(Note: cross-posted on PHPbuilder).
My question sounds simple but I haven't been able to find a good, complete answer in various articles on security or on this forum. I need to store Social Security numbers (and other sensitive data) in mySQL using PHP. I plan to encrypt them using some form of symmetric encryption, such as AES.

The question is: how/where do I store the encryption key? If someone can get ahold of my database or otherwise compromise security, it seems like they would easily be able to get the key just by accessing it in the same way my PHP files access it.

Am I missing something? Is there some location on the server combined with some PHP techniques whereby the key can be kept out of the hands of someone who is sophisticated enough and determined enough to grab the database records themselves? It seems completely pointless to encrypt data if the encryption key can be found.

Using Linux.