 

Store user messages

Is it secure to store user chat messages in database as plain text?

And another question: Where to store page content - in database or in files? Wordpress holds blog entries in database, but it takes 25 requests to database to display a page, so website performance decreases.

treng asked Mar 27 '26 23:03


2 Answers

Summary of comments:

  • Considering the nature of the application (a chatroom on the Internet), I feel that saving the chats as plain text is acceptable assuming that the users do not chat about private/sensitive/confidential information.
  • The above assumption can be made given some faith and optimism in the human race (i.e.: that it is smart enough to realize that a chatroom or a PM session is not the time or place to give out passwords, SINs, credit card numbers, etc.).
  • Concerning the, well... concerns surrounding the situation in which a person betrays the above assumption, I am of the belief that no amount of foolproofing is enough for the most ingenious fool. While encrypting the chat is most definitely more secure than not, the cost of encrypting each and every chat as opposed to the applicability of the added benefit to chats (that is, none whatsoever unless the chat contains sensitive information, which is a rare case at best) provides little incentive to encrypt those chats. A much simpler solution would be to simply disclaim any responsibility for private information leaked from the chats.
  • One last tidbit on handling sensitive information (this one's for Internet users everywhere): don't do it through email, chat, or any unsecured connection. Try as much as possible to avoid putting sensitive information where it will be logged, unless you have absolute confidence the logs won't be breached.
Palladium answered Mar 29 '26 12:03


Separate questions really ought to be posted as separate questions...

And neither question is sufficiently well-defined to give anything but the broadest of answers...

But here we go:

  1. Whether or not something is "secure" depends on your threat model (i.e. your definition of "secure"). But what alternatives are available to you? If you encrypt the messages, where will you store the decryption key?

  2. Where to store data depends on the structure of such data and how you intend for it to be used. If it is "static" and will always be queried in predictable ways, a filesystem may provide sufficient structure for good performance; however, if the data is "dynamic" (i.e. your application will modify it), then a database may offer greater flexibility or better performance. As with most problems in computing, the design decision you take is a trade-off for which the best answer will depend on your own requirements (and indeed, your metric of what is "best").

eggyal answered Mar 29 '26 12:03
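As an added illustration of eggyal's first point (this is not code from either answer): if the messages are encrypted, the key has to live somewhere other than the database. The Go example below assumes the application loads one AES-GCM message key at startup from an environment variable, secrets manager or KMS, and uses a `Row` struct as a stand-in for the chat table; each ciphertext is bound to its conversation and sender, so a copy of the table alone yields neither the text nor a way to move or re-attribute a message unnoticed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// Row stands in for the chat table: metadata in the clear, Body = base64(nonce || AES-GCM ciphertext).
type Row struct{ ConversationID, Sender, Body string }
// Vault holds the message key, loaded by the app from an env var, secrets manager or KMS, never from the DB.
type Vault struct{ gcm cipher.AEAD }

func NewVault(key []byte) (Vault, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return Vault{}, err
	}
	gcm, err := cipher.NewGCM(block)
	return Vault{gcm}, err
}

// aad binds the ciphertext to its row, so someone with only database access cannot
// move a message into another conversation or re-attribute it without detection.
func aad(r Row) []byte { return []byte(r.ConversationID + "\x00" + r.Sender) }

// Seal encrypts one message with a fresh random nonce and returns the row to insert.
func (v Vault) Seal(convID, sender, plaintext string) (Row, error) {
	r := Row{ConversationID: convID, Sender: sender}
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Row{}, err
	}
	r.Body = base64.StdEncoding.EncodeToString(v.gcm.Seal(nonce, nonce, []byte(plaintext), aad(r)))
	return r, nil
}

// Open decrypts a fetched row; it fails under the wrong key or if body or metadata were altered.
func (v Vault) Open(r Row) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(r.Body)
	if err != nil || len(raw) < v.gcm.NonceSize() {
		return "", errors.New("malformed body")
	}
	pt, err := v.gcm.Open(nil, raw[:v.gcm.NonceSize()], raw[v.gcm.NonceSize():], aad(r))
	return string(pt), err
}
```

Note that this only addresses an attacker who gets the database and not the application host; with the key in process memory, a compromise of the application itself still exposes every message it decrypts.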