Re: [PHP] Secure monetary transactions
On Mon, Feb 7, 2011 at 2:06 PM, Paul M Foster wrote:
> (Sorry-- originally sent without subject.)
>
> I have a customer who currently has his site set up this way: donors
> select (on a non-secure page) the level of donation they want to donate,
> provide their name and an attestation, etc. None of the data is
> confidential. Then they press the button, and we send them off to a
> secure payment gateway operated by the merchant service company. They
> take down the credit card and other information, clear the transaction,
> and pass the approval/disapproval info back to my customer's website. An
> email then gets fired to my customer containing all the data about the
> transactions EXCEPT the confidential information, like credit card
> number, etc.
>
> In essence, my customer is not responsible for any confidential/secure
> information, which is all handled by the merchant gateway.
>
> For whatever unknown reason, my customer has been convinced they should
> go with a different merchant service company. However, this company
> doesn't have the same kind of secure payment pages. (Yes, they're
> legitimate, but they're simply a payment processor. They don't have the
> additional site to accept manual input of payment information and such.)
> I've explained to my customer that, in doing this, he will need:
>
> 1) a fixed IP ($)
>
> 2) a security certificate ($)
>
> 3) an online store (as opposed to a single page he has now)
>
> 4) a whole new set of PCI responsibilities which his organization is not
> prepared to fulfill. ($)
>
> I'm certain people on this list have set up this type of system for
> customers. So I have some questions:
>
> 1) Does the usual online store software (osCommerce or whatever) include
> "secure" pages for acceptance of credit cards? I know they have the
> capability to pass this info securely off to places like authorize.net
> for processing.
>
> 2) Assuming a customer website, probably hosted in a shared hosting
> environment, with appropriate ecommerce store software, how does one
> deal with PCI compliance? I mean, the customer would have no control
> over the data center where the site is hosted. Moreover, they would
> probably have little control over the updating of insecure software, as
> demanded by PCI. They likely don't have the facilities to do the type of
> penetration testing PCI wants. So how could they (or how do you) deal
> with the potentially hundreds of questions the PCI questionnaire asks
> about all this stuff? How do you, as a programmer doing this for a
> customer, handle this?
>
> Paul
>
> --
> Paul M. Foster
> http://noferblatz.com
>

Paul,

From what I remember of doing PCI compliance a few years back, compliance requires control over the environment (software applications, servers, network, back end storage i.e. SQL server, other sites/facilities connected on the company WAN, etc). Everything within the said environment has to be secure (including the encryption of PI storage), limited access, and auditing mechanism of all access and changes within the said environment, including constant rotating password/code (logon authentication, code to server room, etc.) where use of past password/code is prohibited.

So for your 2nd question, as a programmer, you could do something about the application. For the rest, you'll have to find a hosting provider that already qualified for PCI or your client/boss will have to host it themselves and qualify for PCI. I think the former would be hard to find. The latter will most likely be costly and very time consuming if the need is immediate.

Regards,
Tommy

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Secure monetary transactions
(Sorry-- originally sent without subject.)

I have a customer who currently has his site set up this way: donors
select (on a non-secure page) the level of donation they want to donate,
provide their name and an attestation, etc. None of the data is
confidential. Then they press the button, and we send them off to a
secure payment gateway operated by the merchant service company. They
take down the credit card and other information, clear the transaction,
and pass the approval/disapproval info back to my customer's website. An
email then gets fired to my customer containing all the data about the
transactions EXCEPT the confidential information, like credit card
number, etc.

In essence, my customer is not responsible for any confidential/secure
information, which is all handled by the merchant gateway.

For whatever unknown reason, my customer has been convinced they should
go with a different merchant service company. However, this company
doesn't have the same kind of secure payment pages. (Yes, they're
legitimate, but they're simply a payment processor. They don't have the
additional site to accept manual input of payment information and such.)
I've explained to my customer that, in doing this, he will need:

1) a fixed IP ($)

2) a security certificate ($)

3) an online store (as opposed to a single page he has now)

4) a whole new set of PCI responsibilities which his organization is not
prepared to fulfill. ($)

I'm certain people on this list have set up this type of system for
customers. So I have some questions:

1) Does the usual online store software (osCommerce or whatever) include
"secure" pages for acceptance of credit cards? I know they have the
capability to pass this info securely off to places like authorize.net
for processing.

2) Assuming a customer website, probably hosted in a shared hosting
environment, with appropriate ecommerce store software, how does one
deal with PCI compliance? I mean, the customer would have no control
over the data center where the site is hosted. Moreover, they would
probably have little control over the updating of insecure software, as
demanded by PCI. They likely don't have the facilities to do the type of
penetration testing PCI wants. So how could they (or how do you) deal
with the potentially hundreds of questions the PCI questionnaire asks
about all this stuff? How do you, as a programmer doing this for a
customer, handle this?

Paul

--
Paul M. Foster
http://noferblatz.com

Re: [PHP] file upload utility ?
On Mon, Feb 7, 2011 at 11:03, Frank Bonnet wrote:
> I found nothing that's why I wrote this !!!

My point is, you only told everyone what you're trying to do. Not once did you ask a question or mention where you're seeking guidance, other than your ambivalence on file uploads and distribution. The ambiguous nature of your expression makes it even more difficult: you want a utility, not help in authoring it in PHP. This is a PHP programming mailing list for peer-to-peer support by members of the community, not a "tell me the name of software I can download to do this job" group.

--
Network Infrastructure Manager
Documentation, Webmaster Teams
http://www.php.net/

Re: [PHP] file upload utility ?
On 2/7/2011 8:03 AM, Frank Bonnet wrote:
> On 02/07/2011 05:01 PM, Daniel Brown wrote:
>> On Mon, Feb 7, 2011 at 10:56, Frank Bonnet wrote:
>>> Hello
>>>
>>> I'm searching for a utility that lets our users upload a file
>>> on a server, then generates a temporary link that points
>>> to the real file.
>>>
>>> As this is for internal use we don't need security, the file
>>> can be read by anyone.
>>>
>>> The goal is to distribute the file to our users by sending
>>> them an email containing the address of the http temporary
>>> link instead of sending it as an email attachment X 1000 ...
>> Sounds great. Good luck in your Google search.
>>
> I found nothing that's why I wrote this !!!
>

Frank,

Not sure what words you used, here were mine:

php file upload examples

Those words resulted in these two at the top of the list:

http://www.tizag.com/phpT/fileupload.php
http://www.w3schools.com/PHP/php_file_upload.asp

I briefly read each of them and they are sufficient for what you are trying to do.

All you have to do is tie in the email portion and that's that.

So, again, to google, I typed these wonderful words of wisdom:

php email example

The first result was this:

http://www.w3schools.com/PHP/php_mail.asp

This will get you a very simple email script working. Personally, I would not do it this way, but since you mention that this will be all internal, it will probably do just fine.

If you want a little more control over the email or plan to use this to send email to outside recipients, I would recommend doing it differently.

phpmailer

Download that package, then follow its tutorials on how to set it up and send emails.

phpmailer examples

The first result is this:

http://phpmailer.worxware.com/index.php?pg=examples

It has a variety of examples that should cover almost any scenario you can possibly think of.

Just one thing, do not try and be a cut/paste god here. Actually take time to read the examples and understand what they do before you put them into production.

This will now end my "How to use Google" segment for the day.

Jim Lucas

Re: [PHP] file upload utility ?
"Frank Bonnet" wrote:
>On 02/07/2011 05:01 PM, Daniel Brown wrote:
>> On Mon, Feb 7, 2011 at 10:56, Frank Bonnet wrote:
>>> Hello
>>>
>>> I'm searching for a utility that lets our users upload a file
>>> on a server, then generates a temporary link that points
>>> to the real file.
>>>
>>> As this is for internal use we don't need security, the file
>>> can be read by anyone.
>>>
>>> The goal is to distribute the file to our users by sending
>>> them an email containing the address of the http temporary
>>> link instead of sending it as an email attachment X 1000 ...
>> Sounds great. Good luck in your Google search.
>>
>I found nothing that's why I wrote this !!!
>

Try googling for the following bits:

File upload form
move_uploaded_file()
file_get_contents()

That will get you going, then if you have written a script and get stuck then you can ask us on specifics here. We don't write whole code for you.

Thanks
Ash
http://www.ashleysheridan.co.uk

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Re: [PHP] file upload utility ?
On 02/07/2011 05:01 PM, Daniel Brown wrote:
> On Mon, Feb 7, 2011 at 10:56, Frank Bonnet wrote:
>> Hello
>>
>> I'm searching for a utility that lets our users upload a file
>> on a server, then generates a temporary link that points
>> to the real file.
>>
>> As this is for internal use we don't need security, the file
>> can be read by anyone.
>>
>> The goal is to distribute the file to our users by sending
>> them an email containing the address of the http temporary
>> link instead of sending it as an email attachment X 1000 ...
> Sounds great. Good luck in your Google search.

I found nothing that's why I wrote this !!!

Re: [PHP] file upload utility ?
On Mon, Feb 7, 2011 at 10:56, Frank Bonnet wrote:
> Hello
>
> I'm searching for a utility that lets our users upload a file
> on a server, then generates a temporary link that points
> to the real file.
>
> As this is for internal use we don't need security, the file
> can be read by anyone.
>
> The goal is to distribute the file to our users by sending
> them an email containing the address of the http temporary
> link instead of sending it as an email attachment X 1000 ...

Sounds great. Good luck in your Google search.

--
Network Infrastructure Manager
Documentation, Webmaster Teams
http://www.php.net/

[PHP] file upload utility ?
Hello

I'm searching for a utility that lets our users upload a file
on a server, then generates a temporary link that points
to the real file.

As this is for internal use we don't need security, the file
can be read by anyone.

The goal is to distribute the file to our users by sending
them an email containing the address of the http temporary
link instead of sending it as an email attachment X 1000 ...

Thank you

Re: [PHP] String length output in php-generated response
On 6 February 2011 15:57, Florin Jurcovici wrote:
> said it, Bush junior proved it

Is this actually part of the output?

--
Richard Quadling
Twitter : EE : Zend
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY

Re: [PHP] Bilingual strtotime()
Alexis wrote:
> So basically, the answer is no :)
> Looks like I'll simply do a replace of the French named months with
> English ones.
>
> Would have thought the length of time that PHP has been around and
> with people around the world, speaking more than just one language,
> that language support would have progressed further than it appears to
> have. Apparently not.

That's not really fair - IMO, developers of multi-lingual applications usually keep data in a language/locale-neutral format and only transform to language/locale-specific when the data is being presented. strtotime() is an unusual function in that it attempts the reverse - transform arbitrary text into data.

--
Per Jessen, Zürich (5.2°C)

RE: [PHP] String length output in php-generated response
> -----Original Message-----
> From: Florin Jurcovici [mailto:florin.jurcov...@gmail.com]
> Sent: 06 February 2011 15:57

> I'm trying to build myself a small JSON-RPC server using PHP.
>
> Using wireshark, here's the conversation:
>
> Request:

[...snip...]

> Response:
> HTTP/1.1 200 OK
> Date: Sun, 06 Feb 2011 15:04:08 GMT
> Server: Apache/2.2.14 (Ubuntu)
> Accept-Ranges: bytes
> X-Powered-By: PHP/5.3.2-1ubuntu4.7
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Transfer-Encoding: chunked
> Content-Type: application/json; charset=UTF-8
>
> 6f
> {"id":2,"result":{"service":"test.service","method":"method",
> "id":2,"params":[{"code":"client"}]},"error":null}
> 0

That's nothing to do with PHP -- it's http chunked encoding, as indicated by the "Transfer-Encoding: chunked" header, and is handled by Apache and your browser. It's totally expected and totally harmless. Read about it here: http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.6

Cheers!

Mike

--
Mike Ford,
Electronic Information Developer, Libraries and Learning Innovation,
Leeds Metropolitan University, C507 City Campus,
Woodhouse Lane, LEEDS, LS1 3HE, United Kingdom
Email: m.f...@leedsmet.ac.uk
Tel: +44 113 812 4730

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
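
The chunk framing described in the reply above, as an added example that is not part of the original thread: a strict Python decoder for an HTTP/1.1 chunked body, run over the response body from the capture, where `6f` is the hexadecimal length (111 bytes) of the JSON and `0` is the terminating chunk. The CRLF line endings are reconstructed (the e-mail dropped them), and `decode_chunked` and `decode_capture` are hypothetical names.

```python
import json

# Body of the response in the capture, rebuilt with HTTP's CRLF line endings
# (constructed: the e-mail wrapped the JSON and dropped the line endings).
JSON_TEXT = ('{"id":2,"result":{"service":"test.service","method":"method",'
             '"id":2,"params":[{"code":"client"}]},"error":null}')
CAPTURED_BODY = b"6f\r\n" + JSON_TEXT.encode() + b"\r\n0\r\n\r\n"
HEX = b"0123456789abcdefABCDEF"


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body (RFC 2616 section 3.6.1); reject bad framing."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated: no CRLF after chunk-size line")
        # Size line: hex digits, optionally followed by ";extension".
        # Checked by hand because int(x, 16) also accepts "0x6f", "+6f", " 6f".
        field = body[pos:eol].split(b";", 1)[0]
        if not field or any(c not in HEX for c in field):
            raise ValueError(f"bad chunk size {field!r}")
        size, pos = int(field, 16), eol + 2
        if size == 0:
            break
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data shorter than declared or not CRLF-terminated")
        out += chunk
        pos += size + 2
    # After the zero-size chunk: optional trailer lines, then an empty line.
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated: missing final CRLF")
        if eol == pos:
            return bytes(out)
        pos = eol + 2


def decode_capture() -> dict:
    """Decode the captured body and parse the JSON-RPC payload inside it."""
    return json.loads(decode_chunked(CAPTURED_BODY))


if __name__ == "__main__":
    print(hex(len(JSON_TEXT)))   # length of the payload, as sent in the size line
    print(decode_capture())
```
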