p2p.wrox.com Forums


beginning_php thread: question about PHP parsing....


Message #1 by "Dan Ostrowski" <dan@t...> on Sun, 21 Apr 2002 21:11:52
greets all,


i am working on a secure form for simply taking and recording to file 
credit card numbers.

the friend i am working for is maintaining a webpage for a non-profit run 
of some sort and he wants to be able to take credit card numbers... dump 
them into a file.. then pull the numbers up securely.. run them at the 
office... and then delete them.

i am thinking I will take the order info securely.. then, using PHP, write 
ANOTHER PHP file with array data!  It WILL be parsed by a web browser, 
right? so as long as the file simply contains variables that will remain 
server side, it won't matter.  this is how I have heard most include files 
are kept, so it should be safe, right?

even if someone tried to open my file via browser, they couldn't do it, 
and PHP does not allow inclusion or opening of remote files...

yes? no?

cheers,
dan
Message #2 by Peter Simard <pasimard@v...> on Sun, 21 Apr 2002 16:29:15 -0400
Hello Dan,

Sunday, April 21, 2002, 5:11:52 PM, you wrote:

That sounds dangerous to me.  IMHO you should never be storing the
credit card numbers for later retrieval.  The whole process should be
transaction specific: CC#-->approval/decline-->process order-->confirm.
 No CC# data ever being stored.

-- 
Best regards,
 Peter                            mailto:pasimard@v...


Message #3 by "Dan Ostrowski" <dan@t...> on Sun, 21 Apr 2002 21:58:18
i don't particularly like it either, but it's what they wanted to do. as 
long as it's a secure process, my part is done.

i think i have done it.  in the folder that holds the information, i put 
in a "require SSL" .htaccess file so that you can only get the data over 
secure socket layer.  it also (i tested it with my personal webspace) will 
NOT work in remote includes or file opening.

the only way that the information can be successfully accessed is via an 
include ON THE SERVER.  unless you can ftp to the server, you can't create 
a file that opens it. all the info is safe in transit if you use the 
regular form.

that's all he wanted done, and I think i have it...

but if you think of any loopholes...

dan
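
The approach discussed in this thread (PHP writing a second PHP file that holds the data as an array, read back only through a server-side include), as an added example that is not code from either poster. The function names, the directory and the sample record are assumptions; keeping the files outside the document root is a choice of this example, made so that the data does not depend on the PHP handler or an .htaccess rule staying in place.

```php
<?php
// Added example, not code from the thread. Function names, the directory
// and the sample record are assumptions made for illustration.

// Assumed directory outside the document root: no URL maps to these files,
// so they are not served as plain text if the PHP handler is ever disabled.
define('ORDER_DIR', getenv('ORDER_DIR') ?: '/var/www/private/orders');

function save_order(array $order): string
{
    if (!is_dir(ORDER_DIR) && !mkdir(ORDER_DIR, 0700, true)) {
        throw new RuntimeException('cannot create ' . ORDER_DIR);
    }
    // Random name, so pending files cannot be found by guessing.
    $path = ORDER_DIR . '/' . bin2hex(random_bytes(16)) . '.php';

    // var_export() escapes quotes and backslashes, so form input stays
    // inside the array literal and is never run as code on include.
    $source = "<?php\nreturn " . var_export($order, true) . ";\n";

    $old = umask(0077);          // owner-only permissions from creation
    $fh = fopen($path, 'x');     // 'x' refuses to overwrite an existing file
    umask($old);
    if ($fh === false || fwrite($fh, $source) !== strlen($source)) {
        throw new RuntimeException('cannot write order file');
    }
    fclose($fh);
    return $path;
}

function load_order(string $path): array
{
    // Include only files that really sit in ORDER_DIR (no ../ or symlinks out).
    $real = realpath($path);
    if ($real === false || dirname($real) !== realpath(ORDER_DIR)) {
        throw new InvalidArgumentException('not an order file');
    }
    return include $real;
}

// Constructed sample record; 4111111111111111 is a test number, not a real card.
$path = save_order(['name' => "O'Brien", 'card' => '4111111111111111']);
$order = load_order($path);
echo $order['name'], ' ', substr($order['card'], -4), "\n";
unlink($path);   // remove the file once the card has been run at the office
```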
