On Wed, May 11, 2005 10:02 am, Colin Ross said: > I am working on a bit of code for credit-card processing, so please keep > in > mind, security of the data is essential.. > On part of it i wish to use a buffer, but i wonder if that data is saved > anywhere on the running system (as a temp file, etc), or is it just held > in > the system's memory? What kind of a buffer? Actually, scratch that question. There is no guarantee, in PHP, that the data in your running script will not be stored in swap (temp file) on disk as the script runs. It would be nice, perhaps, if there were a way to allocate memory only in RAM that could not be swapped. There are, in some OSes, low-level calls to do this, but I don't think PHP wrappers exist (yet) for them. At any rate, my point is that if the Bad Guys can read your swap files, you're probably already in so much trouble that the credit card numbers isn't your #1 concern. It is that bad. > My concern is that if an error occurs in the processing, i don't want that > buffer to remain (with possible valid Credit Card data) on the system... You want to catch/handle as many possible errors as you can, and work through them intelligently. No matter what you do, it's possible that you'll end up with a core dump (or similar) with your RAM including CC#s in it. You'll want to make this as unlikely as you can, but you'll also want to think about what you'll do if it *DOES* happen. Should you turn off core dumps on a production server? Probably, if you can. Does that guarantee that somebody (maybe you a year from now) trying to detect some other issue won't turn it back on, yes, even on a production server? Probably not. So, prepare for it, and do the right thing, whatever you think that is. Back to your buffers: It really all depends on how you build the buffer, and where they are allocated/stored/free'd. PHP has no data type of "buffer" so we don't really understand the question until you clarify that a bit. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
