shinichi_nguyen Posted February 17, 2010

Hi everyone. I used to use PHP to send data to a database (MySQL) on projects like user registration to become a member. Now I have a project where I will have to send credit card numbers and expiry dates to the database. Could someone help me with some code that securely sends that information to the database with a small risk of leaking and/or being attacked by bad people, aka hackers? I don't know much, but as far as I know, every time I buy something from Dell or Amazon or eBay they always use "https://" with the "s" for secure. I wonder if it is something PHP-related? Much appreciate your help!
jl5501 Posted February 17, 2010

You need to follow normal sanitizing practice on any data you store in a database. But for credit card data, you not only need SSL, which means buying an SSL certificate (SSL, Secure Sockets Layer, puts the "s" in https), but also I think you need approval from an organisation called, I think, PCI, which governs storage of personal information on computer systems.
shinichi_nguyen Posted February 17, 2010 (Author)

Ok, let's just forget about the https, and let me put it this way: I have a MySQL database with a table containing customer info (tranID, nameoncard, creditnumber, dateexpire, amount, note) and I want to create a PHP page where the user submits that info to the database. If I use PHP with the INSERT method as usual, what is the risk of being attacked or putting customer info at risk going to be? I mean, if one wants to make this page, how would they start? A good code sample would be appreciated! Thank you.
jl5501 Posted February 17, 2010

You seem to be getting site security confused with data security. You keep your site safe against various attacks, taking steps to avoid SQL injections and the like, but also, when keeping personal information you need to keep the data secure in transmission, and to do that you need SSL.
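As an added example (not code posted in this thread), here is what the two halves of jl5501's distinction look like in PHP for the customer table shinichi_nguyen describes: the "INSERT as usual" with form values spliced into the SQL text, beside a parameterized PDO version that makes injection impossible, with the MySQL connection itself made over TLS and the form refused unless it arrived over HTTPS. The host name, database name, credentials, CA bundle path and column sizes are assumptions; the block only addresses injection and transport, not whether the card number should be kept in the table at all.

```php
<?php
// Added example, not code from the thread. Host, database, credentials and
// the CA bundle path are placeholders; the customer table layout follows
// the columns named in the thread.
declare(strict_types=1);

function connectOverTls(): PDO
{
    $dsn = 'mysql:host=db.example.internal;dbname=shop;charset=utf8mb4';
    $options = [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,                      // real server-side prepares
        PDO::MYSQL_ATTR_SSL_CA     => '/etc/ssl/certs/db-ca.pem', // assumed CA path
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,           // reject a forged DB host
    ];
    // Credentials come from the environment, not from a file under the web root.
    return new PDO($dsn, (string) getenv('DB_USER'), (string) getenv('DB_PASS'), $options);
}

// The injectable version: form values are spliced straight into the SQL text.
// A name like O'Brien already breaks the statement, and any value carrying
// quotes or a semicolon changes what the statement does. Shown only as the
// "before"; do not use it.
function insertCustomerUnsafe(PDO $db, array $f): void
{
    $sql = "INSERT INTO customer (nameoncard, creditnumber, dateexpire, amount, note)
            VALUES ('{$f['nameoncard']}', '{$f['creditnumber']}', '{$f['dateexpire']}',
                    {$f['amount']}, '{$f['note']}')";
    $db->exec($sql);
}

// Validate the fields the form is expected to carry and return a clean row,
// or throw. This is about accepting well-formed data, not about escaping.
function validateCustomerForm(array $f): array
{
    $name = trim((string) ($f['nameoncard'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('nameoncard missing or too long');
    }
    $expire = (string) ($f['dateexpire'] ?? '');
    if (!preg_match('/^(0[1-9]|1[0-2])\/\d{2}$/', $expire)) {   // MM/YY
        throw new InvalidArgumentException('dateexpire must be MM/YY');
    }
    $amount = filter_var($f['amount'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($amount === false || $amount <= 0) {
        throw new InvalidArgumentException('amount must be a positive number');
    }
    return [
        'nameoncard'   => $name,
        'creditnumber' => preg_replace('/\D/', '', (string) ($f['creditnumber'] ?? '')),
        'dateexpire'   => $expire,
        'amount'       => round($amount, 2),
        'note'         => mb_substr(trim((string) ($f['note'] ?? '')), 0, 500),
    ];
}

// The parameterized version: the SQL text is fixed and the values travel
// separately, so a quote inside a value is data, never syntax.
function insertCustomerSafe(PDO $db, array $row): int
{
    $stmt = $db->prepare(
        'INSERT INTO customer (nameoncard, creditnumber, dateexpire, amount, note)
         VALUES (:nameoncard, :creditnumber, :dateexpire, :amount, :note)'
    );
    $stmt->execute([
        ':nameoncard'   => $row['nameoncard'],
        ':creditnumber' => $row['creditnumber'],
        ':dateexpire'   => $row['dateexpire'],
        ':amount'       => $row['amount'],
        ':note'         => $row['note'],
    ]);
    return (int) $db->lastInsertId();
}

// The "s" in https protects the browser-to-server leg; refuse the form without it.
if (PHP_SAPI !== 'cli') {
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        http_response_code(403);
        exit('This form is only served over HTTPS.');
    }
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $id = insertCustomerSafe(connectOverTls(), validateCustomerForm($_POST));
        echo 'Stored transaction ', $id;
    }
}
```

`PDO::ATTR_EMULATE_PREPARES => false` matters: with emulation on, PDO builds the SQL string client-side and the separation between statement and data is only as good as the driver's quoting; with it off, MySQL receives the statement and the values as distinct protocol messages. The HTTPS check covers the web server's own TLS; the `MYSQL_ATTR_SSL_*` options cover the second hop to the database that jl5501 and roopurt18 mention.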
shinichi_nguyen Posted February 17, 2010 (Author)

Ok, I have researched a little more on Google and seen that sending credit card numbers is a whole big deal. I think I cannot do it and will refuse the task of this project. I really do want to know if there is a way to do it, something like if anyone has done this before with PHP encryption?
LeadingWebDev Posted February 17, 2010

I have seen a shop that has AES-encrypted CC numbers, but I think it is a bad idea to store CC numbers in a database. Not secure. Who knows which websites are hosted on the same server... If somebody gets hacked, the whole server is in danger: locally you can get any file with a shell, then just log into the local DB with your user and pass, and then it's not a big deal to dump the DB. So I decided not to store CC numbers.
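The AES setup LeadingWebDev describes, as an added example that is not code from this thread: the card number is checked with the Luhn algorithm, sealed with AES-256-GCM before it reaches MySQL, and only its last four digits are kept readable. The key file path and the `CARD_KEY_FILE` environment variable are assumptions. The block also makes his objection concrete: the key has to be readable by the PHP process, so anyone with a shell on the same box can read it too, which is why not storing the number at all is the stronger option.

```php
<?php
// Added example, not code from the thread. Demonstrates AES-256-GCM at rest
// for a card number with the key held outside the document root. The key
// file path and environment variable name are assumptions.
declare(strict_types=1);

const CARD_CIPHER = 'aes-256-gcm';
const NONCE_LEN   = 12;   // GCM standard nonce size
const TAG_LEN     = 16;   // GCM authentication tag size

// Luhn check: rejects mistyped numbers before anything is encrypted or stored.
function passesLuhn(string $pan): bool
{
    if (!preg_match('/^\d{12,19}$/', $pan)) {
        return false;
    }
    $sum = 0;
    $double = false;                       // every second digit from the right is doubled
    for ($i = strlen($pan) - 1; $i >= 0; $i--) {
        $d = (int) $pan[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Load the 32-byte key from outside the web root. Anyone who can run code as
// the PHP user can read this file: that is LeadingWebDev's point, and no
// amount of AES changes it.
function loadCardKey(): string
{
    $path = getenv('CARD_KEY_FILE') ?: '/etc/shop/card.key';   // assumed location
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('card key missing or not 32 bytes');
    }
    return $key;
}

// Returns the two things that are safe to write to the row: the last four
// digits in clear, and nonce || tag || ciphertext base64-encoded for a TEXT column.
function protectCardNumber(string $pan, string $key): array
{
    $pan = preg_replace('/\D/', '', $pan);
    if (!passesLuhn($pan)) {
        throw new InvalidArgumentException('not a valid card number');
    }
    $nonce = random_bytes(NONCE_LEN);     // fresh per record; never reuse with the same key
    $tag = '';
    $ct = openssl_encrypt($pan, CARD_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'last4'  => substr($pan, -4),
        'sealed' => base64_encode($nonce . $tag . $ct),
    ];
}

function recoverCardNumber(string $sealed, string $key): string
{
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) <= NONCE_LEN + TAG_LEN) {
        throw new RuntimeException('malformed sealed value');
    }
    $nonce = substr($raw, 0, NONCE_LEN);
    $tag   = substr($raw, NONCE_LEN, TAG_LEN);
    $ct    = substr($raw, NONCE_LEN + TAG_LEN);
    // GCM fails closed: a modified ciphertext or tag yields false, not garbage.
    $pan = openssl_decrypt($ct, CARD_CIPHER, $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pan === false) {
        throw new RuntimeException('decryption failed or data was tampered with');
    }
    return $pan;
}

// Constructed demo using a well-known test number, not a real card. In the
// demo a random key stands in for loadCardKey().
if (PHP_SAPI === 'cli') {
    $key = random_bytes(32);
    $row = protectCardNumber('4111 1111 1111 1111', $key);
    printf("store: last4=%s sealed=%s\n", $row['last4'], $row['sealed']);
    printf("recovered: %s\n", recoverCardNumber($row['sealed'], $key));
}
```

Storing `last4` alongside the sealed value lets the shop show "card ending in 1111" without ever decrypting; `recoverCardNumber` should be reachable only from the code path that genuinely needs the full number. GCM is used rather than CBC so that a record altered in the database is detected at decrypt time instead of silently producing a different number.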
SchweppesAle Posted February 17, 2010

> Ok, I have researched a little more on Google and seen that sending credit card numbers is a whole big deal. I think I cannot do it and will refuse the task of this project. I really do want to know if there is a way to do it, something like if anyone has done this before with PHP encryption?

He's saying that the issue would not be on the server side (PHP) but rather making sure that the data is not intercepted. browser -> hacker (aka asshole) -> server (PHP). You need a way of encrypting the data in transit.
roopurt18 Posted February 17, 2010

Storing credit card numbers is a BIG deal. First you need to be PCI-compliant, which somebody mentioned already. PCI-compliant means you follow a set of best practices (or maybe even laws) in regards to how you store and serve this type of information. You need to find the official site and documentation on requirements, which is a lengthy read if I recall correctly. I don't recall if any of this is in the PCI compliance, but you'll also want to do all of the following:

+ Dedicated server with backups you control
+ HTTPS for web traffic
+ SSL connection to your database
+ Code encryption on your PHP code
+ A sys admin that can properly lock the box down

In addition to all of the standard web attacks you might fall victim to, you also have to consider someone walking off with a backup or the machine itself. I'm not really sure what safeguards you can use to prevent someone walking off with a backup and running your code in a debugger. You also have to be really careful about where you store your source code for such applications. If any of the above is iffy or scary sounding to you, then you should be turning down such projects.