SaranacLake

So your only problem with the URLs in my OP is that I was mixing concepts into the 3 slots I had, right?

@requinix, So having a super pretty URL is something that the average user won't care much about, huh? If so, then maybe having everything look like this is a waste of effort? Product Catalog www.mystore.com/shop/movies/list/ www.mystore.com/shop/movies/gallery/ Product Details www.mystore.com/shop/movie-details/the-irishman/ Also, to your point above, is it the end of the world if I have a pretty URL with a query string on the end like.... www.mystore.com/shop/movies/?view=list www.mystore.com/shop/movies/?view=gallery

@requinix, Believe it or not, I don't use a smart phone. So, dumb question, but on a smart phone, do you even see the URL? And on a regular computer, does anyone even care about URL's anymore? (I've heard one person say that they don't matter anymore...)

Well, there will never be a product category called "list" or "gallery", so I am safe there. I am mixing things, because I don't have a way to take care of the presentation. Ideally I would use Javascript to handle the change in presentation, but I don't know Javascript, and that will have to be for a later version. The reason I am mixing "organization" and "presentation" is that i wanted to have a nice looking URL, otherwise there is no need to use regex at all. Hmm... Looks like in this particular case, I am sorta stuck unless I did something like this... Product Catalog www.mystore.com/shop/movies/list/ www.mystore.com/shop/movies/gallery/ Product Details www.mystore.com/shop/movie-details/the-irishman/ I just wanted to keep the /shop/movies/<movie-title> format... 😕

I'm just writing things out on paper to come up with a gameplan for my design, plus I don't have a way to test it right now. Oh, right, I forgot. Haven't actively coded PHP or regexs in like 3-4 years. Okay, so I have been thinking about things while waiting for a response. Here is what I want to do. I am working on my e-commerce catalog and product details page. For the catalog I need a way to tell my PHP what kind of look to present, i.e. either a list of items OR a gallery of thumbnails of the items. And so I was going to have a URL like this... www.mystore.com/shop/movies/list/ www.mystore.com/shop/movies/gallery/ And for my product details page, I want a similar structure like this... www.mystore.com/shop/movies/the-irishman/ So I need some help from my Regex to help me sort out these similar looking URLs, and this is what I have for a solution so far... RewriteRule shop/(.+)/(list|gallery)$ shop/product-catgory.php?category=$1&view=$2 [L] RewriteRule shop/(.+)/(.+)$ shop/product-details.php?category=$1&item=$2 [L] So to my comment above, I am somewhat using my Regex to route which page things go to, because they have the same looking URL in either case, but but my Regex helps play traffic director. Thoughts?

A few questions about mod_rewrites... 1.) If I want to determine if the URL ends with either "list" or "gallery", and then take appropriate action, does the code below look correct? RewriteRule shop/(.+)/([list|gallery])$ shop/catalog.php?category=$1&view=2 [L] 2.) Is it bad to use mod_rewrites to determine how your website branches? For example... RewriteRule shop/music/(.*)$ go somewhere [L] RewriteRule shop/movies/(.*)$ go somewhere else [L] RewriteRule shop/books/(.*)$ go yet somewhere else [L]

I agree. It's possible. I'm gonna try and call Citibank about this, and see if I can understand the mechanics better... I agree, but remember, at this point my checkout process is the same as any other e-commerce site. I ask for the same information everyone else does, and my checkout process is more streamlined. IF I had a business rule where it was a limit of 3 accounts per a given cardholder and/or credit card, then that might be slightly more inconvenient for someone during checkout, but I don't expect a lot of families of 12 becoming customers! 😄 Yet, I could be building a titanium-plated Titantic!!!!!!!!!!!!!!!!!!! So what is that accomplishing? It helps me prove that I have their real phone #? I'm not sure typing the code into my website does much as far as their location, because they could be using a VPN or at the library. But a validated phone # would be golden. Not I don't recall, but I think "Billing Tele #" can be used to validate someone with Authorize.net. (A working phone is pretty much required to open a bank account or credit card in the U.S., and banks/credit card providers are vigilant about making sure they have working #'s for compliance reasons.) There is a service - I forget it's name - that allows you to send text messages and phone calls from your website. It's mainly used for two-factor log ins, but I could use that service for what you are suggesting. of course, that is a whole new complicated thing to learn - assuming I could even figure out how to do it. And that would have to definitely be a v2.0 or v3.0 feature. Yeah, I certainly have bitten off more than I can chew trying to build my own website, my own ecommerce site, and start my own online business!!

