icky_thump — 2012-05-15T11:39:37-04:00 — #1
My HR dept. is asking if they can have a job application form be built that would feed into a database.
My concern with this is with regards to security. I know you have to script properly to avoid injections and whatever techniques hackers might use.
From a bigger picture though, do we have to have certain certification in place for handling sensitive info?
Social Security Numbers is the first thing that comes to mind.
Handling sensitive info is new to me, so I'm muddling through it all right now, reading about HITECH certification and whether that applies, or whatever else we have to do to get and maintain compliance.
Any feedback is appreciated.
dklynn — 2012-05-15T19:30:49-04:00 — #2
SQL injection attacks are relatively easy to thwart if you understand that you MUST run data through your equivalent of mysqli_real_escape_string and then test the string for expected content (validation of input before touching the database).
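The validate-before-touching-the-database step dklynn describes, as an added example that is not from this thread: a Python script using the standard sqlite3 module as a stand-in for mysqli/MySQL, with constructed form submissions, that checks each field against the shape the form is meant to collect and then inserts with a parameterized query, where the driver's placeholders take the place of mysqli_real_escape_string because data and SQL text never get mixed. The table layout, the field rules and keeping only the SSN's last four digits are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample submissions from the hypothetical job application form
# (not real people or real SSNs).
GOOD_FORM = {"name": "Jane O'Brien", "email": "jane@example.com", "ssn": "123-45-6789"}
BAD_FORM = {"name": "x'; DROP TABLE applicants; --", "email": "not-an-email", "ssn": "1234"}

# "Expected content" rules: each field must match the shape the form is meant to collect.
RULES = {
    "name": re.compile(r"^[A-Za-z][A-Za-z .'-]{0,79}$"),
    "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}\.[A-Za-z]{2,}$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}

def validate(form):
    """Return the names of fields that fail validation (empty list means the form is acceptable)."""
    return [field for field, rule in RULES.items() if not rule.fullmatch(form.get(field, ""))]

def open_db():
    """In-memory SQLite stand-in for the HR database (assumed schema); only the SSN's last four digits are kept."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn_last4 TEXT)"
    )
    return conn

def store_application(conn, form):
    """Validate first, then insert with a parameterized query; returns the list of rejected fields."""
    errors = validate(form)
    if errors:
        return errors  # nothing touches the database until the input looks like a real application
    # The driver sends the SQL text and the values separately, so the apostrophe in
    # "O'Brien" or a stray semicolon in a field can never be parsed as part of the statement.
    conn.execute(
        "INSERT INTO applicants (name, email, ssn_last4) VALUES (?, ?, ?)",
        (form["name"], form["email"], form["ssn"][-4:]),
    )
    conn.commit()
    return []

def applicant_count(conn):
    """Number of stored applications, used to confirm a rejected form stored nothing."""
    return conn.execute("SELECT COUNT(*) FROM applicants").fetchone()[0]
```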
icky_thump — 2012-05-16T13:58:51-04:00 — #3
Hey thanks DK! Appreciate your feedback!
The guy who hosts all my sites went on and on about HITECH. He said that he spent about 6 hours researching it a while back and decided against it, as it was such a major ordeal to get and stay certified.
I have no knowledge in this area, so I thought I'd find some knowledge on here.
Basically, he tells his customers that he won't handle SSN, credit cards and health records passing through or being stored on his servers as he could end up getting in big trouble because of HITECH certification.
dklynn — 2012-05-19T21:19:43-04:00 — #4
Sounds like a lot of BS to me. IMHO, find a good host and use your own Secure Server certificate. THEN be sure that you handle sensitive information with some pretty good encryption, i.e., seeds which can identify you as the owner of the data so that only you can read it.
doug_g — 2012-05-20T14:37:27-04:00 — #5
If you are dealing with sensitive user personal information on a website, be very, very careful. If your site has any kind of breach that exposes any personal data, the penalties will be severe. And if it turns out you didn't do some security stuff that you should have done, the penalty could be more than just $. Listening to the guy that hosts your websites is my recommendation.