Peter wrote:

> So I'm thinking about how to save credit card numbers in the DB, for
> re-charging cards for subscriptions, new orders, etc.
> I'm also thinking about how to save passwords in the DB, not plaintext, but
> not one-way encrypted either.
> Any suggestions?  How would I secure the database?  I'm thinking some
> abstract process in code, or something -- security through obscurity.

If you need to perform the bank operations, then you can use GPG to
send yourself by e-mail the last 4 or 5 digits of a credit card when the
user completes the registration process or makes his first purchase.
In this way, you have in your DB only a portion of the card number,
and you can offer the user a way to recognise his own card.
Even if somebody is able to get into your system, he cannot find
any complete information.
Anyway, if your system is compromised, anyone can change your own
PHP scripts, etc., so be careful. If you can use PayPal or a bank, it
is the best option because you are free of responsibility.

Note that although you can use Zend Encoder or similar, anyone can
encode new scripts to supplant your own. Also, he can obtain memory
dumps, reverse your secret-key scripts, etc. Unfortunately, as far as I
know, the popular encoders don't provide means to implement security
to authenticate our own scripts, nor a way to protect passwords
resident in memory. Alternatively, a utility can monitor your web pages by performing
periodic MD5 checksums, but it is not a final solution if somebody is
inside your server.

Having a good security can be a very hard task while putting a Paypal
button is a trivial thing.
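The checksum monitoring mentioned above (a baseline of script digests compared periodically against the live tree) is easy to script. The following is an added example, not code from the original post or any utility it refers to; it uses SHA-256 rather than MD5 for the digests, builds a constructed PHP tree in a temporary directory, simulates the three things a tamper check must catch (a modified file, an unexpected new file, a deleted file) and reports them. The file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=(".php",)):
    """Map each script under root (relative POSIX path) to its digest."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def compare_to_baseline(baseline, current):
    """Return the paths that changed, appeared, or disappeared since the baseline."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "db.php").write_text("<?php // db config ?>\n")

        # The baseline should be taken from a known-good tree and kept
        # off the web server, otherwise an intruder can simply update it.
        baseline = build_baseline(root)

        # Simulated tampering: one script edited, one planted, one deleted.
        (root / "lib" / "db.php").write_text("<?php // db config, altered ?>\n")
        (root / "unexpected.php").write_text("<?php ?>\n")
        (root / "index.php").unlink()

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline dictionary is written once from a clean checkout and stored (and the check run) from a machine the web server cannot write to; as the post notes, a check that lives on the compromised host can itself be altered.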



PHP Database Mailing List (