I’ve been asked a few times now if there is a way to use encrypted MySQL connections in Magento. Most of the time it is when merchants are selling medical products and HIPAA requirements come into play. I am not an expert in HIPAA, nor do I want to be, but with the cost of vulnerabilities on the rise it made sense to at least look into it and get a good answer on how to do it.
I don’t talk much about security. This is mostly because it’s such a moving target. I’m also horrified that I might give bad advice and someone will be hacked because of me. But in
Chris Dale recently posted a horrifying article on his blog. It is called “Why it’s easy being a hacker – A SQL injection case study”. The most horrifying part of the post was that
A little while ago I had come upon the problem of having to store sensitive data in a user session. The solution that I (and several others) came upon was creating a mechanism for storing encrypted data in a session. But what we wanted to do was build something that didn’t have a single point of failure. We also wanted to build something portable. What we built was a simple Zend Framework session handler for storing sensitive data.
I recently posted an image on why you shouldn’t put phpinfo() calls in your code.
There were a couple of comments from people asking “why not?”
Here’s why not.
Go to Google
Search for inurl:phpinfo
Check out the results
At the time of writing there were 4 pages on the first result page that were broadcasting their settings.
Here’s another fun one. Search for “inurl:phpinfo root”. Lots more.
There’s a bunch of information that you will see.