It looks like these "virtual" credit cards that Requinix mentioned are really "pre-paid" cards. From privacyworld.com... "Your card is not a US based credit card, it falls OUTSIDE US jurisdiction! Regardless of that, you can still purchase products on-line in USD though your purchases will automatically be converted into Euro's for accounting purposes." Sounds like a great choice for the underground criminal types... Okay, so I am learning something new here, and definitely a topic that I need to learn more about! In the mean time, if I had to guess, I am sure there are ways to block out such cards and cardholders by how I set up my merchant account. Furthermore, as I mentioned above, nothing is stopping me from suspending an order or account, until I speak with the customer and get some reassurance who I am dealing with. Based on my website, I don't know that it would attract corporate clients, BUT if it did, I could simply have a note to call me for such cases. (That is a pretty common way to handle such a scenario.) Good point, though. Okay, I agree that my best bet might be to handle things after the fact, manually, on the back end. For example, I start having problems with user#1, user#401, and user #4001. I can go into my merchant account and see the data for each transaction/cardholder, and if I determine they are all using the same credit card #, or have other similarities, then I can do more investigation and take action. But as an IT guy, I would much rather automate things up front, so I can spend my time on more important things, like creating new content to help make me more $$$! So let's step back for a moment at look at this from a 20,000 foot view.... 1.) Don't you think a significant portion of people in online forums/comments to articles/etc have a pre-disposition to being troublemakers? 2.) In reality, how often is a given person going to buy multiple accounts for other people? 2-3 other people - sure. But more than that? 3.) In my TOS, I will spell out that if you break X, Y, or Z conditions, OR you are generally disruptive to the online community, that management has the right to temporarily suspend or permanently suspend your account, and that NO REFUNDS will be issued. All decisions will be final. By signing the TOS, you agree to these terms. So I think that covers me in the case of merchant disputes with credit card companies. From my experience with my own credit cards, if something is in writing, and you agreed to it, you are bound to it. But nothing in writing, then you are SOL... Thoughts? 4.) If you were an identity-thief, or part of some crime syndicate, would you waste your time spending other people's money so you could buy subscriptions and post crap comments under the website's articles - similar to what the NY Times and Washington Post offer? I do know that "Russian trolls" are a huge problem, and it seems to me that they would have all of the incentive in the world to use stolen cards and use them to push their misinformation/disinformation campaigns against the U.S. This last reason is probably why I am trying to be aggressive about how I handle things. But I certainly don't claim to have all of the answers!!

When you buy gas, that is what is called a "Card present" transaction, and it requires less verification, because the assumption is that if you have the card, it is yours. When you buy gas do you have to enter in your card's CVV code? No, because it is a "Card present" transaction. When you buy a PHP book on Amazon.com, do you have to enter in your card's CVV? Yes, because it is a "Card Not Present" transaction. And in Card NOT present situations, you as the merchant, have the ability to define how restrictive you want to be. (Authorize.net DOES allow you to check the Billing Address when a transaction is submitted.) Yes, all valid examples to make your point. I believe the way that Authorize.net does it is that it primarily focuses on the number portions, so "232", but I cannot say with absolute certainty. Also, I haven't looked at their user manual in over 2 years, so this is a bit fuzzy. Either way, remember that it is "I" that would be capturing certain parts of the checkout data and using them moving forward. So the way Authorize.net does things, and the way I might do things is going to be different. In fairness, your example above definitely demonstrate your point, but for what I am trying to accomplish, consider this... a.) In every example above, it is the same "Robert Smith" b.) all in "Grand Rapids" c.) same state of "MI" d.) same 5-digit "Zip Code" e.) And I suspect a lot of other information would be the same too (e.g. billing phone #) Why? Because banks/credit card companies do an enormous amount of vetting before they give you a bank account/credit card. So while Requinix can have a million "virtual" credit card numbers, the reality is that he is VERY limited in how much he can change his personal information. Consider "Know Your Customer (KYC), Customer Due Diligence (CDD), Anti-Money laundering (AML) and many other fedral laws/regulations/guidelines. Unless you are a member of organized crime, you cannot easily have numerous names/addresses/phones, so certain common pieces of data will tie back to a given person. Criminals get very creative, but I'm just trying to keep "honest people honest". Okay, duly noted. Well, if they did come back, it would most likely be the same "Robert Smith" in "Grand Rapids, MI" unless this person is going to move and get a new credit card with a new address. Now if some hostile person then used his/her relative's or friend's credit card, it would be harder. And, yes, maybe I am "using an elephant gun to kill a mouse"! *LOL* Well, as an over-simplified example... If they had suspicion I was storing "Cardholding Name" and "Last-4 of CC' in my hashes, they could create an enormous table and U.S. names - including "Robert Smith" - and when they got a hit, then they would know that "Robert Smith" + "9876" matched a hash, and thus they would know that that unknown hash matched known data. Of course that would take ENORMOUS effort to do. Agreed. Agreed. But my OP was trying more to CYA as far as protecting the data that I would hash - whatever it may be. Also, i was asking in terms of PCI compliance.

