 at 19:57
  • 1
    Well, security does not depend on a single factor. Your script, that holds the credentials to your database, might be perfectly secure when inspected separately. But any single vulnerability in your system can undermine the whole security and pose a threat to the data that is stored in it. Commented Jul 14, 2012 at 20:03

3 Answers

2

I don't think this will give you any additional security. If someone hacks your server, reads the scripts to get the database credentials, logs into mysql, reads the mail addresses and gets only encrypted data, he will probably take a second look into the scripts for the decryption key...

So, I think this is not going to make it way more secure. You better focus on writing a secure environment to prevent any access to the server ;-)


1

I think it's secure enough. Anyway if you want more, try something like this:

    $crypted = openssl_encrypt('myemail', 'AES256', 'mypass');

and then

    $decrypted = openssl_decrypt($crypted, 'AES256', 'mypass');

Reference here.
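The calls above pass a password string as the key and no IV. As an added example that is not part of the original answer, the same idea with AES-256-GCM, a random 32-byte key and a fresh nonce per record; the function names and the `EMAIL_ENC_KEY` environment variable are assumptions. As the first answer points out, none of this helps once an attacker can read the key as well as the database.

```php
<?php
// Added example, not from the original answers. EMAIL_ENC_KEY is a hypothetical
// environment variable holding a base64-encoded 32-byte key, set outside the code.
const CIPHER = 'aes-256-gcm';

function load_key(): string {
    $b64 = getenv('EMAIL_ENC_KEY');
    $key = ($b64 === false) ? false : base64_decode($b64, true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('EMAIL_ENC_KEY must be a base64-encoded 32-byte key');
    }
    return $key;
}

function encrypt_email(string $email, string $key): string {
    $nonce = random_bytes(12);   // fresh 96-bit nonce for every record
    $tag = '';
    $ct = openssl_encrypt($email, CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);   // fits a TEXT/VARCHAR column
}

function decrypt_email(string $stored, string $key): string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= 28) {   // 12-byte nonce + 16-byte tag
        throw new RuntimeException('malformed ciphertext');
    }
    $pt = openssl_decrypt(substr($raw, 28), CIPHER, $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {   // wrong key or modified data: the GCM tag check failed
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Constructed sample run with a throwaway key (production code would call load_key()).
$key = random_bytes(32);
$stored = encrypt_email('subscriber@example.com', $key);
var_dump(decrypt_email($stored, $key) === 'subscriber@example.com');

$bytes = base64_decode($stored);
$bytes[30] = chr(ord($bytes[30]) ^ 1);   // flip one bit inside the ciphertext
try {
    decrypt_email(base64_encode($bytes), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;      // tampering is rejected, not decrypted
}
```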


-2

You could AES encrypt the email addresses. ie:

$query = "INSERT INTO (table) AES_ENCRYPT('$email', '$salt')..."

To get the email back in normal text:

$query = "SELECT AES_DECRYPT(email, '$salt') FROM (table) WHERE 1..."

$salt would be a randomly generated key that you put into the variable.

The column in your database table needs to be a blob.

8 Comments

Tip: php side encryption allows 256 bit AES, mysql side only 128.
2 Things: 1) Do I have to define '$salt'? 2) What is a blob? Thanks!!! I'm a n00b!
ALSO I have an ID column so how would I do the INSERT statement?
I also have seen one way encrypt, I don't know if it's better or worse, but it's another solution
@StevenBuick A salt and an encryption key are not the same. A salt is used to make the input of a hashing function unique and is not a secret while an encryption key is to be kept secret as, well, it’s the key to the encryption.