1- If you really want to encode the emails, and need to decode them in the future, your best bet is to look at the MySQL encryption functions like ENCODE() and DECODE(). First you need to set up a "salt". This is like a secret code. It can be the same for every record, like this:
SELECT DECODE(email, 'mysecretsalt') FROM Table WHERE id=1
Or, you can make the salt part from a code and another field in the table, like this:
SELECT DECODE(email, CONCAT('mysecretsalt', id)) FROM Table WHERE id=1
2- Set up a specific user in your database that ONLY has access to that specific table and ONLY has INSERT privileges for when you are adding records, and then another user that only has SELECT privileges when you are retrieving the records. Also, lock those users down to the "localhost". If a hacker gets one of those, they can't do much.
Also, when you receive the email from the customer in the form of a request variable (GET or POST), to protect from SQL injection attacks, either escape characters (in PHP, you could use mysqli_real_escape_string()) or simply get rid of all characters that don't belong. In PHP, it would look like this:
$email = preg_replace('/[^A-Za-z0-9.@_-]/', '', $email);
That's the way I like to do it.
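
The two-account setup from point 2, as an added example that is not part of the original post. The database `shop`, the table `customers`, the account names and the placeholder passwords are all assumptions made for illustration.

```sql
-- Added example: run as an administrative account.
-- `shop`, `customers`, email_writer and email_reader are hypothetical names.

-- Account for the code path that stores new addresses: INSERT only,
-- on one table, and only when connecting from the same host.
CREATE USER 'email_writer'@'localhost' IDENTIFIED BY 'CHANGE_ME_writer_password';
GRANT INSERT ON shop.customers TO 'email_writer'@'localhost';

-- Account for the code path that reads addresses back: SELECT only.
CREATE USER 'email_reader'@'localhost' IDENTIFIED BY 'CHANGE_ME_reader_password';
GRANT SELECT ON shop.customers TO 'email_reader'@'localhost';

-- Review what each account ended up with.
SHOW GRANTS FOR 'email_writer'@'localhost';
SHOW GRANTS FOR 'email_reader'@'localhost';

-- Audit table-level grants on this table: any row whose grantee is not one
-- of the two accounts above, or whose host part is not 'localhost', needs a
-- second look. (Global and database-level grants are not listed here.)
SELECT GRANTEE, PRIVILEGE_TYPE
FROM information_schema.TABLE_PRIVILEGES
WHERE TABLE_SCHEMA = 'shop'
  AND TABLE_NAME = 'customers'
ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- Negative checks, run while connected as each restricted account.
-- As email_writer, the server must refuse this read:
--   SELECT email FROM shop.customers WHERE id = 1;
-- As email_reader, the server must refuse this write:
--   INSERT INTO shop.customers (email) VALUES ('test@example.com');
```

The application then opens its connection as email_writer in the signup handler and as email_reader wherever addresses are read, so stolen credentials for one account do not grant the other's privilege.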