I have a downtime and Iām thinking about choosing a new project for fun. I am a college student and every year we have an online competition. I want to create a project for this pitch competition that is approximately 9 months old. The problem is that the project requires very high security, and competition is very competitive.
Things I need to do: 1. Store HIPAA or ePHI (.pdf | .gif | .jpg | .doc) 2. Strong access control 3. Support for a large number of users and files (1 million +) 4. Full reports on audit (oh ePhi, what a pain you are) 5. Encryption
Suggested Solutions
0) Put the web application on a secure dedicated server behind the firewall.
1) Store the files in a file, for example, "secure_files /", and then use mod_rewrite to restrict access to this directory.
Something in the lines:
Then use a php script to open the files if the user has privileges for this. So I can just use:
------ -SQL ------ ------ - create files table ----- CREATE TABLE `files` ( id INT NOT NULL AUTO_INCREMENT, file_name VARCHAR(50) NOT NULL, PRIMARY KEY('id') ); ------ - create files table ----- CREATE TABLE `privileges` ( uesr_id INT NOT NULL, file_id INT NOT NULL, ); ------ - create users table ----- CREATE TABLE `users` ( id INT NOT NULL AUTO_INCREMENT, name VARCHAR(20) NOT NULL, email VARCHAR(50) NOT NULL, password CHAR(40) NOT NULL, PRIMARY KEY('id') ); <?php public function get_user_files($filename) { //this is set during login $user_id = $this->session->userdata('user_id'); //check to see if the user has privileges to access the file and gets the file name $query = $this->db->join('privileges','privileges.id = files.id') ->select('files.file_name') ->where('privileges.user_id',$user_id) ->where('files.file_name',$file_name) ->limit(1) ->get('files'); $file = $query->row()->files.file_name; if($file) { //user has privileges to access the file so include it $handle = fopen($file, "rb"); $data['file'] = fread($handle, filesize($file)); fclose($handle); } $this->load->view('files',$data); } ?>
2) Use the CI session class to add a "user" to the session.
The controller checks if the session is established:
<?php public function __construct() { parent::__construct(); if($this->secure(array('userType' => 'user')) == FALSE) { $this->session->set_flashdata('flashError', 'You must be logged into a valid user account to access this section.'); $this->session->sess_destroy(); redirect('login'); } } function secure($options = array()) { $userType = $this->session->userdata('userType'); if(is_array($options['userType'])) { foreach($options['userType'] as $optionUserType) { if($optionUserType == $userType) return true; } } else { if($userType == $options['userType']) return true; } return false; } ?>
3) Rotate a round robin between several cobwebs. I have never done this, so I have no idea how to do this. I have no idea how to handle multiple database servers. Any ideas / suggestions?
4) Use Oracle Database Standard Database Auditing. I wish I could use MySQL, but I cannot find any audit support. I could use MySQL and use PITA. Has anyone used a point-in-time (PITA) architecture with MySQL? can you share your experience?
5) Thus, I can use hash codes with a one-way salt hash. But do I need to encrypt everything? Also, I do not see how AES_ENCRYPT (str, key_str) generally improves security. I think this may prevent the administrator from looking at the database? Can / should I encrypt everything in the secure_files / folder? Can I just use full disk encryption like BitLocker?
Basically, can I achieve security at the level of banking Internet using php and CI? Can you make any other suggestions, except that "your idiot must pay an expert because you know nothing"?
Thanks for taking the time to read this.
adopted from Redux Auth
As for the one-way hash. My mistake is what I'm talking about encryption. I usually do something similar to:
salt_length = '9'; } public hash ($ password = false) {$ salt_length = $ this-> salt_length; if ($ password === false) {return false; } $ salt = $ this-> salt (); $ password = $ salt. substr (hash ('sha256', $ salt. $ password), 0, - $ salt_length); return $ password; } salt of private functions () {return substr (md5 (uniqid (rand (), true)), 0, $ this-> salt_length); }}? >