[thelist] sensitive info and security

Liam Delahunty ldelahunty at britstream.com
Sun Feb 2 06:19:01 CST 2003


David Treves wrote:
I am working on a web site where I should retrieve credit card numbers from
clients of the site and pass them to the site administrator for manually
charging the client.

The site is written in PHP and the payment process is done in a secured page
(128-bit SSL). I don't want to store this sensitive info in the server's
database, and I think that mailing it to the admin is also unacceptable.
/end section/

Get a PGP public key from the client and use http://www.gnupg.org/ to
encrypt the data and store it. I've just whacked some code together based on
a process I use on onlinesales.

// Tell gpg where to find the key ring
putenv("GNUPGHOME=/tmp/.gnupg");

// create a unique file name
$infile = tempnam("", "pgp");
$outfile = $infile.".asc";

//write the data to the file
$fp = fopen($infile, "w");
fwrite($fp, $content);
fclose($fp);

// gnupg command.
$encryption_command =  "/usr/local/bin/gpg -a --recipient 'Name Name
<mail at domain.tld>' --encrypt -o $outfile $infile";
system($encryption_command, $result);
//delete the unencrypted temp file
unlink($infile);

if($result==0) {
	$fp = @fopen($outfile, "r");
	if(!$fp||filesize ($outfile)==0) {
    	$result = -1;
	} else {
		//read the encrypted file
		$content = fread ($fp, filesize ($outfile));
	}
}
//delete the encrypted temp file
unlink($outfile);
}

// send the email & store in DB whatever...


This process will send an email to the customer and store the details in the
database, both (fairly) securely.

David Treves also wrote:
My client does not have enough transactions to justify payment to a service
which will auto-charge the client.
/end/

Make sure that their merchant services provider allows that to handle orders
taken over the internet. If they are allowed to do mail order (customer not
present) transactions that doesn't mean they can do Internet transactions.
However, I'm sure most of my clients, despite my advice, are doing exactly
that as the banks try and charge for a new agreement, and rent a new PDQ
machine...

Kind regards, Liam Delahunty
Mega Products Limited, 10-11 Moor Street, Soho, London W1D 5NF
http://www.onlinesales.co.uk/ Open Source PHP/MySQL E-commerce
http://www.liamdelahunty.com/ web/ design/ database/ programming
http://www.britstream.com/ Hosting/ Domain Names From UKP 7.50 p.a.




More information about the thelist mailing list