Question/Help: Securely sending data to database


shinichi_nguyen


Hi everyone. I used to use PHP to send data to a database (MySQL) on projects like user registration to become a member. Now I have a project where I will have to send the credit card number and expiry date to the database. Could someone help me with some code that securely sends that information to the database with a small risk of it leaking and/or being attacked by bad people, aka hackers? :)

I don't know much, but as far as I know, every time I buy something from Dell or Amazon or eBay, they always use "https://" with the "s" for secure. I wonder if it is something PHP related?

Much appreciate your help!


You need to follow normal sanitizing practices on any data you store in a database.

 

But for credit card data, you not only need SSL (Secure Sockets Layer, which puts the "s" in https), which means buying an SSL certificate, but also I think you need approval from an organisation called, I think, PCI, which governs storage of personal information on computer systems.

 


OK, let's say we just forget about the HTTPS, and let me put it this way: I have a MySQL database with a table containing customer info (tranID, nameoncard, creditnumber, dateexpire, amount, note) and I want to create a PHP page where the user submits that info to the database. If I use PHP with the INSERT method as usual, what is the risk of being attacked or of putting customer info at risk? I mean, if one wants to make this page, how would they start? A good code sample would be appreciated!

Thank you


You seem to be getting site security confused with data security.

 

You keep your site safe against various attacks, taking steps to avoid SQL injections and the like, but also, when keeping personal information, you need to keep the data secure in transmission, and to do that you need SSL.

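The "site security" half of the reply above (the sanitizing advice earlier in the thread, and the "INSERT as usual" page the question asks about) comes down to one thing: never let submitted values become part of the SQL text. The following is an added example, not code from anyone in the thread. It assumes a MySQL table named `customer_info` with the columns the question lists (tranID auto-increment, nameoncard, creditnumber, dateexpire, amount, note); the host, database, user and the `DB_PASSWORD` environment variable are placeholders. It shows the vulnerable insert beside the prepared-statement version, plus input validation (including a Luhn check on the card number) that runs before the database is involved.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Table `customer_info` and the connection
// details below are assumptions; adjust them to the real schema and deployment.

function connectDb(): PDO
{
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_app',
        getenv('DB_PASSWORD') ?: '', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side parameters, not client-side quoting
        ]);
}

// VULNERABLE: "INSERT as usual" with the submitted values pasted into the SQL text.
// A single quote in any field closes the string literal and lets the sender rewrite
// the rest of the statement (classic SQL injection). HTTPS does nothing against this.
function insertUnsafe(PDO $pdo, array $f): void
{
    $pdo->exec("INSERT INTO customer_info (nameoncard, creditnumber, dateexpire, amount, note)
                VALUES ('{$f['nameoncard']}', '{$f['creditnumber']}', '{$f['dateexpire']}',
                        {$f['amount']}, '{$f['note']}')");
}

// HARDENED: the SQL text is fixed; the values travel separately as parameters, so a
// quote in the input is just data. Returns the new tranID.
function insertSafe(PDO $pdo, array $f): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO customer_info (nameoncard, creditnumber, dateexpire, amount, note)
         VALUES (:nameoncard, :creditnumber, :dateexpire, :amount, :note)'
    );
    $stmt->execute([
        ':nameoncard'   => $f['nameoncard'],
        ':creditnumber' => $f['creditnumber'],
        ':dateexpire'   => $f['dateexpire'],
        ':amount'       => $f['amount'],
        ':note'         => $f['note'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Luhn check: rejects typos and random garbage before anything touches the database.
function luhnValid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Whitelist-style validation of the form fields; throws on anything out of shape.
// No CVV field on purpose: it must never be stored after authorisation.
function validateForm(array $post): array
{
    $pan = preg_replace('/\D/', '', (string) ($post['creditnumber'] ?? ''));
    if (!preg_match('/^\d{13,19}$/', $pan) || !luhnValid($pan)) {
        throw new InvalidArgumentException('card number fails length/Luhn check');
    }
    $exp = (string) ($post['dateexpire'] ?? '');
    if (!preg_match('#^(0[1-9]|1[0-2])/\d{2}$#', $exp)) {
        throw new InvalidArgumentException('expiry must be MM/YY');
    }
    $amount = (string) ($post['amount'] ?? '');
    if (!preg_match('/^\d{1,8}(\.\d{2})?$/', $amount)) {
        throw new InvalidArgumentException('amount must be a positive decimal with two places');
    }
    $name = trim((string) ($post['nameoncard'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name on card missing or too long');
    }
    return [
        'nameoncard'   => $name,
        'creditnumber' => $pan,
        'dateexpire'   => $exp,
        'amount'       => $amount,
        'note'         => substr((string) ($post['note'] ?? ''), 0, 255),
    ];
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $id = insertSafe(connectDb(), validateForm($_POST));
        echo 'Stored transaction ', $id;
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid input: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The prepared statement only closes the injection route. Writing `creditnumber` into the table in the clear, as the question's schema does, is still the part that the rest of the thread (PCI, encryption, not storing the number at all) is about; `insertSafe` makes the page safe to run, not the data safe to keep.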

I've seen a shop that has AES-encrypted CC numbers.

But I think it is a bad idea to store CC numbers in the database. Not secure.

Who knows which websites are hosted on the same server... if somebody gets hacked, the whole server is in danger: locally you can get any file with a shell, then just log into the local DB with your user and password, and then it is not a big deal to dump the DB.

So I decided not to store CC numbers.

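For anyone who cannot avoid storing the number, this is what the "AES-encrypted CC numbers" in the post above should look like. It is an added example, not the shop's code or anyone's in the thread. It uses AES-256-GCM through PHP's ext-openssl (PHP 7.1 or later) and reads the key from a hypothetical environment variable `CARD_DATA_KEY` (64 hex characters, a 32-byte key) set by the process manager, so the key is never in the database and a DB dump on its own, the scenario the poster describes, yields nothing readable. The transaction id is bound in as associated data, so a ciphertext moved to another row will not decrypt, and any modification of the stored value makes decryption return null rather than a corrupted number. PCI DSS still applies to such a store (encryption with managed keys is one of its accepted ways to render a stored PAN unreadable, and the CVV may never be stored after authorisation); not storing the number at all, as the poster decided, keeps most of that out of scope.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. CARD_DATA_KEY, the column layout and the
// demo values are assumptions. Requires ext-openssl (PHP >= 7.1).

const CARD_CIPHER = 'aes-256-gcm';
const NONCE_LEN   = 12;   // 96-bit nonce, the standard GCM size
const TAG_LEN     = 16;   // 128-bit authentication tag

function loadCardKey(): string
{
    $hex = getenv('CARD_DATA_KEY');
    if ($hex === false || !preg_match('/^[0-9a-f]{64}$/i', $hex)) {
        throw new RuntimeException('CARD_DATA_KEY must be 64 hex characters (32-byte key)');
    }
    return hex2bin($hex);
}

// Encrypts a PAN for storage. Output is base64(nonce | tag | ciphertext), which fits a
// VARCHAR/VARBINARY column. The row's transaction id is the associated data.
function sealPan(string $pan, string $key, string $tranId): string
{
    $nonce = random_bytes(NONCE_LEN);   // fresh per record: never reuse a nonce under one key
    $tag   = '';
    $ct = openssl_encrypt($pan, CARD_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $tranId, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($nonce . $tag . $ct);
}

// Decrypts and authenticates. Returns null (never a garbled PAN) if the stored value was
// modified, belongs to a different transaction, or was sealed with a different key.
function openPan(string $stored, string $key, string $tranId): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < NONCE_LEN + TAG_LEN) {
        return null;
    }
    $nonce = substr($raw, 0, NONCE_LEN);
    $tag   = substr($raw, NONCE_LEN, TAG_LEN);
    $ct    = substr($raw, NONCE_LEN + TAG_LEN);
    $pan = openssl_decrypt($ct, CARD_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, $tranId);
    return $pan === false ? null : $pan;
}

// What the application is allowed to display afterwards: the last four digits only.
function maskPan(string $pan): string
{
    return str_repeat('*', max(0, strlen($pan) - 4)) . substr($pan, -4);
}

if (PHP_SAPI === 'cli') {
    if (getenv('CARD_DATA_KEY') === false) {
        putenv('CARD_DATA_KEY=' . bin2hex(random_bytes(32)));   // throwaway key for this demo run only
    }
    $key    = loadCardKey();
    $stored = sealPan('4111111111111111', $key, '1001');        // 4111... is the standard Visa test PAN

    $ok       = openPan($stored, $key, '1001');                 // same row id and key: PAN comes back
    $wrongRow = openPan($stored, $key, '1002');                 // ciphertext copied to another row
    $raw      = base64_decode($stored);
    $raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);   // flip one ciphertext bit
    $tampered = openPan(base64_encode($raw), $key, '1001');

    echo 'stored value: ', $stored, PHP_EOL;
    echo 'shown to staff: ', maskPan((string) $ok), PHP_EOL;
    echo 'wrong row and tampered value both rejected: ',
        var_export($wrongRow === null && $tampered === null, true), PHP_EOL;
}
```

Where the key lives is the whole game: if it sits in a PHP file next to the code, the poster's "shell on the shared host" attacker reads it along with the DB password. Keep it in the environment or a secrets store, restrict who can read it, and plan for rotation (re-sealing existing rows under a new key) before going live.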

OK, I have researched a little more on Google and seen that sending credit card numbers is a whole big deal. I think I cannot do it and will refuse the task of this project. I really do want to know if there is a way to do it, something like: has anyone done this before with PHP encryption?

 

He's saying that the issue would not be on the server side (PHP) but rather making sure that the data is not intercepted.

 

browser -> hacker (aka: asshole) -> server (PHP)

 

You need a way of encrypting the data in transit.


Storing credit card numbers is a BIG deal.

 

First you need to be PCI-compliant, which somebody mentioned already.  PCI-compliant means you follow a set of best practices (or maybe even laws) in regards to how you store and serve this type of information.  You need to find the official site and documentation on requirements, which is a lengthy read if I recall correctly.

 

I don't recall if any of this is in the PCI compliance, but you'll also want to do all of the following:

+ Dedicated server with backups you control

+ HTTPS for web traffic

+ SSL connection to your database

+ Code encryption on your PHP code

+ A sys admin that can properly lock the box down

 

In addition to all of the standard web attacks you might fall victim to, you also have to consider someone walking off with a backup or the machine itself.  I'm not really sure what safeguards you can use to prevent someone walking off with a backup and running your code in a debugger.

 

You also have to be really careful about where you store your source code for such applications.

 

If any of the above is iffy or scary sounding to you, then you should be turning down such projects.  :)

 

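Both "encrypt the data in transit" replies above (the browser -> hacker -> server picture, and the "HTTPS for web traffic" and "SSL connection to your database" items in this list) are mostly web-server and database-server configuration, but the PHP side can refuse to run when either hop is not encrypted. The following is an added example, not code from the thread. It assumes the MySQL server already has TLS enabled with its CA certificate at `/etc/ssl/mysql/ca.pem`; the host `db.internal`, database, user and the `DB_PASSWORD` variable are placeholders.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. The CA path, host, database name, user and
// DB_PASSWORD are assumptions about the deployment.

// Hop 1: browser -> PHP. Only accept the card form over HTTPS. A POST that arrived over
// plain HTTP is refused, not redirected: a redirect cannot un-send the card number.
function requireHttps(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        http_response_code(403);
        exit('This page is only served over HTTPS.');
    }
    // Tell the browser to use HTTPS for this host for a year, and keep the session
    // cookie off plain-HTTP requests and away from scripts.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
}

// Hop 2: PHP -> MySQL. TLS with the server certificate verified against our CA, so the
// DB password and the card fields are not readable between the web host and the DB host.
function connectDbOverTls(): PDO
{
    return new PDO('mysql:host=db.internal;dbname=shop;charset=utf8mb4', 'shop_app',
        getenv('DB_PASSWORD') ?: '', [
            PDO::MYSQL_ATTR_SSL_CA                 => '/etc/ssl/mysql/ca.pem',
            PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
            PDO::ATTR_ERRMODE                      => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES             => false,
        ]);
}

// Check, do not assume: ask the server which cipher this session negotiated.
// An empty value means the connection fell back to plaintext.
function assertDbTls(PDO $pdo): string
{
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    $cipher = (string) ($row['Value'] ?? '');
    if ($cipher === '') {
        throw new RuntimeException('MySQL connection is not using TLS');
    }
    return $cipher;
}

if (PHP_SAPI !== 'cli') {
    requireHttps();
    $pdo = connectDbOverTls();
    assertDbTls($pdo);
    // ... handle the form with prepared statements from here on
}
```

Enforce the second hop on the server as well, so a misconfigured client cannot connect unencrypted at all: in MySQL, `ALTER USER 'shop_app'@'%' REQUIRE SSL;`. Note what this does and does not cover: TLS stops the interception in the browser -> hacker -> server picture; it does nothing for the case raised earlier in the thread where the attacker already has a shell on the host, which is what the PCI, dedicated-server and key-handling points in this list are about.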
