PHP

Chris Howell
Python Web Development Techdegree Graduate 49,703 Points

PHP securing data

So I have googled this and found a ton of discussions; some agree and some disagree on the same PHP code.

So to the PHP experts in the house: if I have created a MySQL database and have code in a website or program that wants to store data by first encrypting it, then sending it to that database, or retrieve that data to validate for things like a password and/or decrypt it to display.

Example 1: Having a login form for a user to validate their account, which is stored in a database.

Example 2: Having profile information about a user encrypted in the database but having the PHP code decrypt the information to be able to display profile information on the page. In both cases a user would be able to change both information in each example.

But if their account was compromised or the database was compromised somehow, the hacker would not be able to make use of the data or be able to brute force it.

What commands should I research and what do I need to understand about the commands or MySQL to achieve this?

2 Answers

Randy Hoyt
STAFF
Treehouse Guest Teacher

You want to hash the passwords, which means encrypting them in such a way that you cannot recover the original. When you validate the passwords, you validate that the hashes are the same. You'll want to search for "hash" or "one way encryption" for more information.

With other data, you'll need to be able to decrypt it. Having the data encrypted in the database is important; if someone gets access to the database, either in production or a backup, they won't be able to read the data. You should definitely do it. It's not a silver bullet, though; since the web server needs to be able to decrypt the data, anyone with access to the web server will probably be able to get access to the decrypted data. The trick is really all in securing the key that you use for decrypting. You'll want to search for "php encryption" or something similar.

Does that help?
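The two cases from the answer above, as an added example that is not part of the original thread: passwords go through PHP's built-in `password_hash()` / `password_verify()`, and profile fields use libsodium's secretbox with the key kept outside the database. The function names and the `PROFILE_KEY` environment variable are assumptions made for illustration; PHP 7.2 or later with the bundled sodium extension is assumed.

```php
<?php
// Passwords: one-way hash. The salt, algorithm and cost are embedded in the
// returned string, so one VARCHAR(255) column holds everything needed.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $attempt, string $storedHash): bool
{
    return password_verify($attempt, $storedHash);
}

// Profile data: reversible authenticated encryption. The key comes from the
// web server's environment (PROFILE_KEY is an assumed name, base64-encoded),
// so a database dump or backup alone does not contain it.
function load_key(): string
{
    $key = base64_decode((string) getenv('PROFILE_KEY'), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('PROFILE_KEY missing or wrong length');
    }
    return $key;
}

function encrypt_field(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per value
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if ($raw === false || strlen($raw) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $plain = sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $key);
    if ($plain === false) { // row was modified, or the key is wrong
        throw new RuntimeException('Decryption failed');
    }
    return $plain;
}

// Constructed demo values; the key is generated in-process only for the demo.
$key  = sodium_crypto_secretbox_keygen();
$hash = hash_password('constructed-demo-password');
var_dump(check_password('constructed-demo-password', $hash), check_password('wrong', $hash));
var_dump(decrypt_field(encrypt_field('user@example.com', $key), $key));
```

In a real application `load_key()` replaces the in-process key, and the stored password hash is compared only through `check_password()`, never decrypted.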