Is there anyway in PHP to automatically encrypt and decrypt data to/from the database?
Right now, I'm using SSL and other security mesures to protect my application but data stored in the database is still in plain text. Is there anyway to automatically store it in encrypted form so that data isn't plain text anymore?
Encrypting for the sake of encrypting is useless. Databases are filled with non-sensitive information that doesn't need to be encrypted. Just make sure that your DB server is properly secured by a strong password and relevant firewall rules (to prevent outside access).
Encrypting everything would remove the ability to properly query the database as you would always have to query based on the encrypted form. So you can forget things like ORDER BY
(which would be meaningless) and easy WHERE
clauses.
That said, you still need to properly hash (bcrypt) your passwords AND secret answers (this is largely forgotten, unfortunately) and secure any sensitive data such as SSNs. That can be done manually in your Model class.
The reason why these informations are encrypted/hashed versus normal information is that in case of an SQL injection attacks, proper hashing makes it close to impossible for attackers to gain further access to the system (versus plain text passwords which can be then used to gain access to the service).
精彩评论