
I'm wondering if you can help me out. I've been working on a project that stores information about volunteers at my church. It is all managed through a control panel which is fine because username, passwords and permissions can be setup to give certain people access to use the system. However, we do have a few people that have access to cPanel and use PHPmyAdmin. Is there a way to encrypt all the information stored so that it is not readable on PHPmyAdmin and then have it decrypted so you can view it on the control panel?

We store names, addresses, contact information such as numbers and emails and possibly into the future bank account details and don't want anyone accessing PHPmyAdmin being able to read any of it.

Thanks :)

Keiran
  • You should look at the [PHP manual](http://php.net/manual/en/faq.passwords.php) – FluxCoder May 21 '17 at 20:48
  • *"We store names, addresses, contact information such as numbers and emails and possibly into the future bank account details and don't want anyone accessing PHPmyAdmin"* - That sounds terribly dangerous. You shouldn't be storing bank account details unless you know exactly what it is you are doing. – Funk Forty Niner May 21 '17 at 20:52
  • If you only want certain people accessing phpmyadmin, you could GRANT them only certain privileges. – Funk Forty Niner May 21 '17 at 20:53
  • @Fred-ii- This is why I'm looking into how we go about doing it so that it is done properly and until then everything is also paper logged and put into a safe. :) – Keiran May 21 '17 at 20:54
  • Consult https://docs.phpmyadmin.net/en/latest/privileges.html on how to GRANT privileges in phpmyadmin. Have a look at [How do you Encrypt and Decrypt a PHP String?](http://stackoverflow.com/q/16600708/1415724) which contains a lot of information on encrypting/decrypting. @Keiran – Funk Forty Niner May 21 '17 at 20:57

1 Answer


An observation: You are proposing to store Personally Identifiable Information in your system. If you store bank account details, an intruder into your system will be able to commit identity theft and bank fraud against the persons whose information is recorded. This is very dangerous. If I may speak as someone who's both an ordained pastor and a computer programmer, I urge you not to do this. It's simply not fair to your church's members to put them at risk this way. Emails, names, addresses? OK. That's the same stuff that's in your published directory. But be careful with names, genders, and ages of children.

At any rate, get the approval of your church's leadership for this project. You don't want sole responsibility for this.

I appreciate your attempt to keep personal information invisible to people among your staff and volunteers who don't need to know it. There's something in church work somewhere about avoiding temptation :-), and you're helping that. Good.

But: your most dangerous threat is not your staff and volunteers who can see your phpMyAdmin pages. It is cybercriminals. If somebody cracks your system, they probably will crack your "control panel" -- your web application. If they do that, it doesn't matter whether you've encrypted those bank account numbers. For your web application to use that data it will need the key to decrypt that data. Cybercriminals know how to find that stuff. (See Matthew 10:16. Seriously.)

Set up multiple MySQL accounts, preferably one for each different person who will access your database. Use phpMyAdmin's user management page to do this. https://docs.phpmyadmin.net/en/latest/privileges.html

Then grant each user access to the databases and tables she's allowed to see. To prevent a user from seeing a table, don't grant her the SELECT privilege on that table.

You can do this with ordinary SQL too. It looks something like this:

```sql
-- '%' is MySQL's "any host" wildcard; '*' would be taken as a literal host name
CREATE USER 'JackTheTeacher'@'%' IDENTIFIED BY 'secret-password';
GRANT SHOW DATABASES ON *.* TO 'JackTheTeacher'@'%';
-- SELECT is included: without it the table is invisible to Jack and
-- UPDATE/DELETE statements with a WHERE clause are refused
GRANT SELECT, INSERT, UPDATE, DELETE ON `mydb`.`students` TO 'JackTheTeacher'@'%';

CREATE USER 'SallyTreasurer'@'%' IDENTIFIED BY 'another-secret-password';
GRANT SHOW DATABASES ON *.* TO 'SallyTreasurer'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON `mydb`.`pledges` TO 'SallyTreasurer'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON `mydb`.`donations` TO 'SallyTreasurer'@'%';

-- not needed after GRANT statements (they take effect immediately), but harmless
FLUSH PRIVILEGES;
```

This example grants Jack the right to manipulate the students table when he's using phpMyAdmin. It also grants Sally access to the pledges and donations tables. These are just examples to show you how to use fine-grained GRANT operations.

You can also encrypt the contents of certain columns. But in that direction lies a false sense of security, because your web app needs the key to decrypt columns it uses, and your web app is probably the easiest route to crack your system.

O. Jones
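A worked least-privilege setup along the lines of the answer, as an added example (not the answer's own SQL): MySQL column-level grants keep one sensitive column out of a phpMyAdmin user's reach, while the web application gets its own separate login. The database, table, column and user names are assumptions; replace them with your own.

```sql
-- Added example, not from the original answer. Names are assumptions.
-- Requires MySQL 5.7.6+ for CREATE USER IF NOT EXISTS.
CREATE DATABASE IF NOT EXISTS churchdb;

CREATE TABLE IF NOT EXISTS churchdb.volunteers (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  name      VARCHAR(100) NOT NULL,
  email     VARCHAR(254),
  phone     VARCHAR(30),
  address   VARCHAR(200),
  bank_iban VARCHAR(34)          -- the column most logins must never see
);

-- Volunteer coordinator using phpMyAdmin: may read and edit contact details
-- but gets no privilege of any kind on bank_iban. Because the grant is
-- per column, phpMyAdmin cannot display that column for this login, and
-- a SELECT * (which needs SELECT on every column) is refused as well.
CREATE USER IF NOT EXISTS 'coordinator'@'%' IDENTIFIED BY 'change-this-password';
GRANT SELECT (id, name, email, phone, address),
      INSERT (name, email, phone, address),
      UPDATE (name, email, phone, address)
  ON churchdb.volunteers TO 'coordinator'@'%';

-- Web application account: the only login allowed to touch bank_iban.
-- Bound to localhost and given no administrative or *.* privileges, so a
-- leaked application password cannot be used to create users or grants.
CREATE USER IF NOT EXISTS 'webapp'@'localhost' IDENTIFIED BY 'change-this-password-too';
GRANT SELECT, INSERT, UPDATE, DELETE ON churchdb.volunteers TO 'webapp'@'localhost';

-- Verify the outcome: SHOW GRANTS lists exactly what each login can do.
SHOW GRANTS FOR 'coordinator'@'%';
SHOW GRANTS FOR 'webapp'@'localhost';

-- Logged in as 'coordinator':
--   SELECT name, email FROM churchdb.volunteers;    -- allowed
--   SELECT bank_iban FROM churchdb.volunteers;      -- denied: no SELECT on that column
--   SELECT * FROM churchdb.volunteers;              -- denied: not every column is granted
```

Review the `SHOW GRANTS` output whenever someone's role changes; a login that has accumulated `*.*` or `GRANT OPTION` privileges defeats the whole scheme.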
  • @o-jones - Thank you for the great advice! This has definitely been something to consider and seems like the best way to go. Thank you for your help and thanks for the scripture! :) If you are looking for any paid work, can you drop me a message? – Keiran May 21 '17 at 23:01
  • The company called stripe.com offers ways to handle payments, both via credit/debit cards and via ACH (bank account) transfers. They have done an excellent job of working out how to make this secure for the account holders. Might be worth a look. – O. Jones May 21 '17 at 23:55