M
M
motomac2011-09-03 10:59:45
Encryption
motomac, 2011-09-03 10:59:45

Storing phone numbers?

Friends, I would like to consult with you on the issue of storing user phone numbers in the database. To the question: from the legal side, are the phones (without full name, just a regular account on the site) personal data or not, I could not get a clear answer.
Accordingly, it is not clear how best to store these numbers in the database - in plain text or encrypted. If encrypted, what algorithm? The usual md5(), I think, brutes just fine. How to do it right?

Answer the question

In order to leave comments, you need to log in

4 answer(s)
R
Roman Yudichev, 2011-09-22
@Noospheratu

You can use the following scheme:
1) store in open form until confirmation via SMS.
2) After confirmation, the task of combating fake accounts is completed and the open phone number is no longer needed. Now you calculate the hash with the currently stable function and store only it.
3) And if you need to recover the password from your account by sending it by SMS, then for this you suggest entering the phone number, calculate its hash, compare it with the stored one and, if it matches, send information to recover the password in SMS to the entered number.
4) Upon completion of password recovery, the entered open number is no longer needed and can be deleted (we continue to store the hash).

K
korvindest, 2011-09-03
@korvindest

If you are really going to store phone numbers, without any reference to personal data that deanonymizes the user, then I think you can do it safely, because with the same success I can call the numbers and find out which of them are alive. Otherwise, if you have any additional information about the owner, you are already most likely violating the law on personal data.
But frankly, I do not understand why you need phone numbers without any other information. Even without how to contact the owner of the phone.

P
pratamishus, 2011-09-03
@pratamishus

Well, why phones are needed is already a question of the goals of the project. In webmoney, for example, you can also enter through a phone number.
The usual encoding in md5 or sha1 will definitely not suit you, because. it's just numbers that can be easily deciphered. I usually resort to simple cryptography like
md5(substr($user_phone, 0, 4).$user_phone.substr($user_phone, 4).'myword');
Thus, in order to hack this phone, the hacker needs to get not only to your base, but also to your files on the server, which is much harder.
Of course, this system will not work if it is a Pentagon database, but this scheme is safe enough for average projects :)

A
Alexander, 2011-09-03
@Alexx_ps

Full name + phone number are not personal data, because do not allow a person to be uniquely identified. But the full name + address already allow.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question