[TYPO3-dev] Encryption of the fe_users table (not just passwords).
Martin Kutschker
martin.kutschker-n0spam at no5pam-blackbox.net
Wed Feb 20 22:09:58 CET 2008
Sacha Ligthert wrote:
> Hi List,
>
> For a project I am planning as an intern (to finally finish my school)
> there is the requirement that personal and transaction information
> should be encrypted as much as possible. One (logical) place to store
> personal information is in the fe_users fields.
>
> I am wondering, is there a sound way to encrypt all fields (except
> uid,pid,crtime, etc) in the table fe_users without breaking extensions
> dependent on this table (for example: sr_feuser_register)?

You could try and make an XCLASS extension of t3lib_db to intercept all
access to the fe_users table.

But I cannot imagine it to be extremely secure as you will have to store
the key to your encryption scheme on the server. That is if you want to
encrypt the whole table globally. Maybe you can fuzz around with record
based encryption and a user-supplied password which (also dangerous)
must be stored somewhere in the session. In this case all UPDATE
statements that may affect more than one record will be hard to check.

I think it is better to find ways to protect the server itself properly.

Masi
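
A sketch of the interception idea discussed in this message, as an added example that is not part of the original post and is not TYPO3 code. It assumes PHP 7.2+ with the sodium extension; the `t3lib_db` stub, the constructor-supplied key, the `seal()`/`open()` helpers and the list of plaintext columns are hypothetical, and reads through `exec_SELECTquery` are left out.

```php
<?php
// Added illustration, not TYPO3 core code. This stub stands in for the real
// t3lib_db so the file runs without TYPO3; it only records what it is given.
class t3lib_db {
    public $lastCall = array();
    function exec_INSERTquery($table, $fields_values, $no_quote_fields = FALSE) {
        $this->lastCall = array($table, '', $fields_values);
        return TRUE;
    }
    function exec_UPDATEquery($table, $where, $fields_values, $no_quote_fields = FALSE) {
        $this->lastCall = array($table, $where, $fields_values);
        return TRUE;
    }
}

// Hypothetical XCLASS: encrypts fe_users columns on their way to the database.
class ux_t3lib_db extends t3lib_db {
    // Columns left readable: uid, pid, crtime from the question, plus (assumed)
    // username and password so that login lookups still match.
    private $plain = array('uid', 'pid', 'crtime', 'username', 'password');
    private $key;
    // Demo only: a real XCLASS would read the key from server-side configuration.
    function __construct($key) { $this->key = $key; }

    function exec_INSERTquery($table, $fields_values, $no_quote_fields = FALSE) {
        return parent::exec_INSERTquery($table, $this->seal($table, $fields_values), $no_quote_fields);
    }
    function exec_UPDATEquery($table, $where, $fields_values, $no_quote_fields = FALSE) {
        return parent::exec_UPDATEquery($table, $where, $this->seal($table, $fields_values), $no_quote_fields);
    }
    private function seal($table, array $row) {
        if ($table !== 'fe_users') return $row;      // other tables pass through
        foreach ($row as $col => $val) {
            if (in_array($col, $this->plain, TRUE)) continue;
            $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
            $row[$col] = base64_encode($nonce . sodium_crypto_secretbox((string)$val, $nonce, $this->key));
        }
        return $row;
    }
    function open($val) {                            // inverse of seal() for one value
        $raw = base64_decode($val, TRUE);
        $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        return sodium_crypto_secretbox_open(substr($raw, $n), substr($raw, 0, $n), $this->key);
    }
}

// Constructed sample row. The key is held by the same PHP process that serves
// the site, which is the weakness of the global-key variant.
$db = new ux_t3lib_db(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES));
$db->exec_INSERTquery('fe_users', array('pid' => 12, 'username' => 'jdoe', 'email' => 'jdoe@example.org'));
$stored = $db->lastCall[2];
var_dump($stored['pid'], $stored['email'] !== 'jdoe@example.org', $db->open($stored['email']));
```

With a per-record key instead of the single key used here, `exec_UPDATEquery` would need to know which records a `$where` clause matches before it could encrypt the new values, which is the multi-record UPDATE difficulty raised in the message.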