On 11 February 2011 22:42, Brian Dunning <brian@xxxxxxxxxxxxxxxx> wrote:
> Hey all -
>
> I'm using mcrypt to store credit cards into MySQL. About 90% of them decrypt fine, but about 10% decrypt as nonsense ("b1ï\ïJEÃUïAïïï" is a good example). Maybe there is a character that appears in about 10% of my encryptions that's not being encoded properly???

Unrelated to the code, but considering the frequency of credit card theft from big sites, is it really safe to store CC details, even if they are encrypted? Considering the site's code CAN decrypt it, it wouldn't be that difficult to use your code to get the card details.

Sure, having the details is a benefit to the client in terms of saving them the hassle of entering the card details for each purchase/usage, but how secure is it overall?

Related to the code, do you validate the card details first?

You are using addslashes($_POST['cc_number']). Considering a credit card number is purely numeric, the addslashes would seem to be redundant as you don't need to escape numbers.

And you can run a Luhn10 check against the card number to make sure it is valid before storing it.

Richard.

--
Richard Quadling
Twitter : EE : Zend
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY
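
The validation suggested in the reply above, as an added example that is not part of the original thread or anyone's posted code: the input is reduced to digits only (which is why addslashes has nothing left to escape) and then checked with the Luhn algorithm before anything is encrypted or stored. The function names and the 13 to 19 digit length range are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example: validate a card number before it is encrypted or stored.
// normalizeCardNumber() and luhnValid() are hypothetical helper names.

function normalizeCardNumber(string $input): ?string
{
    // Drop the separators people commonly type; anything else must be a digit.
    $digits = str_replace([' ', '-'], '', trim($input));
    // Assumed length range of 13 to 19 digits. ctype_digit() also rejects ''.
    $len = strlen($digits);
    if (!ctype_digit($digits) || $len < 13 || $len > 19) {
        return null;
    }
    return $digits;
}

function luhnValid(string $digits): bool
{
    $sum = 0;
    $double = false; // the rightmost digit (check digit) is not doubled
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9; // same as adding the two digits of the product
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Constructed sample inputs; 4111 1111 1111 1111 is a widely published test number.
$samples = ['4111 1111 1111 1111', '4111-1111-1111-1112', '4111x1111', ''];
foreach ($samples as $raw) {
    $pan = normalizeCardNumber($raw);
    $ok = $pan !== null && luhnValid($pan);
    printf("%-24s => %s\n", var_export($raw, true), $ok ? 'accept' : 'reject');
}
```

Only the first sample is accepted; the second fails the checksum and the last two fail the digits-only and length checks.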