Re: Help! Made a boo-boo encrypting credit cards

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 11 Feb 2011 14:42:18 -0800, Brian Dunning wrote:

> Hey all -
> 
> I'm using mcrypt to store credit cards into MySQL. About 90%
> of them decrypt fine, but about 10% decrypt as nonsense
> ("b1ï\ïJEÃUïAïïï" is a good example). Maybe there is a
> character that appears in about 10% of my encryptions that's
> not being encoded properly???

Can you come up with a phony CC number that fails the
decryption? If so, please post:

  $cc_number
  binhex($iv)
  binhex($cc_encrypt)
  binhex($row['encrypt_iv']))
  binhex($row['cc_encrypt']))

More below...

> // Encryption is set up at the top of the script:
> $crypto = mcrypt_module_open('rijndael-256', '', 'ofb', '');
> $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($crypto), MCRYPT_DEV_RANDOM);
> $ks = mcrypt_enc_get_key_size($crypto);
> $key = substr(md5('my_funky_term'), 0, $ks);
> 
> // When the card number is collected by the form, it's encrypted:
> $cc_number = addslashes($_POST['cc_number']);
> mcrypt_generic_init($crypto, $key, $iv);
> $cc_encrypt = mcrypt_generic($crypto, $cc_number);
> mcrypt_generic_deinit($crypto);
> 
> // This is written to the database:
> $query = "update accounts set cc_encrypt='$cc_encrypt', encrypt_iv='$iv', other_fields='$other_stuff' where id='$account_id' limit 1";
> $result = mysql_query($query) or die(mysql_error());

No mysql_real_escape_string()?

> Both the cc_encrypt and encrypt_iv fields are tinytext, latin1_swedish_ci, MyISAM, MySQL 5.0.91

Why are you using text fields for storing binary data?
Sounds like this could go horribly wrong for a number
or reasons.

> In another script, when I retrieve, I first set it up at the top of the script exactly like step #1 above, then retrieve it like this:
> 
> mcrypt_generic_init($crypto, $key, $row['encrypt_iv']);
> $cc_number = trim(mdecrypt_generic($crypto, $row['cc_encrypt']));
> mcrypt_generic_deinit($crypto);


/Nisse

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux