password / trade secret algorithms : Are they safe in php files?

Question

My website is built using php files. I use trade secret algorithms in these files and my root password for my database is stored within these php files also. My database is used to store private medical data of many customers.

Is this considered a secure set up; can anyone download the php source from my webserver, and therefore have access to my root mysql password?

I run apache 2.0 and php 5, on ubuntu 8.04 and mysql 5.

thank you.

Answer 1

If you are storing medical data in the United States you are subject to specific, stringent security requirements. Other countries may have similar provisions.

Without being an expert, I seriously doubt that you would pass a security audit with the setup you describe. To begin with, having a root password anywhere in plain text is bad practice. Storing any sensitive data (e.g. medical records) in unencrypted form invites any hacker that can penetrate your website to help themselves to the data. I suspect that HIPAA has specific requirements for securing all medical information and patient identifying information.

This is a serious matter that can expose your company to serious liability.