Re: [PHP] Re: Help! Made a boo-boo encrypting credit cards

Fri, 04 Mar 2011 06:26:41 -0800 

2011/3/4 Nisse Engström <news.nospam.0ixbt...@luden.se>:
> On Fri, 11 Feb 2011 14:42:18 -0800, Brian Dunning wrote:
>
>> Hey all -
>>
>> I'm using mcrypt to store credit cards into MySQL. About 90%
>> of them decrypt fine, but about 10% decrypt as nonsense
>> ("b1�\�JEÚU�A���" is a good example). Maybe there is a
>> character that appears in about 10% of my encryptions that's
>> not being encoded properly???
>
> Can you come up with a phony CC number that fails the
> decryption? If so, please post:
>
>  $cc_number
>  binhex($iv)
>  binhex($cc_encrypt)
>  binhex($row['encrypt_iv']))
>  binhex($row['cc_encrypt']))
>
> More below...
>
>> // Encryption is set up at the top of the script:
>> $crypto = mcrypt_module_open('rijndael-256', '', 'ofb', '');
>> $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($crypto), MCRYPT_DEV_RANDOM);
>> $ks = mcrypt_enc_get_key_size($crypto);
>> $key = substr(md5('my_funky_term'), 0, $ks);
>>
>> // When the card number is collected by the form, it's encrypted:
>> $cc_number = addslashes($_POST['cc_number']);
>> mcrypt_generic_init($crypto, $key, $iv);
>> $cc_encrypt = mcrypt_generic($crypto, $cc_number);
>> mcrypt_generic_deinit($crypto);
>>
>> // This is written to the database:
>> $query = "update accounts set cc_encrypt='$cc_encrypt', encrypt_iv='$iv', 
>> other_fields='$other_stuff' where id='$account_id' limit 1";
>> $result = mysql_query($query) or die(mysql_error());
>
> No mysql_real_escape_string()?
>
>> Both the cc_encrypt and encrypt_iv fields are tinytext, latin1_swedish_ci, 
>> MyISAM, MySQL 5.0.91
>
> Why are you using text fields for storing binary data?
> Sounds like this could go horribly wrong for a number
> or reasons.
>
>> In another script, when I retrieve, I first set it up at the top of the 
>> script exactly like step #1 above, then retrieve it like this:
>>
>> mcrypt_generic_init($crypto, $key, $row['encrypt_iv']);
>> $cc_number = trim(mdecrypt_generic($crypto, $row['cc_encrypt']));
>> mcrypt_generic_deinit($crypto);
>
>
> /Nisse
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Considering their is no validation of the credit card number, you
could just use a random string of numbers starting with 99.

According to 
http://en.wikipedia.org/wiki/List_of_Bank_Identification_Numbers#References,
nothing starts with 99.



-- 
Richard Quadling
Twitter : EE : Zend
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to