Member
Posts: 2
Registered: 02-15-2012

Securing the Transaction Key when using SIM

How should the transaction key be stored when implementing SIM in PHP on a LAMP server?

The code samples/SDK for the PHP solution has a placeholder for the transaction key right on the sim.php page, which I don't think is the most secure way to store the transaction key.

Should I keep the transaction key in my MySQL database and if so, what's the right way to have it encrypted while stored in the database and then in plain text in a variable when used in the PHP code? I'm asking for the 'right way' because if this is 'the'/'a' good way to store the transaction key, then there should be a recommended way to do it as I know I'm not smart enough to invent my own encryption scheme.

Perhaps I should store it in an encrypted file. If so, I again ask, what's the right way to manage the file so I can rely on trusted cryptographic methods?

Are there other options I'm not thinking of, or am I missing the point altogether? I don't see anybody else asking this question so maybe I am missing something.

Thanks in advance!

Posts: 1,476
Topics: 33
Kudos: 34
Solutions: 126
Registered: 09-14-2009

Re: Securing the Transaction Key when using SIM

Just store it outside of your web root. That's all you need to do.


-------------------------------------------------------------------------------------------------------------------------------------------
John Conde :: Certified Authorize.Net Developer (Brainyminds) :: Official Authorize.Net Blogger
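
An added example, not part of either post and not Authorize.Net's SDK code: one way sim.php could read the transaction key from a file kept outside the web root, refusing to run if the file is under the document root or readable by every local user. The path `/etc/authnet/credentials.php`, the function name and the array keys are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed location, outside the web root. The file returns an array, e.g.:
//   return ['api_login_id' => 'PLACEHOLDER', 'transaction_key' => 'PLACEHOLDER'];
// Suggested ownership: root:www-data, mode 0640 (readable by the web server only).
const CREDENTIALS_FILE = '/etc/authnet/credentials.php';

function load_authnet_credentials(string $file, string $docRoot): array
{
    $real = realpath($file);            // resolves symlinks and ../ segments
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('Credentials file not found');
    }

    // Refuse a file that resolves to anywhere under the document root,
    // where a misconfigured server could serve it as plain text.
    $root = realpath($docRoot);
    if ($root !== false) {
        $prefix = rtrim($root, '/') . '/';
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException('Credentials file is inside the web root');
        }
    }

    // Refuse a file that any local account can read, write or execute.
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException('Credentials file is accessible to all users');
    }

    $cfg = require $real;
    foreach (['api_login_id', 'transaction_key'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key]) || !is_string($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("Missing credential: $key");
        }
    }
    return $cfg;
}

// In sim.php, in place of the hard-coded placeholder:
$creds = load_authnet_credentials(CREDENTIALS_FILE, $_SERVER['DOCUMENT_ROOT'] ?? '');
$transactionKey = $creds['transaction_key'];
```

Keeping the file out of version control and out of backups that other accounts can read matters as much as its location on disk.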