encrypt data in database

Hi,

I'm looking to store some sensitive data in an existing (MySQL) database. Imagine for a moment that the user is already on a page that is only available when logged in as I've already got all that sorted (using a CMS). The page is not HTTPS at the moment and the data is stored in plain text in the database. I understand both of these to be very bad. How do I go about:
a) forcing HTTPS; and
b) encrypting data for the database and subsequently decrypting it to be read by the user.
 
Can anyone confirm if this is secure:

Data is encrypted in the database using mcrypt with Blowfish. The IV is stored in the XHTML file in the PHP encryption/decryption lines. The key is the hash of the user's password, which is stored in the same database. The page where this is viewable is only available to logged-in users and shows the details for that logged-in user only. The page is delivered over SSL.

Secure? I'm hoping there's nothing really stupid in that logic...
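
An added example, not part of the original post: in the scheme described above, the key (the stored password hash) sits in the same database as the ciphertext and the IV is a constant in the page source, so this sketch instead derives the key from the plaintext password at login and uses a fresh random nonce per value. It uses libsodium, bundled with PHP 7.2 and later (the release that dropped mcrypt from core); the function names, the per-user `$kdfSalt` column and the sample values are assumptions.

```php
<?php
// Added example; function names and sample values are hypothetical.
// Derive the field key from the plaintext password at login. $kdfSalt is a
// random per-user value stored in the user row (not secret). The derived key
// lives only in the session and is never written to the database.
function derive_field_key(string $password, string $kdfSalt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $password,
        $kdfSalt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Encrypt one field with a fresh random nonce, stored in front of the
// ciphertext so nothing is hard-coded in the page source.
function encrypt_field(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Decrypt one field; fails closed on a wrong key or a modified value.
function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Wrong key or tampered data');
    }
    return $plain;
}

// Constructed sample values.
$kdfSalt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
$key     = derive_field_key('correct horse battery staple', $kdfSalt);
$stored  = encrypt_field('sample sensitive value', $key);
var_dump(decrypt_field($stored, $key) === 'sample sensitive value');
try {
    decrypt_field($stored, derive_field_key('some other password', $kdfSalt));
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The login check itself stays on a separate `password_hash()` / `password_verify()` value, so a copy of the database alone yields neither the key nor the plaintext.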
 