php/mysql blob


project3

I have a cart that stores the credit card number in a BLOB field. I need to add an area where I can recharge cards. How do I pull the card number? Do I use just a regular select statement, or is there something else I need to do?

Thanks in advance!

Link to comment
Share on other sites

This is just my .02 cents, but before you think about storing credit card info you need to have an encryption algorithm. Don't store CC #'s in plain text. That's just asking for trouble.

I would probably use a varchar field with a very good encryption / decryption method.

Nate

Link to comment
Share on other sites

Well, I can't change the structure, as the cart is using it the way it is set up. I just looked at what they were doing to pull the cards, and it's in the blob field and it's md5 with a salt string.

Link to comment
Share on other sites

MD5 is a one way hash. You cannot get back the original number. Even if you were to create a table of all possible values, because the md5 values are not unique (several starting values produce the same md5 value) you cannot determine what the original value was.

The data in the table was hashed to prevent it from being extracted. You cannot do what you want.

Link to comment
Share on other sites

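I'm just using the function that they are already using in the cart.

function md5_decrypt($enc_text, $password, $iv_len = 16) {
    // Stored value is base64( IV || ciphertext blocks ).
    $enc_text = base64_decode($enc_text);
    $n = strlen($enc_text);
    $i = $iv_len;
    $plain_text = '';
    // Initial state: password XOR the IV taken from the front of the data.
    $iv = substr($password ^ substr($enc_text, 0, $iv_len), 0, 512);
    while ($i < $n) {
        $block = substr($enc_text, $i, 16);
        // MD5 of the running state is the 16-byte keystream for this block.
        $plain_text .= $block ^ pack('H*', md5($iv));
        // Feed the ciphertext block back into the state for the next round.
        $iv = substr($block . $iv, 0, 512) ^ $password;
        $i += 16;
    }

    // Strip the \x13 end marker and the zero padding that follows it.
    return preg_replace('/\\x13\\x00*$/', '', $plain_text);
}
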

Link to comment
Share on other sites

Then you will have to call the function something like this:

<?php

$enc_text = 'I assume this is the encrypted number';
$password = 'I "think" this is the password of the user';
$plain_text_num = md5_decrypt($enc_text, $password, 16);

echo $plain_text_num;
?>

 

This may return the value in its plain text format.

But seriously, you should only do this if you have complete control over your server: its settings, security and who has physical access to it. If you are using a shared hosting package, then I would not even attempt it.

Basically, if you need to ask for assistance on how to do this, then it could be dangerous for your customers. I understand that it is a convenience for people to not have to input their CC #, but I feel you should weigh the importance of safety vs convenience.

No offense to you or your skills, but storing CC #'s should only be done by someone who knows EXACTLY what they are doing, otherwise you are putting your customers at risk. How long do ya think a site will stay up and bring in money if there was a data breach and customers' data was stolen? I can bet you not very long at all.

I am pretty confident in my coding skills and have been coding PHP for a few years now, and this is not something I would attempt because the security risk is just too great.

I did a quick search on Google and found the exact code you're using. If I can find it with a quick search in Google, then it means that this decoding algorithm is not exactly a secret and could be broken by someone who wished to break it.

http://www.google.com/search?q=md5_decrypt

Again, just my 2 cents (well, I guess 4 cents by now) :)

Nate

Link to comment
Share on other sites
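
An added illustration of the "very good encryption / decryption method" discussed above; it is not part of the original thread and not the cart's code. It stores a card number reversibly with authenticated encryption from PHP's bundled sodium extension (PHP 7.2+), so that, unlike the XOR routine posted earlier, a modified column value is rejected rather than decrypted. The function names seal_pan()/open_pan(), the salt and the test card number are constructed for the example, and the key is assumed to be loaded from server configuration outside the database.

```php
<?php
// Added example, not the cart's code. seal_pan()/open_pan() are hypothetical names.

function seal_pan(string $pan, string $key): string
{
    // Fresh random nonce per record; it is not secret and is stored with the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($pan, $nonce, $key);
    return base64_encode($nonce . $box);   // text-safe; a BLOB could hold the raw bytes
}

function open_pan(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;                        // malformed column value
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $pan   = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $pan === false ? null : $pan;    // false means wrong key or altered data
}

// Assumption: in production the key comes from server config, never from the database.
$key = sodium_crypto_secretbox_keygen();

$pan    = '4111111111111111';               // constructed sample: a public test number
$stored = seal_pan($pan, $key);

// 1. Round trip with the correct key recovers the number.
var_dump(open_pan($stored, $key) === $pan);

// 2. A column value with one bit changed fails authentication and yields null.
$raw  = base64_decode($stored);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
var_dump(open_pan(base64_encode($raw), $key));

// 3. A salted MD5 of the same number is a digest: it can be compared against,
//    but no key or function turns it back into the number.
$salt   = 'constructed-salt';
$digest = md5($salt . $pan);
var_dump(hash_equals($digest, md5($salt . $pan)));
```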

Well, we are on a private server.

Number 2, the code comes with the cart. I told you that before but you don't seem to understand that.

If the cart is using it I'm sure they are aware of security. We are using digishop and it's pretty expensive. I don't think their developers would put their company at risk by making something insecure.

Link to comment
Share on other sites

Good that you're on a private server. I do understand that the code comes with the cart, but that does not mean that it is safe to do. In this instance I would not just "think" that the developers do or don't do something, I would make DAMN sure of it. Just because something is expensive doesn't make it safe or good. Ultimately it is your customers' data that is at stake.

I gave you the code to call using their own function. That's the best I can do.

Quite frankly, if your company paid a hefty sum for it, then your questions should be directed to their developers. They know the code, they know the security and they are the ones to answer this kind of question.

Nate

Link to comment
Share on other sites