To become a member of my website (i.e. buy a paid subscrption), all I am asking for is a... 1.) A valid email 2.) Valid credit card payment That describes every e-commerce site on the Internet?! What is so obtrusive about that? Just to be clear... If you don't buy a paid subscription, then you cannot have an account. (My site is not like PHPFreaks.) All you can do if you are a "Visitor" is read the free articles and some other free content (e.g. podcasts) on my site. So I am NOT asking anyone to cough up credit card details or other info just to use my site. But if you want an account, and access to premium content (e.g. premium articles, interviews, podcasts, analysis, ability to PM other members, post comments, take surveys, etc) then you need to buy a subscription. Couldn't a sophisticated hacker use a "Rainbow Table" to reverse engineer my hashed value of say "Cardholder Name" and "Last-4 of CC"?? You need a "Billing Address" and that is an address... I haven't looked at what configurations Authorize.net has - and of course that has probably changed since I last looked - but maybe two years ago I recall that they had an option where you could require a "Billing Address" for your merchant account. Also, think about how many e-commerce sites ask for a "Billing Address". (I cannot think of a time where all they asked for was my "Zip Code".) Now I could be wrong, but for "Card Not Present" transactions (e.g. online), I thought a full "Billing Address" was required? Either way, I buy thousands and thousands of dollars of things only each year, and I cannot remember ever NOT having to cough up the following... - Cardholder Name - Full Billing Address - Card Number - Exp Date - CVV - Billing Phone Number As I recall, "Billing Phone Number" was another thing i could configure in my merchant account as a required field, and I have never bought anything online that didn't require that. So what i am asking for - only for people buying a paid subscription - is the same information 99% of online merchants already ask for. So where is the issue?? Please name some major merchants that you have purchased from ONLINE in the last 2 years that did NOT require a "Billing Address" and a "Billing Phone #"... This I gotta hear.... Correct, but I do not believe it breaks PCI compliance if you store "Cardholder Name", "Billing Address" and "Billing Telephone #" does it? And that is what I was calling earlier, a "Payment Token". I believe that all that is is a hashed value that the merchant is allowed to store in plain-site, and which (supposedly) cannot be reverse-engineered, BUT when you provide it back to your payment gateway, the processor WILL be able to use that again to successfully charge the customer again. (Would probably break with a "virtual" card number, though.) Ironically, I am not offering recurring billing - which most sales/marketing people would shoot me for. One, I am not offering this, because I don't have the time to learn how to do it - and maybe I'm not smart enough to figure it out?! Second, I am confident in my my offering, and when someone's annual subscription is about to expire, I will send a reminder email, and IF I have done my job, then they will MANUALLY buy another subscription. if not, then I lose a customer. No high-pressure sales, no "locked in" contracts. Easy-peasy. (Just don't screw around and break my TOS, or you donate your subscription $$$ to my piggy bank!!) As stated above, I am thinking "Cardholder Name" (already vetted) and "Billing Address" or part of it (already vetted) and "Billing Tele #" is a powerful combination for most cases. Another thing I am considering doing, although this could easily become a full-time job, is to do a quick "order verification" by phone. Again, this is VERY common in my own experience buying things online. So whether you are the Russian syndicate or a lone identity-thief, unless you do great voice impersonations, how are you gonna fool me even if you have 10 active credit cards at your disposal? Definitely a good conversation, and thanks for the advice from everyone - albeit a little "harsh' at times!!

