Hi Jeffrey,

On 7/13/05, Jeffrey <jeffreyb@xxxxxxxxxxx> wrote:
> Is it worth encrypting data on the database tables when anyone who can
> access the application itself - or better still the server - could
> readily access the encrypted data? Assuming SSL connections, secure
> server, etc, would you also encrypt on the DB?

What type of encryption do you mean?

For one-way encryption algorithms (widely employed to store passwords) the data can't be recovered (except by brute force attacks, a time- and resource-consuming process that can take forever).

For two-way encryption algorithms, the data has to be decrypted at some point for a "legitimate" controlled use. If the decryption process is done inside your web application code, then why wouldn't the attacker (assuming he/she has gained access to the server) read your source code to find out how to decrypt the data?

I haven't been through this before so this is just what I think about it.

-ahmed

--
PHP General Mailing List (http://www.php.net/)
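
The one-way versus two-way distinction discussed in this reply, as an added example that is not part of the original thread: a password stored as a hash that can only be checked, beside a field encrypted with a key that the application must hold and that therefore decrypts for anyone who obtains it. It assumes PHP 7.2+ with the sodium extension; the APP_DATA_KEY environment variable, the function names and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// One-way: only a salted hash is stored. It can be checked against a
// candidate password but never turned back into the password.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $candidate, string $storedHash): bool
{
    return password_verify($candidate, $storedHash);
}

// Two-way: whoever holds $key can recover the plaintext.
function encrypt_field(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('wrong key or tampered data');
    }
    return $plain;
}

// Assumption: the key is kept out of the source tree, in a hypothetical
// APP_DATA_KEY environment variable (base64). A fresh key is generated
// only so this demo runs without it.
$env = getenv('APP_DATA_KEY');
$key = is_string($env) ? base64_decode($env, true) : sodium_crypto_secretbox_keygen();
if (!is_string($key) || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
    throw new RuntimeException('APP_DATA_KEY must be 32 bytes, base64-encoded');
}

$hash = store_password('correct horse battery');       // constructed sample
var_dump(check_password('correct horse battery', $hash), check_password('guess', $hash));
$column = encrypt_field('constructed-account-number', $key);
echo decrypt_field($column, $key), PHP_EOL;
```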