Hey guys,

I'm really just looking for some guidance. Here is the scenario:

A user can add an FTP account via a password protected control panel. I need to save these credentials so that the FTP account can be connected to automatically. This is easy but I want to take the most secure approach possible. I was thinking of possibly encrypting the password client-side and then sending the encrypted password to the server for storage. Then the encrypted value would be pulled out and decrypted client side before the FTP connection was made.

I know that isn't too secure but it's all I can think of. Do you guys have any other bright ideas to make this more secure? Thanks!

A: 

Securely storing the credentials is easy - encrypt it server-side and you're fine.

Securely transmitting the data is much harder if you can't use SSL.

The simplest way would be to encrypt the data with their hashed password before transmission (from either end); that way the encryption key isn't transmitted with the data or stored as part of the client-side code.

It's not ideal, you ideally want SSL, but it's better than sending plain-text or encrypting with a key stored in (or generated by) your code.

Andy
The problem with encrypting it server side is that I need the credentials in plain text later on if I am going to connect to the FTP server with the saved credentials. Not sure how to get around that. Also, when connecting to ftp I am using ftp_ssl_connect to connect to the users FTP. I don't know much about security but I'm assuming that's a bit better than ftp_connect.
Eric Bieller
@Eric: you can only use ftp_ssl_connect if the FTP server supports SSL-FTP. If the user is able to choose an arbitrary FTP server, then that certainly won't always be the case.
Todd Owen
I understand. What about ssh2_sftp? Would it be better to connect via ssh2_connect if I can get it working on my server? Also, regarding password storage, I'm still stuck as I cannot encrypt the password on my server and then connect to the user's FTP at a later date since I would have to decrypt the password. Any thoughts?
Eric Bieller
A: 

I think your method is actually reasonable, with one major caveat: use public key encryption (aka asymmetric encryption).

Really, as long as you use public key encryption, doing the encryption client-side is not a problem. The whole point of public key encryption is that you can share your public key with the world and yet as long as you keep your private key secure, you'll be the only one who can decrypt it.

JGB146
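
The public-key approach from the second answer, as an added example that is not code from any poster in this thread: the password is sealed with a public key when the account is saved, and opened with the private key only at the moment the FTP connection is made, which also shows that stored encryption is reversible when the plaintext is needed later. It assumes PHP 7.2+ with the bundled sodium extension; the function names and sample password are hypothetical.

```php
<?php
// Added example: function names and sample values are constructed for illustration.

// One-time setup. The keypair belongs only on the host that opens FTP
// connections; the code that saves new accounts needs just the public key.
$keypair   = sodium_crypto_box_keypair();
$publicKey = sodium_crypto_box_publickey($keypair);

/** Encrypt a password for storage; needs only the public key. */
function sealFtpPassword(string $password, string $publicKey): string
{
    return base64_encode(sodium_crypto_box_seal($password, $publicKey));
}

/** Recover the plaintext just before connecting; needs the full keypair. */
function openFtpPassword(string $stored, string $keypair): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false) {
        throw new RuntimeException('Stored value is not valid base64');
    }
    $plain = sodium_crypto_box_seal_open($raw, $keypair);
    if ($plain === false) {
        // Wrong key, or the stored ciphertext was modified.
        throw new RuntimeException('Stored credential failed to decrypt');
    }
    return $plain;
}

// Save path: this string is what goes into the database column.
$stored = sealFtpPassword('s3cret-ftp-pass', $publicKey);

// Connect path: decrypt, hand to ftp_login()/ssh2_auth_password(), then wipe.
$password = openFtpPassword($stored, $keypair);
var_dump(hash_equals('s3cret-ftp-pass', $password)); // round-trip check
sodium_memzero($password);

// A stored value that has been altered is rejected instead of decrypting to garbage.
$raw = base64_decode($stored, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1); // flip one bit
try {
    openFtpPassword(base64_encode($raw), $keypair);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Whatever process decrypts still has to hold the private key, so keep it outside the database and the web root; a database dump alone then exposes only sealed values.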