Right. I do. Actually I recall that storing the Last-4 is okay now that you mention it. Guess I need to read the latest laws and regulations. Not accounting for stolen identities and credit cards - which is a whole other category - I would think that "Cardholder Name" (usually a Legal Name since it is vetted much better through a bank), "Billing Address" (again, already vetted for me through a bank) and a "Credit card Number" is a pretty effective way to identify MOST people. Even if Requinix used his "virtual" card numbers, the "Cardholder Name" and "Billing Address" would be the same. (And for people like me that have more than one "Billing Address", you still have a finite universe, plus likely the same Zipcode and so on. I've spent a lot of time working for banks as my client, including the last 3 years at a major bank in the credit card division, so don't tell me that institutions aren't checking up on customers. Now, obviously I'm not a bank, but just like your gym or daycare center or doctor's office or church or cable company or storage facility or golf course, I have a right as a merchant to have enough information about you to make sure I get paid AND to protect my company, my employees, my assets, and other customers. I am not asking for DNA samples, but I am hoping that having a "Cardholder Name", "Billing Address" and "Billing Phone Number" is enough to keep track of MOST people, and to act as enough of a deterrent that jerks and trolls stay away. And all I was asking about in my OP, was whether it was secure to store any of the info above - minus obviously card details - using a secure hash or whatever else PHp might offer. I would hope that would be enough. Well, according to my TOS, I can take your money if you get kicked off of my site because you broke the TOS. Again, though, all I was asking in my OP is how to store some of the info I mentioned, or determine if it would be too complicated - as it would be if you wanted to store credit card details. Okay. So how would you stop people like that? But they will have the same "Cardholder Name", "Billing Address", "Billing Telephone Number" and "Billing Zip Code", right? Earlier I stated that I was going to allow 2 accounts per cardholder. (I might be willing to allow 3.) That would allow someone to buy a subscription for a spouse, bf/gf, child, or friend. I just don't want one cardholder having 20-30 accounts linked to their credit card, because then I suspect there is something fishy going on. They can buy a gift certificate... I have that. if things become successful enough, maybe I can do that. I already have built in ways for other paid members to flag PM's, flag Profiles, and flag Posts. And in version 2, I hope to have time to build out an idea I had 5 years ago which is a "Reputation Score" which I can further use to reward/punish people. Still feel that way after my responses above?

Thanks for the link!! (I'm not sure if I knew about this, or if I did know, I forgot, because there is nothing for me to lose here. Yes, I think there are other pieces of info I could use to verify that a person is registering and maintain my 2 accounts/card limit. Then again, the laws are changing (e.g. California Privacy Act, and GDPR), and like most laws, things are left to interpretation by the courts. I am also considering calling people after the buy a subscription and having a quick conversation asking them some details, maybe set up some "challenge questions/answers", and basically letting them know that they should consider their membership/subscription to be like they joined some group in real life (i.e. absolutely no bullshit). Of course, I won't count on Requinix joining anytime soon... 😄 And to @gizmola's point, there is something to be said for focusing first on getting a following, and next some sales, and then maybe stepping up background checks as needed.

Yes, that is true. Well, I have spent my career working for "multibazillion dollar companies", and first of all I can tell you that "looks can be deceiving"... Most of my clients have been run by idiots, regardless of whether or not they made truckloads of money. Yeah, sometimes a nation-state penetrates a large American corporation, but usually it is freshman errors that brings companies down. And a valid point, but my counter would, "If you are afraid that something might blow up with your code, then you best not be a programmer. There are a million places where things could go wrong, and if you never wanted any risk then you'd never be able to do anything in application development. PHPFreaks could have a data breach and get sued also, but that doesn't stop the owner from running this forum. Also, in my case, like most proper checkouts, the data is going directly from a secured webform to my payment gateway, so that's a lot easier to do than, say, storing credit card details in your database. My hash idea is certainly more risky, but it never hurts to investigate things. Thanks.

So you make it sound like using a hash is not nearly as infallible as was said above, right? I'm guessing that using the "security token" that most payment gateways offer is probably the safer way...

Tell @requinix that - he now thinks I'm part of the "Deep State" - or is that the "Red State"?! *LOL* I understand, but you realize that free forums usually end up closing because it becomes a full-time job to clean up troll posts and it becomes unmanageable. The reason this happens is because there are no incentives online to behave. No consequences anymore. But $$$ is king!! If people realize they will lose $60 and be blocked for good, they will likely have second thoughts about subscribing if their only goal is to incite riots, or they will think twice before they post. Maybe I was naive in thinking I could rely on Cardholder Name, Billing Address, and Payment Details as a way to uniquely identify people. It may not be foolproof, but I still suspect it would eliminate most of the issues. (I'm sure Requinix completely disagrees with me!) Right, because of free emails and VPNs. You think American (or Russian) trolls give up that easy? Aha, but that is in my TOS. Willing to pay $60 for a one time spam message that gets you blocked and the message gets deleted? I'll take the donation! 😉 It's good that your small army is winning. I just see what happens on sites like Facebook, Twitter and Reddit and I figure that I need more than that - not that I am that successful (yet)! Okay, that may be the wisest thing spoken yet in this thread, and I will concur with you on that. At the same time, now is indeed a good time to make architectural decisions before the cement hardens!! That being said, could I use a hash securely if it is based off of thinks like Cardholder Name, Billing Address (or part of it), and possibly Last-4 of credit card? or is that a train-wreck waiting to happen? Also, does anyone here have experience with 'payment tokens" which I believe do the same thing, but which are considered PCI complient?

