Comments on: Storing Private Information In An Online Database

By: austin

austin — Wed, 17 Nov 2010 03:10:55 +0000

Thank’s for the speedy reply.

By: Jill Olkoski

Jill Olkoski — Wed, 17 Nov 2010 03:04:10 +0000

Hi Austin,
First off, I’m not a security expert, so keep this in mind when you read my answer.

Personally, I don’t think I’d be comfortable storing confidential information (either health info or SSN or credit card info) on a hosting company using shared servers. I don’t have any clients who need to do this, and if they ask, I refuse, because I’m not comfortable taking the security risk. So it’s a boundary I don’t cross. Maybe it’s fine, I just don’t know enough about it. So for confidential info, I think I’d try hosting the database yourself, assuming you can do this. I have no idea how. And be sure to use a SSL certificated when transmitting data to and from the query pages. Also do some research into MySQL Injection prevention. That’s the best I can offer.

By: austin

austin — Wed, 17 Nov 2010 01:07:07 +0000

Hi Jill. Thanks for the info. I am new to web and database design. I have a question for you. I work for a small company that still does things the old fashioned way. I am in the process of designing a MySql database to store job, and inventory information. It may someday store employee and other confidential information. To access the database I want to set up a web based application using Perl/Mason. If this web application is eventually stored with a web hosting service, how do I use it to access my database securely. Where should I keep the database. Or should I just host the web server myself.
Thanks. Hope you have time to answer this .

By: Jill Olkoski

Jill Olkoski — Fri, 31 Jul 2009 16:35:23 +0000

Hi Tina,
Excellent question. So far, I’ve never had an ecommerce client who needed to do a credit check. I presume that this kind of check would be necessary to get a loan, versus making a purchase. In general, I would NEVER submit my SSN number via any online service, unless it was the government or one of the big three credit rating agencies. Just too dangerous, my personal opinion. Whenever I’ve been required to give SSN number, it was either via phone, or via fax.

Note, that I’ve been contacted by a few loan companies who wanted me to do just this, to collect SSN numbers and send them in the clear, via email. I’ve refused these jobs, concerned they might be scams.

Now, I’m no security expert. I have heard that it’s possible to encrypted in the database, but I haven’t done this before – it’s simply out of the scope of what I’m comfortable doing. If you need to collect and store SSN numbers, you should consult with a web developer security expert who has done this type of thing before. I’m sure there are other things as well, it’s just out of my field of expertise.

By: Tina

Tina — Fri, 31 Jul 2009 14:48:51 +0000

This is good information. I’m curious how you would handle a client who requires Social Security number information necessary to process a credit check on a customer.

Suppose the client is very adamant that this information be captured, as it’s vital to his business.

I would assume the obvious: if it’s to be stored in a database, the SS number needs to be encrypted and the data transfer needs to be via SSL. But what other security measures can be taken that haven’t already been mentioned above?