Database Security


m1a2x3x7
03-11-2008, 01:35 PM
A client wants to start storing personal information in a database, such as phone numbers and addresses, no SSN or CC numbers, but things he wants to make sure are as safe as possible without having to use an SSL.

Where is the best place to store your connection file to a database? Also, when you create a password for it, do you make the password strong, or does that matter since you have to display it in the database connection file?

What other means should I go through?

Thanks.

davidj
03-11-2008, 01:44 PM
you need to validate all input (escape all form data)

make your db connection strong and also have some password formatting (8 alphanumerics mix)

force change passwords after a time duration (30 days)

validate all the data

that's it really

additional...

create a custom connection account to your db and use that in your app. Don't use a generic one. The account should not have drop rights.
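The "validate all input" and "password formatting" points above, as an added example that is not code from the thread. It assumes a MySQL table `contacts(id, name, phone, address)` and a `mysqli` handle supplied by the app's own connection file; the function names are mine. Instead of escaping form data into the SQL text, it validates each field and then binds the values with a prepared statement, so the database driver keeps data and query separate.

```php
<?php
// Added example, not from the thread. Assumes a table
// contacts(id INT AUTO_INCREMENT, name VARCHAR(100), phone VARCHAR(20), address VARCHAR(255))
// and a mysqli handle ($db) created elsewhere by the app's connection file.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate and normalise the three fields the client wants to store.
 * Returns clean values or throws InvalidArgumentException on bad input.
 */
function validateContact(array $post): array
{
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }

    // Keep only digits and a leading "+", then require a sane length.
    $phone = preg_replace('/[^\d+]/', '', (string)($post['phone'] ?? ''));
    if (!preg_match('/^\+?\d{7,15}$/', $phone)) {
        throw new InvalidArgumentException('phone must be 7-15 digits');
    }

    $address = trim((string)($post['address'] ?? ''));
    if ($address === '' || mb_strlen($address) > 255) {
        throw new InvalidArgumentException('address must be 1-255 characters');
    }

    return ['name' => $name, 'phone' => $phone, 'address' => $address];
}

/**
 * davidj's "8 alphanumerics mix": at least 8 characters containing
 * both letters and digits. Applied to passwords users choose for the app.
 */
function passwordMeetsPolicy(string $password): bool
{
    return strlen($password) >= 8
        && preg_match('/[A-Za-z]/', $password) === 1
        && preg_match('/\d/', $password) === 1;
}

/**
 * Insert a validated contact with a prepared statement. The values are sent
 * separately from the SQL text, so there is no quoting to get wrong.
 */
function storeContact(mysqli $db, array $contact): int
{
    $stmt = $db->prepare('INSERT INTO contacts (name, phone, address) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $contact['name'], $contact['phone'], $contact['address']);
    $stmt->execute();
    $id = (int)$stmt->insert_id;
    $stmt->close();
    return $id;
}

// Usage from a form handler (hypothetical; $db comes from the connection file):
// $clean = validateContact($_POST);
// $newId = storeContact($db, $clean);
```

Validation happens before the data reaches the database and the prepared statement handles the quoting, so neither step depends on remembering to escape every field by hand.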

m1a2x3x7
03-11-2008, 02:48 PM
Not sure what you mean by custom connection account. Could you explain? Also, what would be a generic one?

davidj
03-11-2008, 02:52 PM
you have a connection page which connects to your db

the MySQL user account you use to do this should never be root or a copy of the root level

create one specifically for your app without drop rights
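The dedicated, limited account davidj describes, as an added example that is not from the thread. It is a one-off setup script run with an administrative connection; the names `contacts_db` and `app_user`, the admin credentials, and the function name are placeholders I chose. The account gets only row-level privileges on the app's database, so even if the web app is compromised it cannot drop or alter tables.

```php
<?php
// Added example, not from the thread. Run once by an administrator, not by
// the web app. Database/user names and admin credentials are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Create an application account limited to SELECT/INSERT/UPDATE/DELETE on one
 * database. No DROP, ALTER, CREATE, GRANT, FILE or SUPER. Returns the rows of
 * SHOW GRANTS so the result can be checked.
 */
function provisionAppAccount(mysqli $admin, string $dbName, string $user, string $password): array
{
    // Identifiers cannot be bound as parameters, so restrict them to a safe charset.
    foreach ([$dbName, $user] as $ident) {
        if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $ident)) {
            throw new InvalidArgumentException("unsafe identifier: $ident");
        }
    }
    $pw = $admin->real_escape_string($password);

    // 'localhost' limits the account to connections from the same host as MySQL.
    $admin->query("CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$pw'");
    $admin->query("GRANT SELECT, INSERT, UPDATE, DELETE ON `$dbName`.* TO '$user'@'localhost'");

    $grants = [];
    $result = $admin->query("SHOW GRANTS FOR '$user'@'localhost'");
    while ($row = $result->fetch_row()) {
        $grants[] = $row[0];
    }
    $result->free();
    return $grants;
}

// Usage (hypothetical admin connection and placeholder names):
// $admin = new mysqli('localhost', 'admin_user', 'ADMIN_PASSWORD_PLACEHOLDER');
// foreach (provisionAppAccount($admin, 'contacts_db', 'app_user', 'APP_PASSWORD_PLACEHOLDER') as $g) {
//     echo $g, PHP_EOL;  // expect the GRANT lines above, nothing broader
// }
```

The `SHOW GRANTS` output is the check: if a line mentions `ALL PRIVILEGES`, `DROP` or `GRANT OPTION`, the account is wider than the app needs.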

m1a2x3x7
03-11-2008, 03:08 PM
I use cPanel to create my database so my user account won't allow it to be root. Where should I store my connection.php file?

davidj
03-11-2008, 03:17 PM
wherever you like

make sure you drop an index.htm (blank) in the dir

it could redirect to the index page using a simple refresh tag
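One way to lay out the connection file, as an added example that is not code from the thread. It assumes a cPanel-style layout where `public_html` is the web root and keeps the actual credentials in an INI file one level above it, owned by the site user with mode 0600; the path, the `app_user` account and the function names are placeholders. The blank `index.htm` davidj mentions stops directory listing inside the web root; a file above the web root is never served at all, which covers the case where PHP handling is misconfigured and `.php` files are returned as text.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   /home/site/db.ini          (0600, outside the web root, holds credentials)
//   /home/site/public_html/    (web root, contains this connection.php)
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Read host/name/user/pass from an INI file that lives outside the web root.
 * Refuses to run if the file is group- or world-readable on a Unix host.
 */
function loadDbCredentials(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("credentials file missing: $path");
    }
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($path) & 0077) !== 0) {
        throw new RuntimeException("credentials file is readable by others: $path");
    }

    $cfg = parse_ini_file($path, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse credentials file: $path");
    }
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("credentials file missing key: $key");
        }
    }
    return $cfg;
}

/**
 * Open the connection with the dedicated, limited account.
 */
function connectToDb(array $cfg): mysqli
{
    $db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    $db->set_charset('utf8mb4');
    return $db;
}

// db.ini contents (placeholder values):
//   host = "localhost"
//   name = "contacts_db"
//   user = "app_user"
//   pass = "APP_PASSWORD_PLACEHOLDER"
//
// Usage from public_html/connection.php: one directory up is outside the web root.
// $db = connectToDb(loadDbCredentials(dirname(__DIR__) . '/db.ini'));
```

This also answers the question about password strength: the credential is only displayed in a file the web server can read and the outside world cannot, so a long random password costs nothing and limits the damage if the database port is ever reachable from elsewhere.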

m1a2x3x7
03-11-2008, 03:26 PM
Thanks for the info.