If the table/privileges are structured so that the user can only see/update data associated with their password (along with all of the other commonsense precautions), is there any reason to encrypt the table data?
How vulnerable is the data of the other registered users?
Thanks to all of you for your comments!
However, the only 'bad guys' would not be limited to a legitimate user. Anyone can attempt to execute SQL injection attacks to cause havoc with your database whether they are a registered user or not. Of course they have to know what they're doing... Though if you take all the necessary precautions, including sanitizing input, using prepared statements, then you should be fine.
One of the reasons to encrypt the database is to protect against someone gaining physical access to your machine. If that happens, would you be storing the decryption key on that same server? If so, the attackers could find that just by poring through your PHP, Perl, etc. and then use that to decrypt the db.
Of course, you really have to consider the value of the data you are encrypting. If you are running a banking site, you would definitely want to go to the trouble of encrypting all your data. If you're running a hobby or community site where people's contributions tend to not include personal or financial data, encryption is really overboard and could have a significant performance hit.
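The per-user row restriction and the prepared-statement point discussed in this thread, as an added example that is not part of any post above. It uses Python's built-in sqlite3 with an in-memory table; the table, column names, tokens and the crafted input are all constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: two registered users, one private row each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE records (owner TEXT, token TEXT, note TEXT);
        INSERT INTO records VALUES ('alice', 'tok-a', 'alice private note');
        INSERT INTO records VALUES ('bob',   'tok-b', 'bob private note');
    """)
    return conn

def rows_concat(conn, owner, token):
    # Vulnerable form: the input is spliced into the SQL text, so a quote
    # character in the input can change the structure of the WHERE clause
    # and defeat the "only your own rows" restriction.
    sql = ("SELECT owner, note FROM records WHERE owner = '" + owner +
           "' AND token = '" + token + "'")
    return conn.execute(sql).fetchall()

def rows_bound(conn, owner, token):
    # Prepared-statement form: the SQL text is fixed and the values are
    # bound as data, so the restriction holds for any input string.
    sql = "SELECT owner, note FROM records WHERE owner = ? AND token = ?"
    return conn.execute(sql, (owner, token)).fetchall()

def compare(conn, owner, token):
    """Return (owners seen via concatenation, owners seen via binding)."""
    return (sorted({r[0] for r in rows_concat(conn, owner, token)}),
            sorted({r[0] for r in rows_bound(conn, owner, token)}))

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("legitimate:", compare(db, "alice", "tok-a"))
    print("crafted:   ", compare(db, "alice", crafted))
```

With the crafted input, the concatenated query returns every user's row while the bound query returns none, which is why the row-level restriction only protects other users' data when every query binds its inputs.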