But I don;t want to decrypt anything. For instance, let's say that "Linda Zeiger" from "123 Main Street" subscribes with a "Visa" ending in "1234" and I create a hash. Then if Linda got kicked off of my site for breaking the TOS - and after being given a couple of warnings to get in line - then if she came back and tried to create a new account using a new email address, but the same "Linda Zeiger" from "123 Main Street" subscribes with a "Visa" ending in "1234", then i could compare that hash to the stored hash, and determine if I let the registration go through. Same way logging in works. Now obviously there are lots of ways to get around that, but to your concern, using a hash would work. And to my question in my OP, is doing that secure? I'm guessing it is not allowable by PCI standards, but you never know... SHA1 is super hackable, is it not? Last I heard, SHA-256 (?) was a better choice, but maybe that is easy to reverse-engineer, and get this from t... "Linda Zeiger" from "123 Main Street" subscribes with a "Visa" ending in "1234"

Lots of undertones there... And again. Did you get excluded from some club earlier in life and you're bitter? *LOL* The only thing you can do on my website for free is read free content. Period. With a paid subscription, you get a lot more. Don't want a lot more? Then don't buy a subscription. Nothing "elite" here. But IF you buy a subscription, and I give you the ability to talk with others and post comments, then you have to follow the TOS. If you don't, then you're gone. And I'm just trying to make it difficult for the same people to come back again and again and slip through, because you know they are only coming back to get revenge. That's the problem online.... People feel everything should be free and they should be able to behave however they want. I disagree. I challenge you to buy a subscription to the NY Times, WP, or Wall Street Journal and become abusive on their websites and see what happens... You are twisting what I am doing. The only info I ask for is e-mail address, password, and payment details - which includes name and billing address. But how effect - alone - is that? You're fighting with some shadow here. I asked for clarification on a technical matter, and now you are all mad at me because you don't like the approach i am taking - which is the same approach pretty much every other online paid subscription takes.

People have to provide a Cardholder Name, Billing Address, and Payment Details just like every e-commerce site since the beginning of time. If you don;t want to provide that, then you cannot buy a subscription. Where did i say i was asking for anything else - other than email address? Let's talk about my use-case... I am building a website that is part online newspaper and part community. There will be lots of free content, but for premium content, you have to pay. And as a paid member, you also get to join the online community and create a profile, chat with others, post comments, and get access to much more. This is not a new concept, and it works IF you have phenomenal content. If you don't have a paid Washington Post subscription, you cannot post on their site. And while they might not kick you off their site if you posted nasty messages, I guarantee you'd be blocked from posting again. (And if you came back pretending to be someone else, I'm sure they could catch you.) Don't like that? They be try CNN or Fox News which are free. Why is what i am trying to do (i.e. paid subscription) so radical? But I'm not making things "hard". All I am trying to do is enforce the TOS. No one is forcing people to buy a subscription. But if you do, I do expect people to behave - otherwise i end up with a cesspool like social meda... P.S. I appreciate your feedback, but I don't think I'm being unreasonable here.

I just read an article about them. Not sure I see any real value. if your credit card get compromised, get a new #. (If you have to sign up for that service - especially with a 3rd party - you are probably defeating the purposes by having to cough up even more details that can be breached. That and the article I read mentioned using a browser add-on which i wouldn't touch with a 100 foot ppole!) Why is that so funny? Because every company in the world that sells memberships does this. What does your gym do? You gun club? AAA? How about the NY Times or Washington Post? You are paying to join my online community - which is a feature of buying an annual subscription - and if people cause trouble then i want the ability to block them, and not have Russian trolls coming back every 20 minutes with a new email and credit card number. What does that mean? You mean "Big Brother" watching you? If so, the difference is that I am not selling your info like Zuckerberg, and I'm not going to come to your home and beat your family if you mess around. I would like a reasonably reliable way to keep riff-raff out. Nothing personal, but don't be so sanctimonious about online memberships. I challenge you to get an in person "membership" to any club (Elks Club, golf course, hunting club, tennis club, gym membership, etc) where there are no reprocussions if you screw around. How about even a store or restaurant? Of course in those cases, they can see who you are. So why is it so offensive to you that I am trying to protect my online community that is member's only? (Not the same thing as on online PHP forum...) Either way, so what other things could I do to establish someone's identity - and let's not make it sound like I am China - so if they break the TOS then I would have a way to refuse them service in the future? (Or to the point of this thread, if their 50 friends use their credit card and THEY screw around, then I need a way to take action.)

