Showing results for 
Search instead for 
Did you mean: 

Securing the Transaction Key when using SIM

How should the transaction key be stored when implementing SIM in PHP on a LAMP server?

The code samples/SDK for the PHP solution has a placeholder for the transaction key right on the sim.php page, which I don't think is the most secure way to store the transaction key.

Should I keep the transaction key in my mysql database and if so, what's the right way to have it encrypted while stored in the database and then in plain text in a variable when used in the PHP code? I'm asking for the 'right way' because if this 'the'/'a' good way to store the transaction key, then there should be a recommended way to do it as I know I'm not smart enough to invent my own encryption scheme.

Perhaps I should store it in an encrypted file. If so, I again ask, what's the right way to manage the file so I can rely on trusted cryptographic methods?

Are there other options I'm not thinking of, or am I missing the point all together? I don't see anybody else asking this question so maybe I am missing something.

Thanks in advance!


Just store it outside of your web root. That's all you need to do.

John Conde :: Certified Authorize.Net Developer (Brainyminds) :: Official Authorize.Net Blogger

NEW! Handling Authorize.Net's Webhooks with PHP

Integrate Every Authorize.Net JSON API with One PHP Class (Sample code included)

Tutorials for integrating Authorize.Net with PHP: AIM, ARB, CIM, Silent Post
All About Authorize.Net's Silent Post