From: "Derek Fountain" <dflists@iinet.net.au>
> [snip discussion about encrypting data]
> Indeed, but I'm still interested in the general answer. The server I have
been
> looking at was hopelessly insecure and SQL injection is only one of its
> problems. There were several other ways in! Assume, for example, an
attacker
> can write his own script directly into the website document tree. In this
> case prepared queries don't help protect what's in the database. The
attacker
> can use them himself if he likes!
For encrypted data to be usable by the website, the keys must be available
by, either in the database or in the scripts themselves. If the attacker
can write his own scripts into the document tree, these keys will be
available to him as well.
gnari
