Storing credit card numbers is dangerous; look at the mcrypt functions, as
previously mentioned.

I would encrypt the user's credit card number with a key based on their
account password; this gives you the ability to not store the encryption key
on the webserver.  You should mangle it, encrypt it with a temp key, etc.  I
would mangle their password some way to make it a more secure password; don't
trust a user to pick a safe or secure password.  Make sure you store the
users' passwords as an md5 hash so that if your machine is compromised the bad
guys can't easily get your users' passwords.

Just running the database server on an isolated machine does not solve the
problem of keeping the data secure, and neither does running a firewall
between the two.  Obviously your web server needs access to the database;
that in itself will enable a "bad guy" to access your database once he has
access to your web server, because the firewall allows access from your
webserver to the database server.  Speed of connection to the database server
doesn't really matter (how long does it take to transfer 16 characters?).  If
you are not using encryption, or store the key on your web server, he has
full access to all of your credit card numbers.

Secure both your webserver and your database server and the host OS they run
on (I would NOT use Windows).  Run tripwire or another similar program to
monitor your PHP scripts; if someone were to hack your machine they could
modify your PHP code to email them your users' passwords.  Also conduct all
transactions across at least 128 bit SSL.  Do NOT store the credit card
number or login password unencrypted in a session; sessions are plain text
by default, and someone with access to your machine can read the session
files or access your database and read the information.

Make sure you really need to store credit cards; one bug and some script
kiddie has your credit card information.

Jason
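The layout Jason describes (the card encrypted under a key derived from the
account password rather than a key stored on the web server, and the password
itself stored only as a hash), as an added example in current PHP. This is not
code from the thread: it uses openssl_encrypt with AES-256-GCM and
password_hash in place of mcrypt and md5, and assumes PHP 7.1+ with the
openssl extension.

```php
<?php
// Added example, not code from the thread: the design Jason describes, done
// with PHP's openssl and password_hash functions instead of mcrypt. The AES
// key is derived from the user's login password, so no key sits on the web
// server; only a password hash and the ciphertext record are stored.
// Assumes PHP 7.1+ with the openssl extension.
const KDF_ITERATIONS = 200000;

// Derive a 256-bit key from the password with PBKDF2-HMAC-SHA256. The salt is
// per record and stored alongside it; it is separate from the password hash.
function derive_card_key(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
}

// Encrypt the card number with AES-256-GCM, which also authenticates the
// ciphertext so a wrong key or a modified record is detected on decrypt.
function encrypt_card_number(string $pan, string $password): array
{
    $salt = random_bytes(16);
    $iv   = random_bytes(12);   // fresh 96-bit nonce for every encryption
    $tag  = '';
    $ct   = openssl_encrypt($pan, 'aes-256-gcm', derive_card_key($password, $salt),
                            OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // base64 so the pieces fit in ordinary VARCHAR columns
    return array_map('base64_encode',
        ['salt' => $salt, 'iv' => $iv, 'tag' => $tag, 'ct' => $ct]);
}

// Returns the card number, or null if the password is wrong or the record
// was tampered with (the GCM tag check fails).
function decrypt_card_number(array $rec, string $password): ?string
{
    $r   = array_map('base64_decode', $rec);
    $pan = openssl_decrypt($r['ct'], 'aes-256-gcm', derive_card_key($password, $r['salt']),
                           OPENSSL_RAW_DATA, $r['iv'], $r['tag']);
    return $pan === false ? null : $pan;
}

// Constructed demo values: a standard test PAN and a throwaway password.
$password = 'correct horse battery staple';
$pwHash   = password_hash($password, PASSWORD_DEFAULT); // what the users table stores
$record   = encrypt_card_number('4111111111111111', $password);
if (password_verify($password, $pwHash)) {
    var_dump(decrypt_card_number($record, $password));
}
var_dump(decrypt_card_number($record, 'not the password'));
```

Because the key exists only while the user's password is in hand, a password
change must re-encrypt the stored record, and a forgotten password makes the
card data unrecoverable.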


-----Original Message-----
From: Someone Somewhere [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 10, 2002 10:48 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Secure storage of credit card information


I'm working on an e-commerce site and I need to store the credit card info
of people who purchase stuff on the site. How can I encrypt the credit card
#, put it in a dbase, and decrypt it when I need to?

Using PHP 4.* and MySQL.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php