
Encrypting data using query in Node.js and MySql

Is it safe to encrypt the data posted in MySql using query in node.js?

I tried something like this and it works pretty fine in terms of encryption but I don’t know exactly how safe it is, I am pretty much a beginner in this area.

// Parameterised INSERT; MySQL's AES_ENCRYPT runs on the database server,
// with the key written literally into the SQL text.
db.query('INSERT INTO questions (content) VALUES (AES_ENCRYPT(?, "key"))',
    [content], err => {
        if (err) {
            console.log(err);
        } else {
            res.send("successfully posted");
        }
    });


Answer

Let’s say I wanna encrypt the password so it could be safe from threats like attackers who might try to get the data from the database

There are two major threats to passwords.

Interception between user and API

You need to have the client, typically a browser, encrypt the data. Doing it in the database is too late.

Use HTTPS instead of plain HTTP.

I saw that there are a few libraries designed to encrypt data before it is sent to the server.

HTTPS is excellent. Do not try to roll your own secure transport layer with off the shelf encryption libraries; just use HTTPS.

You also need to secure the connection between the API server and the database server. This is usually less of a concern as they typically take place either on the same machine, or on two machines that have a pretty private network connection between them. You need to investigate this more if your database and API servers are running on different machines and communicating over a shared network.

Harvesting from a vulnerable server

If your database server is compromised then the passwords can be read by the attacker.

At this stage it is too late for your site and the attacker knowing the passwords isn’t going to do much more direct harm to you.

However, since many users are in the habit of recycling passwords, this gives the attacker a bunch of passwords and usernames/email addresses to try out on other websites.

This will hurt your users and damage your reputation.

Only store hashed passwords. This answer covers doing that with bcrypt.

User contributions licensed under: CC BY-SA