Peter wrote:
> So I'm thinking about how to save credit card numbers in the DB, for
> re-charging cards for subscriptions, new orders, etc.
> I'm also thinking about how to save passwords in the DB, not plaintext, but
> not one-way encrypted either.
> Any suggestions? How would I secure the database? I'm thinking some
> abstract process in code, or something -- security through obscurity.
If you need to perform the bank operations, then you can use GPG to send yourself by e-mail the last 4 or 5 digits of a credit card when the user completes the registration process or makes his first purchase. In this way, you have only a portion of the card number in your DB, and you can offer the user a way to recognise his own card. Even if somebody is able to get into your system, he cannot find any complete information.

Anyway, if your system is compromised, anyone can change your own PHP scripts, etc., so be careful. If you can use PayPal or a bank, it is the best option because you are free of responsibility.

Note that although you can use Zend Encoder or similar, anyone can encode new scripts to supplant your own. Also, he can obtain memory dumps, reverse your secret-key scripts, etc. Unfortunately, as far as I know, the popular encoders don't provide means to implement security to authenticate our own scripts, nor a way to protect passwords resident in memory.

Additionally, this utility http://www.ossec.net/owl/ can monitor your web pages by performing periodic MD5 checksums, but it is not a final solution if somebody is inside your server.

Having good security can be a very hard task, while putting a PayPal button is a trivial thing.

br,
Vicent

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
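The two defensive ideas in Vicent's reply, keeping only a fragment of the card in the database and detecting modified scripts with a checksum baseline, as an added PHP example that is not part of the original thread. It assumes a PHP 7.4+ CLI; the directory layout, file names and the card number used in the demonstration are constructed for illustration, and SHA-256 is used in place of the MD5 the reply mentions (the comparison logic is identical).

```php
<?php
// Added example, not code from the thread. Two small defensive helpers:
// 1. cardFragment(): reduce a card number to the last four digits before
//    anything is written to the database; the full number is never returned.
// 2. buildBaseline()/verifyBaseline(): hash a script tree once from a trusted
//    copy, then compare later runs against that baseline to spot changed,
//    added or missing files (the same idea as the periodic checksum monitor
//    mentioned in the reply, but run from your own cron job).

/**
 * Return only what is worth storing about a card: the last four digits and a
 * masked display string. Rejects anything that is not 12 to 19 digits.
 */
function cardFragment(string $pan): array
{
    $digits = preg_replace('/\D/', '', $pan);
    $len = strlen($digits);
    if ($len < 12 || $len > 19) {
        throw new InvalidArgumentException('card number must have 12 to 19 digits');
    }
    $last4 = substr($digits, -4);
    return [
        'last4'   => $last4,
        'display' => str_repeat('*', $len - 4) . $last4,
    ];
}

/**
 * Hash every file under $dir recursively and return a sorted map of
 * relative path => hex SHA-256 digest.
 */
function buildBaseline(string $dir): array
{
    $dir = rtrim($dir, '/');
    $baseline = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $rel = substr($file->getPathname(), strlen($dir) + 1);
        $baseline[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($baseline);
    return $baseline;
}

/**
 * Compare the current tree against a stored baseline. Returns the lists of
 * changed, added and missing files; all three empty means nothing moved.
 */
function verifyBaseline(string $dir, array $baseline): array
{
    $current = buildBaseline($dir);
    $changed = [];
    foreach ($current as $path => $hash) {
        if (isset($baseline[$path]) && $baseline[$path] !== $hash) {
            $changed[] = $path;
        }
    }
    return [
        'changed' => $changed,
        'added'   => array_values(array_diff(array_keys($current), array_keys($baseline))),
        'missing' => array_values(array_diff(array_keys($baseline), array_keys($current))),
    ];
}

// Self-contained demonstration on a constructed temporary directory:
// take the baseline, tamper with one file, drop in a new one, then verify.
$tmp = sys_get_temp_dir() . '/baseline_demo_' . getmypid();
mkdir($tmp);
file_put_contents("$tmp/index.php", "<?php echo 'hello';\n");
$baseline = buildBaseline($tmp);

file_put_contents("$tmp/index.php", "<?php echo 'tampered';\n");
file_put_contents("$tmp/extra.php", "<?php // file that was not in the baseline\n");
print_r(verifyBaseline($tmp, $baseline));   // changed: index.php, added: extra.php

// Constructed card number (a well-known test value, not a real card).
print_r(cardFragment('4111 1111 1111 1111')); // last4: 1111, display: ************1111

array_map('unlink', glob("$tmp/*.php"));
rmdir($tmp);
```

In practice, generate the baseline from a known-good copy of the site, store it somewhere the web server cannot write (off the box if possible), and have cron run `verifyBaseline()` and alert on any non-empty list. As the reply points out, a checker running on the same compromised host can itself be tampered with, so treat it as an early-warning signal rather than a guarantee.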