>Sorry to be slightly OT, but I've prolly answered 1000 OT posts in the last
>year, and this IS related for all those without mcrypt, so...
>I'm on a shared server which does not have mcrypt... not good, since I want
>to temporarily store credit card numbers in an encrypted manner, either in a
>MySQL database, or in a text file.
>So I started google'ing for a class or something that someone may have
>written for two-way encryption WITH A KEY TO UNLOCK.
>Couldn't find much, then did a search on MySQL.com, and found the ENCRYPT(),
>DECRYPT(), ENCODE() and DECODE() functions.
>Am I barking up the wrong tree, or can these be used for storing sensitive
>information (credit card, etc etc) in a mysql table?
>The MySQL manual isn't particularly in-depth about it all:

You're barking down the wrong well. :-)

If PHP can *DECRYPT* the data in your database, then it's not very secure AT
ALL.  It's just too easy for a hacker to get a script uploaded/installed and
then run it and snatch all the cc #'s.

To answer your question:

ENCRYPT will not help, as it's one-way.  You could ask somebody to re-enter
their CC# and see if it's the same as before or not, but not "un-do" the

Plain old ENCODE and DECODE don't even tell you which algorithm is used, so
that's useless.

AES_ENCRYPT/AES_DECRYPT is using 128-bit encryption, which would be fine,
but *ANYBODY* who manages to read your "password" (aka "key_string" in the
arg_list) could snatch the CC#s.  Since PHP can read the source to execute
to get the password, that makes this suitable *ONLY* if:
1. You are using SSL (HTTPS)
2. You *NEVER* store the password anywhere -- It must be typed by a human
into the web-page to store/retrieve the CC#s.
That doesn't sound like what you want.

DES_ENCRYPT/DES_DECRYPT is using DES which doesn't totally suck, but, again,
the issue is the des_key_files.  If *THOSE* are secure from prying eyes, but
MySQL can still read them somehow, it might be "okay"...  But making it
possible for MySQL to read them, but not "too open" for other users is
somewhat of an oxymoron, maybe.  I dunno enough about how MySQL accesses
these files and if it starts as 'root' like Apache and then does 'su' or
what, but I'd be very, very careful figuring out *exactly* how MySQL can
read these files safely, but a rogue user should have *NO* *CHANCE* at
getting to them.

Bottom line -- You've *GOT* to make sure you have no chinks in the armour.

Like Music?  http://l-i-e.com/artists.htm
I'm looking for a PRO QUALITY two-input sound card supported by Linux (any
major distro).  Need to record live events (mixed already) to stereo
CD-quality.  Soundcard Recommendations?
Software to handle the recording? Don't need fancy mixer stuff.  Zero (0)
post-production time.  Just raw PCM/WAV/AIFF 16+ bit, 44.1KHz, Stereo
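
The two conditions the reply sets for AES_ENCRYPT/AES_DECRYPT (HTTPS, and a key that is typed by a human and never stored) can be sketched in PHP as follows. This is an added example, not code from the thread; the `cards` table, the form field names `key`, `id` and `pan`, the DSN, the `SHOP_DB_PASSWORD` variable and the 16-character minimum are all assumptions made for illustration.

```php
<?php
// Added example, not code from the original thread.
// Assumed (hypothetical) table: cards(id INT PRIMARY KEY, pan_enc VARBINARY(64)).
// Assumed form fields: key, id, pan. DSN and credentials are placeholders.

function require_https(array $server): void
{
    // Condition 1: the typed key must never cross the network in clear text.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        throw new RuntimeException('Key submitted over plain HTTP; refusing.');
    }
}

function store_card(PDO $db, int $id, string $pan, string $key): void
{
    // MySQL encrypts server-side; only ciphertext is written to the table.
    $sql = 'REPLACE INTO cards (id, pan_enc) VALUES (?, AES_ENCRYPT(?, ?))';
    $db->prepare($sql)->execute([$id, $pan, $key]);
}

function fetch_card(PDO $db, int $id, string $key): ?string
{
    $stmt = $db->prepare('SELECT AES_DECRYPT(pan_enc, ?) FROM cards WHERE id = ?');
    $stmt->execute([$key, $id]);
    $pan = $stmt->fetchColumn();
    // A wrong key yields NULL or garbage, so accept only a digit string.
    return (is_string($pan) && preg_match('/^\d{12,19}$/', $pan)) ? $pan : null;
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    require_https($_SERVER);
    // Condition 2: the key exists only in this request's memory. It is not
    // placed in the source, a config file, the session, a cookie, or a log.
    $key = (string) ($_POST['key'] ?? '');
    if (strlen($key) < 16) { // assumed minimum length
        http_response_code(400);
        exit('Key missing or too short.');
    }
    $db = new PDO('mysql:host=localhost;dbname=shop', 'shop_user',
        (string) getenv('SHOP_DB_PASSWORD'), [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $id = (int) ($_POST['id'] ?? 0);
    if (isset($_POST['pan'])) {
        store_card($db, $id, preg_replace('/\D/', '', (string) $_POST['pan']), $key);
        echo 'Stored.';
    } else {
        $pan = fetch_card($db, $id, $key);
        echo $pan === null ? 'Wrong key or no such record.' : 'Card ending ' . substr($pan, -4);
    }
}
```

The key still travels from PHP to the MySQL server as a statement parameter, so the database side has to be trusted with it for the duration of each query.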
