Securing Data Inside MySQL Database With PHP

Discussion in 'PHP' started by PK-Host, Aug 5, 2012.

  1. #1
    I'm currently creating a project that requires usernames and passwords for servers to be stored in a SQL database (I have to be able to access these in plain text at further points as they are used for logging in). Because of this I'm encrypting everything with a public/private openssl key so that while they are in the database they are secure and are only unsecure while actually connecting with the servers. That's fine and secure.

    However I initially thought I'd store the public and private keys in functions inside a file to encrypt/decrypt data, then I would encrypt that file with ionCube. Only after thinking about it I realised if someone managed to hack into the database generally they're gonna have access to files as well and it wouldn't take long to realise that in other files there are like decrypt_data functions. So now I'm stuck.

    How can I keep the private key safe? Bearing in mind it's automated so the private key can't have a password.
     
    PK-Host, Aug 5, 2012 IP
  2. danx10

    danx10 Peon

    #2
    If I understand you correctly...you are completely doing this the wrong way.

    If you are storing passwords, that is private & confidential information, so you should be encrypting it (use a hash function with a salt), it should not be able to be decrypted or viewed in plain text!

    Don't write your own password mechanism at all!

    Please see => http://phpsec.org/articles/2005/password-hashing.html
     
    danx10, Aug 5, 2012 IP
  3. PK-Host

    PK-Host Guest

    #3
    Basically I am storing passwords to allow login to cpanel through the api. Hence I can't encrypt them I can only hash. Effectively if my plan works well encrypting with openssl will secure the password and login details in the database.
     
    PK-Host, Aug 5, 2012 IP
  4. danx10

    danx10 Peon

    #4
    If you get hacked then you're screwed - so you'd have to put preventative measures in place (if you have not already), by following safety principles e.g. ensure queries are escaped properly, ensure the right permissions are set on files ("read only" and only by the user required) and ALSO ensure any other scripts hosted alongside are secure/stable.

    I can't think of any other way of storing the key or an alternative method (maybe it's because it's 3:40am here! :eek:)...perhaps others can share their thoughts.
     
    Last edited: Aug 5, 2012
    danx10, Aug 5, 2012 IP
  5. PK-Host

    PK-Host Guest

    #5
    I simply need a way to restrict the private key without adding a password to the private key :/ anyone got any ideas?
     
    PK-Host, Aug 6, 2012 IP
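An added example (not code from the thread or from cPanel) of what the public/private key design from post #1 can buy you once the file-permission advice from post #4 is applied: the web application is deployed with ONLY the public key, so it can encrypt a reseller password into the database but cannot decrypt it; the backup job runs as a different OS user and reads the private key from a 0400 file outside the web root. The password itself is encrypted with a fresh AES-256-GCM data key per record, and that data key is wrapped with RSA-OAEP, so the row id is authenticated along with the ciphertext. The paths, the record id format and the PDO column layout in the comments are assumptions; it needs PHP 7.1 or later for GCM tag/AAD support in openssl_encrypt().

```php
<?php
// Added example, not from the thread. Web tier holds only the PUBLIC key; the
// backup worker (a different OS user) holds the private key in a 0400 file.
declare(strict_types=1);

// Assumed location, outside the web root on the backup host, owned by the backup user.
const PRIVATE_KEY_FILE = '/etc/backup-worker/private.pem';

// Refuse a private key that group/other can read: the "right permissions on
// files" point from the thread, enforced at runtime instead of trusted.
function load_private_key(string $path): string
{
    $perms = @fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("cannot stat $path");
    }
    if (($perms & 0077) !== 0) {
        throw new RuntimeException("$path must be owner-only (0400/0600)");
    }
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("cannot read $path");
    }
    return $pem;
}

// Encrypt one credential for storage; needs the public key only. $recordId is
// bound in as associated data, so a blob copied onto another row will not decrypt.
function encrypt_credential(string $plaintext, string $publicKeyPem, string $recordId): string
{
    $pub = openssl_pkey_get_public($publicKeyPem);
    if ($pub === false) {
        throw new RuntimeException('bad public key: ' . openssl_error_string());
    }
    $dataKey = random_bytes(32);                                   // fresh per record
    $iv      = random_bytes(openssl_cipher_iv_length('aes-256-gcm'));
    $tag     = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $dataKey, OPENSSL_RAW_DATA, $iv, $tag, $recordId);
    if ($ct === false) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    if (!openssl_public_encrypt($dataKey, $wrappedKey, $pub, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('key wrap failed: ' . openssl_error_string());
    }
    // One opaque ASCII string for a TEXT column: wrapped key, IV, GCM tag, ciphertext.
    return implode('.', array_map('base64_encode', [$wrappedKey, $iv, $tag, $ct]));
}

// Decrypt one credential; only the process that can read the private key succeeds.
function decrypt_credential(string $blob, string $privateKeyPem, string $recordId): string
{
    $parts = explode('.', $blob);
    if (count($parts) !== 4) {
        throw new RuntimeException('malformed blob');
    }
    $decoded = [];
    foreach ($parts as $p) {
        $d = base64_decode($p, true);
        if ($d === false) {
            throw new RuntimeException('malformed blob');
        }
        $decoded[] = $d;
    }
    [$wrappedKey, $iv, $tag, $ct] = $decoded;

    $priv = openssl_pkey_get_private($privateKeyPem);
    if ($priv === false) {
        throw new RuntimeException('bad private key: ' . openssl_error_string());
    }
    if (!openssl_private_decrypt($wrappedKey, $dataKey, $priv, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('key unwrap failed: ' . openssl_error_string());
    }
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $dataKey, OPENSSL_RAW_DATA, $iv, $tag, $recordId);
    if ($pt === false) {
        throw new RuntimeException('authentication failed: ciphertext, tag or record id altered');
    }
    return $pt;
}

// Demo with a key pair generated in memory so it runs offline. In deployment the
// pair is generated once on the backup host (openssl genrsa -out private.pem 3072;
// chmod 0400 private.pem) and only the output of `openssl rsa -in private.pem -pubout`
// is shipped to the web application.
$kp = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 3072]);
openssl_pkey_export($kp, $privatePem);
$publicPem = openssl_pkey_get_details($kp)['key'];

$blob = encrypt_credential('reseller-s3cret', $publicPem, 'reseller:42');
// Web tier stores it with a prepared statement, never string-built SQL (assumed schema):
//   $pdo->prepare('INSERT INTO creds (id, secret) VALUES (?, ?)')->execute(['reseller:42', $blob]);

// Backup worker side; in production $privatePem = load_private_key(PRIVATE_KEY_FILE).
if (decrypt_credential($blob, $privatePem, 'reseller:42') !== 'reseller-s3cret') {
    throw new RuntimeException('round trip failed');
}
try {
    decrypt_credential($blob, $privatePem, 'reseller:43');   // same blob, wrong row
    echo "BUG: blob accepted under another record id\n";
} catch (RuntimeException $e) {
    echo "round trip ok; swapped record id rejected: {$e->getMessage()}\n";
}
```

The private key still has no passphrase, as the thread requires for an unattended job; what changes is who can read it. A compromise of the web server plus its database yields only ciphertext and the public key, and a compromise of the backup host is needed on top of that to recover the passwords. If both run on one box under one user, the separation is gone and this degrades to exactly the situation post #4 describes.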
  6. jkon

    jkon Member

    #6
    Not only is storing passwords as they are a dull thing to do (without any purpose), but getting passwords from forms is as dull. Why not have an md5 in JavaScript, take the md5 and then run your secret algorithm in PHP and then store it in the DB? WHAT PRIVATE KEY? The way you are doing it nothing is private ...
     
    jkon, Aug 7, 2012 IP
  7. PK-Host

    PK-Host Guest

    #7
    Only a few things wrong there
    A) Who mentioned anything about a form?
    B) If you had read my last few posts you would realise why I need the password to be stored in a 2 way encryption
    C) If you don't know what private key I'm on about then you have no clue what you're talking about, read about openssl :/
    D) If I was going to use one way encryption I wouldn't use md5, it generates the smallest hash, at least use sha128 preferably 256 or above.
    E) Also if I was going to use a MD5 encryption why wouldn't I just do it in PHP?
     
    Last edited: Aug 7, 2012
    PK-Host, Aug 7, 2012 IP
  8. Rukbat

    Rukbat Well-Known Member

    #8
    Why do you need to be able to decrypt? You hash the password and store the hash. (Preferably you salt it first.) When you check it you hash what you're given and check that hash against the hash in the database.

    If you're hacked, all the hacker gets is the hashed passwords which, if you use a good hashing mechanism, are useless.

    (A password should only be used to check to see if the user is someone who knows the password. If you use it for anything else, you're creating a security hole large enough to drive the internet through.)
     
    Rukbat, Aug 10, 2012 IP
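An added example (not code from the thread) of the verify-only design danx10 (#2) and Rukbat (#8) describe: the database holds a salted, deliberately slow hash, login hashes what the user typed and compares, and the plaintext is never stored. It uses password_hash()/password_verify() (PHP 5.5 and later), which pick a random salt and use bcrypt, rather than a hand-rolled md5 or sha512. This fits the hosted script's own user accounts; it cannot be used where the plaintext has to be sent on to cPanel, which is the distinction the thread turns on. The in-memory array standing in for the MySQL table and the cost value are assumptions.

```php
<?php
// Added example, not from the thread: store a salted bcrypt hash, never the password.
declare(strict_types=1);

const BCRYPT_COST = 12; // assumption: tune so one hash takes ~100 ms on your server

// $users stands in for a MySQL table of username => password hash.
function register(array &$users, string $username, string $password): void
{
    // password_hash() generates the salt and embeds it in the result, e.g.
    // "$2y$12$<22 salt chars><31 hash chars>"; nothing else needs storing.
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function login(array &$users, string $username, string $password): bool
{
    // A single dummy hash so unknown usernames cost the same time as real ones
    // and the response time does not reveal which accounts exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }

    $hash = $users[$username] ?? $dummy;
    $ok = password_verify($password, $hash);   // constant-time comparison inside
    if (!$ok || !isset($users[$username])) {
        return false;
    }
    // Transparently upgrade old hashes when BCRYPT_COST is raised later.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

$users = [];
register($users, 'alice', 'correct horse battery staple');
register($users, 'bob',   'correct horse battery staple');

if (!login($users, 'alice', 'correct horse battery staple')) {
    throw new RuntimeException('valid login rejected');
}
if (login($users, 'alice', 'wrong') || login($users, 'nobody', 'anything')) {
    throw new RuntimeException('invalid login accepted');
}
// Same password, different salt: the two stored hashes must differ, so a leaked
// table cannot be attacked with one precomputed lookup per password.
if ($users['alice'] === $users['bob']) {
    throw new RuntimeException('salt missing');
}
echo "hash-and-verify ok\n";
```

What makes this hold up if the table leaks is not the digest length but the per-user salt and the cost factor: an attacker has to run the slow function once per guess per user. A plain md5 or even sha512 over the password with no salt, as suggested later in this thread, gives neither property.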
  9. PK-Host

    PK-Host Guest

    #9
    Please read through other posts before posting. I can't one-way encrypt them because of the cPanel API. I have opened a topic on cPanel's forum about authenticating with other methods but am currently unable to. http://forums.cpanel.net/f42/cpanel-api-password-hash-authentication-289102.html
     
    PK-Host, Aug 10, 2012 IP
  10. DomainerHelper

    DomainerHelper Well-Known Member

    #10
    Hi, I am an expert in integrating PHP with cPanel.

    Stop where you are, take a deep breath and re-approach this. What is the login for? Auto login to people's accounts? Auto login to webmail? Other?

    Telling me WHAT you are wanting the script to do, I can tell you the CORRECT way in accordance with modern protocols and the cPanel official documentation... which I have read time and time again.
     
    DomainerHelper, Aug 10, 2012 IP
  11. PK-Host

    PK-Host Guest

    #11
    Currently I authenticate into a reseller's account using their password to list all accounts using the XMLAPI. I then fall back to using curl to authenticate the account using the reseller's password, as currently the access hash is not allowed to be used in this way, and once authenticated it will perform a backup on the account.
     
    PK-Host, Aug 10, 2012 IP
  12. DomainerHelper

    DomainerHelper Well-Known Member

    #12
    DomainerHelper, Aug 10, 2012 IP
  13. PK-Host

    PK-Host Guest

    #13
    "You can write your script so that it includes an access hash, or "key," in the HTTP header that it sends to the server when it calls the API function. This method is only available to WHM users."
     
    PK-Host, Aug 10, 2012 IP
  14. DomainerHelper

    DomainerHelper Well-Known Member

    #14
    Refer to the first link and then see the cPanel support forum here:

    http://forums.cpanel.net/f42/xml-api-class-works-whm-cpanel-reseller-account-151289.html

    Also see:

    http://docs.cpanel.net/twiki/bin/view/SoftwareDevelopmentKit/ListResellersAccountsInformation

    If security is still an issue, run the script in https instead of http.... also, you should really go VPS these days.

    If you need this done for you, let me know.... $30.
     
    DomainerHelper, Aug 10, 2012 IP
  15. PK-Host

    PK-Host Guest

    #15
    It's not for me, I currently have the script as a self-hosted thing. That's fine, however I'm currently trying to create a hosted script also, but with the hosted script I have to take extra precautions as I would be holding login data.

    As for the links, I can list the accounts with the access hash, that's fine, as it is done under the reseller account. However the problem I am having is cPanel only allows you to login to a cPanel account from the reseller account via the reseller's password, not the access hash. As I need to run the backup script from their cPanel account.
     
    PK-Host, Aug 10, 2012 IP
  16. lemonsquad

    lemonsquad Greenhorn Affiliate Manager

    #16
    I just use md5 to hash the passwords in other databases I have worked on.
     
    lemonsquad, Aug 21, 2012 IP
  17. PK-Host

    PK-Host Guest

    #17
    Sorry but there's 4 things wrong with that.

    1. If you've read the rest of the topic you would understand why I can't encrypt passwords one-way.
    2. It's not on topic with what we are trying to achieve here.
    3. MD5 you shouldn't use! Even something as basic as SHA1 should be used over MD5. Really you should use at least SHA512; this will provide a long enough hash that is internationally standard now.
    4. You just posted to boost your post count?
     
    PK-Host, Aug 21, 2012 IP
  18. technique5

    technique5 Peon

    #18
    You can use md5 encryption to protect the contents of your MySQL table, but there is no direct way to protect it other than md5 if someone has access to your database.
     
    technique5, Aug 22, 2012 IP