> I'm new to PHP and to e-commerce. Needless to say, I've done a lot of
> studying over the last few weeks and I'm ready to dive in head first!

Actually, you're not...  Sorry.  The fact that you want to store data in
flat files, and that you want to store CREDIT CARD INFO the way you describe
tells me that you haven't read enough.

> I'll be building an e-commerce site and I'll be using PHP. I'd like
> customers to have the option of saving their information so that they
> don't have to enter it each time they purchase -- much like Buy.com does
> or like Amazon.com's One-Click feature.

Those are nice features, *IF* the information is stored and accessed
properly.

> This means that the customer will be storing information like one or more
> credit cards, shipping addresses, billing addresses, etc.
>
> I'm planning on storing all information in flat files so that I don't have
> the additional expense of using MySQL (My ISP is charging 24.95/month
> extra for MySQL service).

Consider moving to a different server.  $24.95/month should get you
everything you need including MySQL *UNLESS* you're a high-volume site with
10,000+ hits/day or heavy bandwidth like audio/video.

> So the question is: How can I store each customer's information safely?
> Can I use .htaccess and .htpasswd to help me out? Or don't they even apply?

.htaccess and htpasswd would be okay for AUTHENTICATION of a few people, but
if your server is running PHP as a Module, you're better off using PHP to do
the HTTP Authentication.  See the PHP manual online for sample code.
http://php.net/

Authenticating a user as a specific customer is COMPLETELY SEPARATE from
safely storing their credit card information.

> My intention is to store the user's password encoded with md5 or something
> and also to develop my own cipher for disguising the credit card numbers
> as well.
>
> Any suggestions?

Don't.

md5 is useless for this, and developing your own cipher is out-and-out silly
unless you are a cryptography expert.

When Amazon et al store a credit card number, they have a very specific
custom setup for that, involving:

A separate dedicated computer *NOT* directly connected to the Internet to
store the cc info.  These machines are:
  accessible via a SECOND Ethernet card in the web-servers
  invisible to the outside world
  only accept connections to the Database server -- no other software
  installed
  only accept data from that one Ethernet cable
  physically accessible only to trusted few

Further, even their web-servers are DEDICATED machines, not shared-access at
an ISP.  These machines will have an extremely limited number of users able
to directly access them.  Yours has several hundred untrusted users.

In short, if you are balking at $24.95 a month for MySQL, your budget is
*NOWHERE* *NEAR* within reach of the hardware/software/facilities required
to safely STORE credit card numbers.

By all means, feel free to hook up with a third-party firm to process your
credit cards in real-time.

But you'll have to forego the STORAGE of credit card info feature for now.

--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use
[EMAIL PROTECTED]
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
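The PHP-side HTTP Authentication the reply points to, written out as an added example (it is not code from the post, the list, or the PHP manual). It assumes PHP 7.0 or later and PHP running as an Apache module, which is what populates PHP_AUTH_USER and PHP_AUTH_PW; the account names, passwords and the dummy hash are constructed for the demonstration. It does only what the reply says authentication is for, identifying the customer, and keeps no card data anywhere near the account store.

```php
<?php
// Added example, not code from the original post: HTTP Basic authentication
// done in PHP itself, the approach the reply recommends when PHP runs as an
// Apache module. Assumes PHP 7.0+ (?? operator, password_* functions) and
// mod_php, which populates $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'].

// Constructed sample account store. Only password hashes are kept; they are
// generated here at startup purely for the demonstration. On a real site the
// rows live in a database, and no credit card data sits beside them.
$accounts = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'bob'   => password_hash('hunter2-is-a-bad-password', PASSWORD_DEFAULT),
];

// Dummy hash so an unknown username still costs one password_verify() call,
// keeping the timing the same as for a known user with a wrong password.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

/**
 * Return the authenticated customer id, or null if the request carries no
 * valid Basic credentials. $server is $_SERVER, passed in for clarity.
 */
function authenticateCustomer(array $accounts, string $dummyHash, array $server): ?string
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;
    if ($user === null || $pass === null || $user === '') {
        return null;
    }
    $hash = $accounts[$user] ?? $dummyHash;
    $ok = password_verify($pass, $hash);
    // The dummy hash must never grant access, so require a real account too.
    return ($ok && isset($accounts[$user])) ? $user : null;
}

// Basic auth sends the password with every request in a reversible encoding,
// so serve this over HTTPS only and refuse to authenticate over plain HTTP.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
if (!$isHttps) {
    header('HTTP/1.1 403 Forbidden');
    echo "Log in over HTTPS only.\n";
    exit;
}

$customer = authenticateCustomer($accounts, $dummyHash, $_SERVER);
if ($customer === null) {
    // Challenge the browser; this is the part .htaccess/.htpasswd would otherwise do.
    header('WWW-Authenticate: Basic realm="Customer Account"');
    header('HTTP/1.1 401 Unauthorized');
    echo "Authentication required.\n";
    exit;
}

// From here on $customer identifies the account: saved shipping and billing
// addresses can be looked up under it. Card numbers are deliberately not part
// of this store; payment is handed to a real-time processor, as the reply says.
echo 'Welcome, ' . htmlspecialchars($customer, ENT_QUOTES, 'UTF-8') . "\n";
```

Under CGI rather than mod_php the two PHP_AUTH_* entries are absent, every request is treated as unauthenticated, and the browser is simply re-challenged; that is the distinction the reply draws when it says this only works with PHP as a module.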



-- 
PHP General Mailing List (http://www.php.net/)