So how does that work? I have never heard of virtual credit card numbers before?! Most Americans have several credit cards. But it is a start. Do you have a better idea? I could make people meet me in person in a parking lot with their gov't issues id... 😉 Because I am creating an online forum, and I want people to have some accountability. One of the reasons the Internet sucks so much in 2020 is that most online sites and forums and communities are filled with anonymous users that do not behave the same way they would in real life/ The problem I am trying to solve for - and it sounds like you are giving me an "F" once again - is a way to make sure people have "skin in the game". So my (naive) plan was that if someone creates an account and pays with a credit card, and then they break the TOS, not only do I kick them off of my site, but if they try to create another account using the same details I have a *reasonable* way to stop them. Now in that design, I know someone could have another credit card with different billing details - I know I do - and of course, nothing is stopping them from using someone else's credit card, but the goal is to create a reasonable deterrent and a way to keep people more accountable. So since my idea sounds like it it is DOA from the get-go, what better ideas do you have? (Note: I'm not issuing security clearances, but i don't want to have to deal with dicks/trolls/punks/etc...)

I am not storing the payment details. Those would go from my checkout form *directly* to the payment processor. You would need PCI compliance and wicked infrastructure to be storing payment details!! But I was wondering - probably naively - if you securely hashed just part of the details - enough to uniquely identify a cardholder and the form of payment - if you could then retain that safely and not have to worry about a data breach and getting sued. I'm pretty sure there is the concept of a "payment token" that does this, and it is used for cases where you have things like recurrent billing (e.g. for subscriptions), but I am not familiar how to do that, and as I recall, the documentation from Authorize.net leaves a lot to be desired.

> So if Lisa Smith buys a subscription, I want a *SECURE* way to maybe capture her name/last-4 of credit card/exp date > and store it so that each time a new person registers, I can make sure the 2 members/credit card is not succeeded. I am looking for a way to safely store the Cardholder Name + Last-4 of credit card + Exp date (or something like that) so that I can keep track of how many times a credit card is used with respect to new accounts. The payment details are really the only way I have to link a subscription to a human being, short of calling everyone or something like that. Does that answer your question?

So here is a problem that I am trying to solve, and security is of the utmost importance... I am building a website with subscriptions, and my business rule says that there cannot be more than 2 members per credit card. My reasoning is that I want to use the credit card payment not only to get $$$, but as a means of connecting a real human being to an user account. If I allow 50 member accounts for one credit card, then it defeats the point. (The assumption is that allowing up to 2 member accounts per credit card payment allows for things like spouses or parent-child.) And, yes, there is always a way to "hack" the system, but I think this approach is sufficient for now. So if Lisa Smith buys a subscription, I want a *SECURE* way to maybe capture her name/last-4 of credit card/exp date and store it so that each time a new person registers, I can make sure the 2 members/credit card is not succeeded. Is there any reasonable way that I could do that using a hash, or is that suicide/ (BTW, I will be using Authorize.net for my payment gateway, and maybe they already offer a way to do what i want, but since I am not at the point to where i am setting up the payment gateway to my website, I am trying to think of ways to accomplish what I need just using PHP.)

Are there any PHP hashes that are extremely secure and that CANNOT be reverse-engineered?

Right, that is the same conclusion that I came to! 😉 So I would store everything in my database as my local time of EST, and then use PHP to localize the dates in the user's control panel? A few things here... 1.) So it sounds like you are saying that I should use a DATE and TIME and record the moment they make a purchase as the 'start date", right? (I guess I could use a MySQl "TIMESTAMP" datatype for that?) 2.) My database design has a "start_date' and an 'end_date" for a subscription - otherwise how would I know when a user's subscription had ended? So I think what you are saying is on registration/renewal to grab the TIMESTAMP and stick that in the "start_date" and then maybe use a date function in PHP or MySQL to add 1 year onto that 'start_date" to calculate my 'end_date" - which would need to be written into my "Member_Subscription_History" table. Is that what you were suggesting?