
using AES_DECRYPT and AES_ENCRYPT


svgmx5


I'm building an online store, and my client wants to be able to store customers' credit card numbers. I know that doing that is a huge security risk, which I've already talked to him about, but he insists on storing credit card numbers.

 

So I read that using AES_DECRYPT and AES_ENCRYPT is about the best way to securely store them online... not sure if that's 100%, but that's what I've read.

 

Anyway, I'm having issues understanding how to use this. So far I've been able to encrypt the number, but I can't get it to decrypt.

 

I guess I'll show the code I'm using to decrypt it; I hope someone here can help me out.

 

<?php
$order_num = 'xxii8ir3iaqr7155';

$result = mysql_query("SELECT AES_DECRYPT(ccnum) FROM orders WHERE orderNum = 'xxii8ir3iaqr7155' LIMIT 1");
while($row = mysql_fetch_array($result)){// LINE 17
	$ccnum = $row['ccnum'];
}


?>

 

However, with this code I'm getting the following error as well:

 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\Hosting\5357139\html\test\decrypt.php on line 17

 

Well, I hope I can get help from someone here... or if you know a really good tutorial, please send me the link.

 

Thanks!


Try the following; PHP isn't responsible for catching SQL problems up front:

<?php
   $order_num = 'xxii8ir3iaqr7155';
   
   $result = mysql_query("SELECT AES_DECRYPT(ccnum) FROM orders WHERE orderNum = 'xxii8ir3iaqr7155' LIMIT 1") or exit(mysql_error());
   while($row = mysql_fetch_array($result)){
      $ccnum = $row['ccnum'];
   }
   
?>


Umm, now I'm getting the following:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') FROM orders WHERE orderNum = 'xxii8ir3iaqr7155' LIMIT 1' at line 1

 

I can't find what I'm doing wrong now...

 


I'm not quitting the job... like I said, he has understood the risks and has signed a contract that takes me out of the picture; all I have to do is make sure it's as secure as possible...

 

So if anyone else can actually help me with the issue, I'd appreciate it.


Okay, so I've updated the code after much research; however, I'm still not getting anything...

 

So here's how my DB is set up...

 

The CC number is stored in a field that is a BLOB.

The password... well, for now it is only 1234567.

 

Now here's the code:

 


<?php
   $order_num = 'xxii2kqchdgr1vt3';
   
   // First query: read the row to get the key that was stored beside the ciphertext
   // (note: keeping the key in the same row as the data it protects defeats the encryption;
   // the key should come from the application, not from the orders table)
   $sql = "SELECT * FROM orders WHERE orderNum='$order_num'";
   $run = mysql_query($sql) or die(mysql_error());
   $fetch = mysql_fetch_assoc($run);
   $cc_pass = $fetch['cc_pass'];
   //$ccnum = $fetch['ccnum'];
   //$cc_first = $fetch['cc_first'];
   
   // Second query: decrypt with the two-argument form and alias the result so it can be read as $row['ccnum']
   $cc_sql = "SELECT AES_DECRYPT(ccnum, '$cc_pass')  AS ccnum FROM orders WHERE orderNum='$order_num'";
   $cc_run = mysql_query($cc_sql) or die(mysql_error());
   // Fetch from the second result ($cc_run), not from $run, which has already been consumed;
   // fetching from $run again returns false, so $row['ccnum'] is empty and the page prints nothing
   $row = mysql_fetch_assoc($cc_run);
   $cc_num = $row['ccnum'];
   
   echo ' '.$cc_num.' ' ;
   
?>

 

I hope this helps someone help me.

 

THANKS!


It is illegal to store credit card CVV2 data. You can read the Visa/MC terms and regulations guide which your bank can send you (you may also be able to find online) for all the ins-and-outs, but that is one I am certain of.

Last time I checked, you could store credit card data in your DB but only if it was encrypted (details of this I don't remember.) You can use the stored data to provide recurring payments or allow people to re-purchase without re-entering all of their payment data. There is also a CISP compliance questionnaire you need to fill out internally, basically just a 'do you follow these best practices' (not sharing passwords, encryption keys, etc.) type of thing. Your site hosting location, payment processing gateway, and SSL provider all have to be CISP compliant as well.

 

Have him hire a CISSP or someone who already knows the law. We would be breaking the law helping you help him, no matter what contracts are in place (you can't avoid penalties of law by signing a document; if you break the law, you face the consequences).


No, you can store them, sorry, I didn't quote the best thing. But the fact is:

1. It is against the law to store CC numbers in cleartext.

2. You must use SSL, as you say you do.

3. There are certain network requirements.

4. Look into PCI for compliance.

 

At a certain threshold (transactions per month) you are going to need to get a pen-test to ensure compliance. You will also need to certify with Visa, etc. once you hit a really high threshold.

 

Again, let me say this:  you would be breaking the law storing credit card numbers cleartext.  DO encrypt them.

 

Also, you should have listened to Mchl and realized that AES_ENCRYPT/DECRYPT takes 2 parameters.

 

The first parameter is the string (encrypted/decrypted) and the second is the key. (It is also illegal to share this key with anyone, so make sure that you take appropriate measures to lock down the way your PHP acquires this key.)

 

AES_DECRYPT(AES_ENCRYPT("1234567890123456", "baloney"), "baloney") = 1234567890123456

 

I was just making sure you use AES, don't store the CVV2, and put in the budget for a licensed CISSP or other security professional to evaluate it. At least displace your liability. (Now that I re-read part of the post, I realized you weren't breaking the law and you were attempting to encrypt legally.)

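The two-argument form andrewgauge describes, put together as an added example (not code from this thread): the key is supplied by the application rather than read from the orders row, and the decrypted column is aliased so PHP can read it as $row['ccnum']. The table name, key value and test card number are placeholders.

```sql
-- Added example, not from the thread. Column names follow the poster's schema;
-- the key and card number are placeholders (4111... is a well-known test number).
CREATE TABLE orders_demo (
  orderNum VARCHAR(32)   NOT NULL PRIMARY KEY,
  ccnum    VARBINARY(64) NOT NULL   -- ciphertext is binary; BLOB also works
);

-- The key belongs to the application (e.g. a config file outside the web root),
-- never to a column in the same row as the ciphertext it protects.
-- MySQL's default block_encryption_mode is aes-128-ecb, and the key bytes are
-- folded into 16 bytes, so a 7-character password such as '1234567' is weak.
SET @aes_key = 'REPLACE-WITH-APPLICATION-KEY';

INSERT INTO orders_demo (orderNum, ccnum)
VALUES ('xxii2kqchdgr1vt3', AES_ENCRYPT('4111111111111111', @aes_key));

-- Without AS, the result column is literally named "AES_DECRYPT(ccnum, @aes_key)",
-- so $row['ccnum'] in PHP is undefined; the alias gives it the expected name.
SELECT AES_DECRYPT(ccnum, @aes_key) AS ccnum
FROM orders_demo
WHERE orderNum = 'xxii2kqchdgr1vt3'
LIMIT 1;

-- A wrong key does not raise an error: AES_DECRYPT returns NULL when the
-- decrypted padding is invalid, which is what a silent blank value looks like.
SELECT AES_DECRYPT(ccnum, 'wrong-key') AS ccnum
FROM orders_demo
WHERE orderNum = 'xxii2kqchdgr1vt3';

-- Raw ciphertext is not printable; HEX() makes it safe to inspect in a client.
SELECT orderNum, HEX(ccnum) AS ccnum_hex FROM orders_demo;
```

The first SELECT returns the original number; the second returns NULL rather than an error, so a blank result on decrypt is worth checking against the key before looking elsewhere.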

Define: "I'm still not getting anything..."

 

That could mean a blank screen, a failed query, a query that matches zero rows, a failed second query, the wrong value returned,...? What have you done to troubleshoot what it is doing and what are the symptoms so that someone could actually help you?


andrewgauge:

 

Thanks for that info, I will mention that to him, and I'll make sure the number is encrypted.

 

PFMaBisMAd:

 

Sorry for not being specific; what I meant is that I'm getting a blank screen, no errors, nothing.
