  • #1
    New Coder
    Join Date
    May 2009
    Location
    Pennsylvania, United States
    Posts
    54
    Thanks
    16
    Thanked 0 Times in 0 Posts

    Is it considered secure to store sensitive data in text files, if it is ENCRYPTED?

    I was just curious, is that a good idea? All sensitive data will be protected and encrypted via crypt(). Is this generally unsafe?

    I was also considering saving the file as .php, and adding

    PHP Code:
    <?php exit(); ?>
    as the first line so nobody can even see the encrypted passwords, just a blank page.

    Which way should I go with this?
    Thanks!

  • #2
    New Coder
    Join Date
    Jan 2010
    Location
    UT
    Posts
    35
    Thanks
    1
    Thanked 3 Times in 3 Posts
    Using "exit" on the first line will stop execution (and show a blank page) for not only people that view the page directly, but your scripts that read the files as well.

    I highly recommend not using files to store sensitive information (such as passwords) even if they are encrypted. It would be best to store them in a database.

  • #3
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    File system storage has the exact same principles as database storage. Make sure passwords aren't stored in plaintext, (I'd use something a bit more robust for hashing, btw). With regards to whether it is less secure than storing them in a DB, the answer is no, provided access permissions and suchlike are correct. Don't save the files as .php files, btw.

  • #4
    New Coder
    Join Date
    Dec 2009
    Posts
    84
    Thanks
    6
    Thanked 3 Times in 3 Posts
    @johnnnn
    I always use plain text for everything I store: .ini, .php, .csv, .inc or similar. I'm not saying a flat file is more secure than a DB, but I believe neither a DB nor plain text is 100% bulletproof.

    I think I'd say using plain text is as safe as using a DB, provided that you don't forget to encrypt the output data that will be stored in plain text, especially passwords; use robots.txt to keep search engine crawlers away, use .htaccess to prevent direct access, etc. Using 0644 or at least 0755 for file permissions is better than 0777.

    Best Regards,

  • #5
    Regular Coder
    Join Date
    Dec 2009
    Location
    UK
    Posts
    495
    Thanks
    0
    Thanked 58 Times in 58 Posts
    Personally I always use the method of hasing passwords. You shouldn't store passwords at all. They're not needed, as you can always use a password reset function if it comes to it.
    My site: JayGilford.com
    Resources:
    PHP Pagination Class | Getting all page links | Handling PHP Errors properly
    If you like a users help, show your appreciation with the rep and thanks buttons :)

  • #6
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    Quote Originally Posted by JAY6390
    Personally I always use the method of hasing passwords. You shouldn't store passwords at all. They're not needed, as you can always use a password reset function if it comes to it.
    Hasing? If you don't store any passwords, how can you have a reset function for them?

  • #7
    Regular Coder
    Join Date
    Dec 2009
    Location
    UK
    Posts
    495
    Thanks
    0
    Thanked 58 Times in 58 Posts
    You store the hash, not the password...

    Edit: I meant hashing not hasing, simple typo
    My site: JayGilford.com
    Resources:
    PHP Pagination Class | Getting all page links | Handling PHP Errors properly
    If you like a users help, show your appreciation with the rep and thanks buttons :)
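As an added example that is not code from anyone in this thread: the points made in #3 (don't store plaintext, use a robust hash, get the file permissions right) and in #5/#7 (store the hash, not the password) combined in one PHP script. It keeps a `username:hash` file in a directory that is assumed not to be under the web server's document root (`../private`, which must already exist), writes it with owner-only permissions, and uses `password_hash()`/`password_verify()` (bcrypt via `PASSWORD_DEFAULT`). The file layout, paths and function names are assumptions of this example; it assumes PHP 8 or later.

```php
<?php
// Added example, not from the thread: store password hashes, never passwords,
// in a flat file kept outside the web root with owner-only permissions.
declare(strict_types=1);

// Assumption: ../private exists and is NOT served by the web server.
const USER_DB = __DIR__ . '/../private/users.txt';

function loadUsers(string $path): array
{
    if (!is_file($path)) {
        return [];
    }
    $users = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        // Assumed line format: username:hash  (bcrypt hashes never contain ':')
        [$name, $hash] = explode(':', $line, 2);
        $users[$name] = $hash;
    }
    return $users;
}

function saveUsers(string $path, array $users): void
{
    $lines = [];
    foreach ($users as $name => $hash) {
        $lines[] = $name . ':' . $hash;
    }
    // Write to a temp file with mode 0600, then rename atomically so a reader
    // never sees a half-written database.
    $tmp = $path . '.tmp';
    $oldMask = umask(0077);
    file_put_contents($tmp, implode("\n", $lines) . "\n", LOCK_EX);
    chmod($tmp, 0600);
    umask($oldMask);
    rename($tmp, $path);
}

function registerUser(string $path, string $name, string $password): void
{
    // Reject characters that would corrupt the line-based format.
    if ($name === '' || str_contains($name, ':') || str_contains($name, "\n")) {
        throw new InvalidArgumentException('invalid username');
    }
    $users = loadUsers($path);
    // password_hash() chooses bcrypt (PASSWORD_DEFAULT) and a random salt per hash;
    // the salt and cost are embedded in the returned string.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    saveUsers($path, $users);
}

function checkLogin(string $path, string $name, string $password): bool
{
    // Computed once per process so an unknown user costs the same time as a known one.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);

    $users = loadUsers($path);
    if (!isset($users[$name])) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $users[$name]);
}

// Usage (example only):
// registerUser(USER_DB, 'alice', 'correct horse battery staple');
// var_dump(checkLogin(USER_DB, 'alice', 'correct horse battery staple'));
// var_dump(checkLogin(USER_DB, 'alice', 'wrong password'));
```

Because the stored value is a one-way hash, losing the file to an attacker still costs them a brute-force effort per entry rather than handing over the passwords, which is exactly why a "reset" flow (generate a new password, store its new hash) is possible without ever keeping the original.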

  • #8
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    Quote Originally Posted by JAY6390
    You store the hash, not the password...

    Edit: I meant hashing not hasing, simple typo
    Ah, that makes sense now. The penny just wouldn't drop before, no matter how many times I read your post.

  • #9
    Fou-Lu (God Emperor)
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,979
    Thanks
    4
    Thanked 2,659 Times in 2,628 Posts
    ...how sensitive are you talking here?
    First and foremost, this file should not be a published one. Period. Ensure that it is never in a location where it could be accidentally served by a webserver.

    Second, the permissions of the file should be owned by your user, and perhaps grouped to the account used for apache. 060 privileges.

    Third, crypt is not a suitable encryption algorithm. Look into encryption with RSA or DES. Hashing is not an option if you need to reverse it in a timely manner. Should you be storing just a comparable value such as a password, hashing is fine. If you're storing credit card or financial numbers (be aware of the legalities involved with this), you must encrypt it, and your encryption has to be at least as strong as required by financial institutes. Watch your encryption strength as well; some countries do not allow general population to exceed a certain bit level on their cyphers.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
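For the case post #9 separates from password storage, a value the application must read back later and therefore cannot hash, here is an added example (not the poster's code, and using AES-256-GCM from PHP's OpenSSL extension as the cipher, which is this example's choice rather than the post's suggestion of RSA or DES). The key is generated from `random_bytes()` and kept in its own file beside the data file, both assumed to live in a `../private` directory that is not under the document root and both written with mode 0600. Paths, the record layout (`iv || tag || ciphertext`, base64-encoded) and all function names are assumptions of this example.

```php
<?php
// Added example, not from the thread: authenticated encryption for a record the
// application itself must decrypt later, with the key stored outside the web root.
declare(strict_types=1);

// Assumptions: ../private exists and is never served by the web server.
const KEY_FILE  = __DIR__ . '/../private/data.key';
const DATA_FILE = __DIR__ . '/../private/data.enc';
const CIPHER    = 'aes-256-gcm';

function loadOrCreateKey(string $path): string
{
    if (is_file($path)) {
        $key = file_get_contents($path);
        if ($key === false || strlen($key) !== 32) {
            throw new RuntimeException('key file unreadable or wrong length');
        }
        return $key;
    }
    $key = random_bytes(32);                  // 256-bit key from the CSPRNG
    $oldMask = umask(0077);
    file_put_contents($path, $key, LOCK_EX);
    chmod($path, 0600);                       // owner read/write only
    umask($oldMask);
    return $key;
}

function encryptRecord(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);                  // fresh 96-bit nonce for every record
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored layout: iv (12 bytes) || tag (16 bytes) || ciphertext, base64 for a text file.
    return base64_encode($iv . $tag . $ct);
}

function decryptRecord(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed record');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // Wrong key, or the stored bytes were altered: GCM's tag check rejects it.
        throw new RuntimeException('decryption failed or record tampered with');
    }
    return $pt;
}

function storeRecord(string $path, string $plaintext, string $key): void
{
    $oldMask = umask(0077);
    file_put_contents($path, encryptRecord($plaintext, $key) . "\n", LOCK_EX);
    chmod($path, 0600);
    umask($oldMask);
}

function readRecord(string $path, string $key): string
{
    $encoded = trim((string) file_get_contents($path));
    return decryptRecord($encoded, $key);
}

// Usage (example only):
// $key = loadOrCreateKey(KEY_FILE);
// storeRecord(DATA_FILE, 'constructed sample secret', $key);
// echo readRecord(DATA_FILE, $key), "\n";
```

Keeping the key in a separate file matters because the encrypted data file is only as private as the key: if both sit under the document root, or both are world-readable, encryption buys nothing. GCM's authentication tag also means a record that has been edited on disk fails to decrypt instead of silently yielding garbage.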
