[英]How can I store sensitive data securely in a MySQL database?
I am making an employment application for a company I am working for. 我正在为我工作的公司提出求职申请。 I've got it to protect against SQL injection and some XSS techniques.
我已经有了它来防止SQL注入和一些XSS技术。 My main issue is keeping sensitive information secured, like SSN and address, because the company needs that to make 1099 forms for the salesmen's taxes.
我的主要问题是保护敏感信息,例如SSN和地址,因为公司需要为销售人员的税收制作1099个表格。
I don't know how to do this part, but should I encrypt everything and then decrypt it when it gets into the MySQL database? 我不知道如何做这个部分,但是我应该加密一切,然后当它进入MySQL数据库时解密它?
This is an overly simplified answer and should be taken with a grain of salt, as most answers about security: 这是一个过于简化的答案,应该与大家一起考虑,因为大多数关于安全性的答案:
Use SSL everywhere. 到处使用SSL。
Use a secure encryption key 使用安全加密密钥
For storage of encrypted data, you could use a BLOB
field, and use MySQL's built in encryption functions . 对于加密数据的存储,您可以使用
BLOB
字段,并使用MySQL的内置加密功能 。 Example: 例:
update mytable set myfield = AES_ENCRYPT('some value', SHA2('your secure secret key', 512));
If you prefer to do the encryption/decryption in the application code, take a look at PHP's Mcrypt functions. 如果您更喜欢在应用程序代码中进行加密/解密,请查看PHP的Mcrypt函数。
This is by no means a complete guide, but it's a start and better than doing nothing. 这绝不是一个完整的指南,但它是一个开始,而不是什么都不做。
You may be able to learn more on https://security.stackexchange.com/ 您可以在https://security.stackexchange.com/上了解更多信息。
SQL query with key in it (as Wesley Murch suggests ) is not a good idea. 带有密钥的SQL查询(正如Wesley Murch 建议的那样 )并不是一个好主意。 If you do:
如果你这样做:
update mytable set myfield = AES_ENCRYPT('some value', 'your secure secret key');
... and the query gets logged (slowlog for inst.) your secure secret key is captured in plain text, which should never happen. ...并且查询被记录(inst的slowlog)你的安全密钥以纯文本形式捕获,这绝不应该发生。 Such a query with the secret key would be also visible when you run query like
SHOW PROCESSLIST
. 当您运行
SHOW PROCESSLIST
类的查询时,使用密钥的这种查询也是可见的。
Next problem where to store the secure key? 下一个问题在哪里存储安全密钥? In PHP file?
在PHP文件中? It is again plain text.
它再次是纯文本。
Encrypt data: 加密数据:
Use private/public key encryption ( http://en.wikipedia.org/wiki/Public-key_cryptography ). 使用私钥/公钥加密( http://en.wikipedia.org/wiki/Public-key_cryptography )。 PHP has quite good support for it.
PHP对它有很好的支持。
If you want to learn more, you can google "user controlled encryption" or "zero knowledge privacy". 如果您想了解更多信息,可以谷歌“用户控制加密”或“零知识隐私”。
SQL inserts / XSS: SQL插入/ XSS:
The best protection is secure app. 最好的保护是安全的应用程序。 No doubt.
毫无疑问。 If you want to secure it, you can use for inst PHP IDS to detect attacks: https://github.com/PHPIDS/PHPIDS
如果你想保护它,你可以使用PHP PHP IDS来检测攻击: https : //github.com/PHPIDS/PHPIDS
I have quite good experience with it. 我有很好的经验。
As implied in the comments, you are asking a huge question. 正如评论中暗示的那样,你提出了一个很大的问题。 You are going to need to research a number of separate issues:
您将需要研究一些单独的问题:
It would be hard to address all of them in one answer. 在一个答案中很难解决所有这些问题。 I would suggest performing some searches on this site for the topics mentioned above.
我建议在本网站上进行一些搜索,以了解上述主题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.