php-general Digest 31 May 2010 08:37:29 -0000 Issue 6774

Topics (messages 305659 through 305669):

Re: Credit Card encryption
        305659 by: Phpster
        305665 by: Paul M Foster
        305666 by: Paul M Foster
        305667 by: Paul M Foster

Re: Select Values Didn't Get Passed in From Two Different Forms
        305660 by: Alice Wei

Re: NetBeans Question
        305661 by: Mark Kelly
        305662 by: Mark Kelly
        305663 by: Ashley Sheridan
        305664 by: Mark Kelly
        305668 by: Dušan Novaković
        305669 by: Mario Lacunza

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---


On May 30, 2010, at 10:50 AM, tedd <tedd.sperl...@gmail.com> wrote:

> At 12:43 PM +0200 5/30/10, Peter Lind wrote:
>> On 30 May 2010 07:49, Paul M Foster <pa...@quillandmouse.com> wrote:
>> -snip-
>>
>>> Does anyone have a better solution?
>>
>> I'm sorry if the following sounds a bit harsh, but in matters like
>> these I prefer blunt directness.
>>
>> A few notes. 1) one-way encryption means "no decrypting" - that's what
>> one-way is (like a one-way street, there's no driving the other
>> direction). You're looking for encryption that can be decrypted, not
>> one-way encryption which is otherwise known as hashing. 2) do not
>> store credit card information. Just don't. It's downright stupid to do
>> so, because it's a huge risk for very little gain.  3) farm out risks
>> like these to companies that specialize in dealing with them - you
>> will with 100% certainty not be able to do as good a job as these.
>>
>> The question to ask is not: how to store credit card information
>> securely? The question to ask is: do I really want to be the next
>> person in the internet spotlight because my setup turned out to have a
>> security hole I overlooked?
>
> Paul:
>
> Let me be equally blunt. Peter is absolutely right!
>
> Do NOT have your client store customer credit card information on a
> server -- period! That's the stuff people go to jail over. Instead,
> use a credit card clearing house to do the heavy work, that's what
> they get paid for.
>
> Besides, most credit card processing agencies even require that you
> use the customer's data (cc number, expiry date and CCS) to make the
> sale and then immediately dispose of it afterwards, usually within 24
> hours under a signed agreement. Holding that information for more
> than 24 hours can be a criminal offense regardless of what type of
> hashing you use.
>
> While many of my customers have made the argument that they keep
> hard-copy records of their customer's credit-card information
> in-house and they don't understand why they can't do the same online
> -- I reply that hard-copy kept in a safe behind "brick and mortar" is
> far more secure than digital data behind any "security" code open to
> the world. There isn't a security system out there that can't be
> hacked. If the client insists on keeping this information online,
> then find another client because at some time, someone is going to
> jail and it's not going to be me.
>
> So, let the people who can keep up with technology (a continued
> effort and expense) worry about hackers -- just use their services
> and sleep at night.
>
> Cheers,
>
> tedd
>
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php


I work with some of the largest retailers in North America if not the world, and I can confirm that the security measures taken to enforce PCI compliance are not something lightly undertaken.

If those entities choose to store the cc#s then they do the following:

1. Store the encrypted values on servers that are NOT web facing

2. Use ridiculously long encryption keys (well into the 1000s of characters)

3. They also create a representative value that exists outside the system that has to allow some basis of data mining.


Really as mentioned you don't want to do this. Especially if you have no control over the servers.

Bastien

Sent from my iPod


--- End Message ---
--- Begin Message ---
On Sun, May 30, 2010 at 03:12:10AM -0400, Adam Richardson wrote:

> On Sun, May 30, 2010 at 2:16 AM, Ashley Sheridan
> <a...@ashleysheridan.co.uk> wrote:
> 
> > On Sun, 2010-05-30 at 01:49 -0400, Paul M Foster wrote:
> >

<snip>

> 
> Hi Paul,
> 
> When you describe one-way or two-way encryption, what are you describing?
>  Are you describing hashing vs encryption where the plain-text is
> recoverable with a key, or are you describing symmetric (one key handles
> encrypting and decrypting) vs asymmetric (separate keys handle encrypting
> and decrypting) encryption?

I'm not very good with this terminology. What I mean is that there's no
way to decrypt the value without the key, and the key is not stored on
the system. This would be like password storage on *nix systems -- if you
forget the password, there's no practical way to log in. (Yes, I know
there are dictionary-based and brute force methods, but in general,
if you forget your password, you're screwed.)

What PCI wants is strong encryption. I take this to mean that keys are
long enough to be practically invulnerable to hacking.

> 
> Now if you one-way encrypt the credit card numbers in the customer
> records, then it seems to me that any time that field has to be accessed
> (to edit the record or charge something to the card), you'd have to have
> the user enter a specific "password" to unlock the encryption.
> 
> 
> You can't decrypt (or "unlock") a hashed password (at least if you used a
> secure hash), but I'm not sure you're talking about symmetric vs asymmetric
> encryption, either.  With more details, I can provide feedback on the
> encryption schemes you're considering (remember, you have to make sure that
> you are managing encryption keys very carefully, as among other things, PCI
> requires that "keys are stored in encrypted format and that key-encrypting
> keys are stored separately from data-encrypting keys.")

By "asymmetric", I take it you mean like PGP or GPG, where there are
public and private keys? I don't really understand this technology, and
I'm not sure it matters.

<snip>

Paul

-- 
Paul M. Foster

--- End Message ---
--- Begin Message ---
On Sun, May 30, 2010 at 03:30:28PM -0400, Phpster wrote:

<snip>

>
> I work with some of the largest retailers in North America if not the
> world, and I can confirm that the security measures taken to enforce
> PCI compliance are not something lightly undertaken.
>
> If those entities choose to store the cc#s then they do the following:
>
> 1. Store the encrypted values on servers that are NOT web facing

Absolutely! If I were trying to do this on a web server, I *would* use a
payment gateway. There's no way I could secure it adequately otherwise.

>
> 2. Use ridiculously long encryption keys (well into the 1000s of
> characters)
>
> 3. They also create a representative value that exists outside the
> system that has to allow some basis of data mining.
>
>
> Really as mentioned you don't want to do this. Especially if you have
> no control over the servers.

I have complete control over the server this information is stored on,
including physical control. It is behind a NATed firewall and only
accessible to certain machines on my internal network. The only
personnel with access to the server are myself and my wife.

To be clear, we process credit cards MOTO, meaning we have no physical
access to the cards themselves. We use a small terminal which dials up
our payment processor to get approvals. The problem is that virtually
all of our credit card business is with the same customers and
recurring. So it's not feasible to call them every month or several
times per job to ask for a credit card number. This would aggravate my
customers. So I have to store the information one way or another, on 3x5
cards, in the computer or some way.

And it appears from all the replies that there is no other way to do it
than to have a separate key or password for accessing just these credit
card numbers, and every time they must be accessed, the user must
provide this key, which would be in addition to the usual password for
that user.


Paul

-- 
Paul M. Foster

--- End Message ---
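An added example, not code from anyone in this thread, showing the arrangement Adam quotes from PCI (the data-encrypting key is stored only in encrypted form, and the key-encrypting key is kept separately from it) combined with what Paul concludes above: the operator supplies a passphrase each time the card field is opened, and that passphrase is stored nowhere on the system. It is PHP 7.2+ using ext/sodium; the function names, the record layout, the sample passphrase and the card number are all assumptions constructed for the example.

```php
<?php
// Added example (not from the list thread): envelope encryption for a stored
// card number. The data-encrypting key (DEK) is persisted only in wrapped
// (encrypted) form; the key-encrypting key (KEK) is never persisted at all and
// is re-derived from an operator passphrase every time the field is opened.
// Requires PHP >= 7.2 (ext/sodium). All sample values are constructed.
declare(strict_types=1);

/** Argon2id KDF: the salt is stored and public, the passphrase is the secret. */
function deriveKek(string $passphrase, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $passphrase,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

/**
 * One-time setup: generate a random DEK and wrap it under the passphrase-derived
 * KEK. Only salt, nonce and wrapped DEK are returned for storage; the plain DEK
 * and the KEK are wiped before returning and the passphrase is never written.
 */
function createKeyRecord(string $passphrase): array
{
    $salt    = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $kek     = deriveKek($passphrase, $salt);
    $dek     = sodium_crypto_secretbox_keygen();
    $nonce   = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $wrapped = sodium_crypto_secretbox($dek, $nonce, $kek);
    sodium_memzero($kek);
    sodium_memzero($dek);
    return ['salt' => $salt, 'nonce' => $nonce, 'wrapped_dek' => $wrapped];
}

/** Unwrap the DEK; returns null when the passphrase is wrong (the auth tag fails). */
function unwrapDek(array $keyRecord, string $passphrase): ?string
{
    $kek = deriveKek($passphrase, $keyRecord['salt']);
    $dek = sodium_crypto_secretbox_open($keyRecord['wrapped_dek'], $keyRecord['nonce'], $kek);
    sodium_memzero($kek);
    return $dek === false ? null : $dek;
}

/**
 * Encrypt a PAN for storage. The stored row carries only ciphertext, a fresh
 * nonce and the last four digits (a displayable reference that is not the PAN).
 * The CVV/CVC is deliberately never part of the record.
 */
function encryptCard(array $keyRecord, string $passphrase, string $pan): array
{
    $dek = unwrapDek($keyRecord, $passphrase);
    if ($dek === null) {
        throw new RuntimeException('wrong passphrase: key could not be unwrapped');
    }
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = sodium_crypto_secretbox($pan, $nonce, $dek);
    sodium_memzero($dek);
    return ['nonce' => $nonce, 'ciphertext' => $ct, 'last4' => substr($pan, -4)];
}

/** Recover the PAN for a charge; null on a wrong passphrase or a tampered row. */
function decryptCard(array $keyRecord, string $passphrase, array $row): ?string
{
    $dek = unwrapDek($keyRecord, $passphrase);
    if ($dek === null) {
        return null;
    }
    $pan = sodium_crypto_secretbox_open($row['ciphertext'], $row['nonce'], $dek);
    sodium_memzero($dek);
    return $pan === false ? null : $pan;
}

// Demonstration with a constructed passphrase and a well-known non-live test PAN.
$passphrase = 'correct horse battery staple';
$keyRecord  = createKeyRecord($passphrase);                    // done once, then stored
$row        = encryptCard($keyRecord, $passphrase, '4111111111111111');
var_dump($row['last4']);                                       // string(4) "1111"
var_dump(decryptCard($keyRecord, $passphrase, $row) === '4111111111111111'); // bool(true)
var_dump(decryptCard($keyRecord, 'not the passphrase', $row)); // NULL
```

What this buys over a single stored key is that the database row plus the key record are useless on their own: a copy of both still needs the passphrase, which lives only in the operator's head, and rotating the passphrase means re-wrapping one 32-byte DEK rather than re-encrypting every card. A wrong passphrase fails the secretbox authentication check, so `unwrapDek` returns null instead of feeding garbage into the card decryption. This does not reduce PCI scope the way handing the cards to a processor does; it only implements the key-separation the thread is discussing.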
--- Begin Message ---
On Sun, May 30, 2010 at 10:50:05AM -0400, tedd wrote:

> At 12:43 PM +0200 5/30/10, Peter Lind wrote:
>>> On 30 May 2010 07:49, Paul M Foster <pa...@quillandmouse.com> wrote:
>>> -snip-
>>>
>>>  Does anyone have a better solution?
>>
>> I'm sorry if the following sounds a bit harsh, but in matters like
>> these I prefer blunt directness.
>>
>> A few notes. 1) one-way encryption means "no decrypting" - that's what
>> one-way is (like a one-way street, there's no driving the other
>> direction). You're looking for encryption that can be decrypted, not
>> one-way encryption which is otherwise known as hashing. 2) do not
>> store credit card information. Just don't. It's downright stupid to do
>> so, because it's a huge risk for very little gain.  3) farm out risks
>> like these to companies that specialize in dealing with them - you
>> will with 100% certainty not be able to do as good a job as these.
>>
>> The question to ask is not: how to store credit card information
>> securely? The question to ask is: do I really want to be the next
>> person in the internet spotlight because my setup turned out to have a
>> security hole I overlooked?
>
> Paul:
>
> Let me be equally blunt. Peter is absolutely right!
>
> Do NOT have your client store customer credit card information on a
> server -- period! That's the stuff people go to jail over. Instead,
> use a credit card clearing house to do the heavy work, that's what
> they get paid for.
>
> Besides, most credit card processing agencies even require that you
> use the customer's data (cc number, expiry date and CCS) to make the
> sale and then immediately dispose of it afterwards, usually within 24
> hours under a signed agreement. Holding that information for more
> than 24 hours can be a criminal offense regardless of what type of
> hashing you use.

Not true. It depends on the type of merchant and the situation. The PCI
validation process allows for storage of all data except the 3-4 digit
validation number. What I'm asked for at transaction time is the CC
number, expiration date, digits for the billing address, and the billing
zip code. And I can get the address and zip digits completely wrong and
still have the transaction go through.

>
> While many of my customers have made the argument that they keep
> hard-copy records of their customer's credit-card information
> in-house and they don't understand why they can't do the same online
> -- I reply that hard-copy kept in a safe behind "brick and mortar" is
> far more secure than digital data behind any "security" code open to
> the world. There isn't a security system out there that can't be
> hacked. If the client insists on keeping this information online,
> then find another client because at some time, someone is going to
> jail and it's not going to be me.

Of course, any system can be hacked. PCI guidelines are designed to
ensure that measures are in place to minimize that non-zero risk.

>
> So, let the people who can keep up with technology (a continued
> effort and expense) worry about hackers -- just use their services
> and sleep at night.
>

We've been doing it this way for 14 years and using the type of service
you suggest would be expensive and impractical. Only in the last two
years has PCI become more stringent in their requirements. And
consequently, I'm having to re-evaluate how we store this particular
information. Otherwise, our physical and other security is more than
adequate. Yes, of course, if you have a machine gun or you're Kevin
Mitnick, or you have a network of 20,000 bots pounding on my router,
you're coming in anyway. Again, this is about *reasonable* security.

Paul

-- 
Paul M. Foster

--- End Message ---
--- Begin Message ---
> Date: Sun, 30 May 2010 11:53:44 -0400
> To: php-gene...@lists.php.net; aj...@alumni.iu.edu
> From: tedd.sperl...@gmail.com
> Subject: RE: [PHP] Select Values Didn't Get Passed in From Two Different Forms
> 
> At 12:08 PM -0400 5/29/10, Alice Wei wrote:
> >
> >At the time of writing this, I got all the functionality I wanted, 
> >only that it takes 3 submits, which is 4 pages in total, which 
> >includes two dependent select menus based on user input by clicking 
> >on the radio button and some other static drop downs and text inputs.
> >
> >I am not sure if it is possible to cut it down to only two submits, 
> >I just went online and found this, 
> >http://www.w3schools.com/dhtml/tryit.asp?filename=trydhtml_event_onchange. 
> >If I could change this function to using the radio button, and 
> >process the other searching for the dependent drop downs using case 
> >statements with PHP, do you think this is a good idea?
> >
> >Anyway, I found this method is kind of ugly for the time being, but 
> >less daunting with what I was doing before. Thanks.
> >
> >Alice
> 
> Alice:
> 
> The example you provided above is very basic and I think what you 
> want is far more complex.
> 
> I realize that it's hard to convey what it is that you actually want 
> because you don't know all that can be done -- and the number of 
> possibilities of how to organize controls is far too vast for me to 
> guess.
> 
> For example, here's another example of what can be done:
> 
> http://www.webbytedd.com/a/ajax-select/index.php
> 
> But I know this doesn't fully solve your problem but it comes closer 
> than the example you provided above.
> 
> Sometimes it's best to "story-board" what you want so that both you 
> and to whom you're asking questions can have a better idea of the 
> problem.
> 
> For example, let's say you want to gather data from a user -- in 
> option A, the user is asked Y/N. If the user answers N, then the user 
> is sent to option B. If the user answers Y, then the user is sent to 
> option C. In option B the user is presented with... and Option C the 
> user is presented with... and so on. -- I'm sure you get the idea.
> 
> So, if you want to continue with this, please prepare a "story-board" 
> and present your problem again.
> 
> Cheers,
> 
> tedd
> 
> -- 

Tedd, 

  Looks like I finally found the answer to my question, and the key is the 
term, dependent drop down menu. There is an example that I found here, 
http://www.huanix.com/files/dependent_select/dependent_select.txt, and after 
editing everything, looks like what I want is not so far to reach. As I am 
writing now, I got the code I desired to work after studying what went on in 
the code from the above link. 

Thanks for your help, and looks like I solved the problem, I may be able to 
close the thread now. 

Alice

> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
                                          

--- End Message ---
--- Begin Message ---
Hi Tedd.

On Sunday 30 May 2010 at 19:01 tedd wrote:
> I wanted to ask my questions on the NetBeans forums, but I am having
> trouble logging in. They seem to have a problem with my given ID,
> password, and email address and I haven't the time to straighten it
> all out -- I just want answers -- so I turned to this list.

Just in case you didn't spot it, there is a mailing list specifically for PHP 
development using netbeans that I have found very useful. You can sign up 
here:

http://netbeans.org/community/lists/top.html#technologies

Cheers,

Mark

--- End Message ---
--- Begin Message ---
Hi Brandon.

You sent your reply directly to me, instead of to the mailing list. 

Also I don't agree - netbeans is an excellent IDE and to call it a text editor 
is not doing it justice at all.

Cheers,

Mark

On Monday 31 May 2010 at 02:03 you wrote:

> Dreamweaver is better if you want a real IDE. If you want a regular text
> editor netbeans is the way to go.
> 
> On Sun, May 30, 2010 at 8:15 PM, Mark Kelly <p...@wastedtimes.net> wrote:
> > Hi Tedd.
> >
> > On Sunday 30 May 2010 at 19:01 tedd wrote:
> > > I wanted to ask my questions on the NetBeans forums, but I am having
> > > trouble logging in. They seem to have a problem with my given ID,
> > > password, and email address and I haven't the time to straighten it
> > > all out -- I just want answers -- so I turned to this list.
> >
> > Just in case you didn't spot it, there is a mailing list specifically for
> > PHP
> > development using netbeans that I have found very useful. You can sign up
> > here:
> >
> > http://netbeans.org/community/lists/top.html#technologies
> >
> > Cheers,
> >
> > Mark
> >
> 

--- End Message ---
--- Begin Message ---
On Mon, 2010-05-31 at 02:46 +0100, Mark Kelly wrote:

> Hi Brandon.
> 
> You sent your reply directly to me, instead of to the mailing list. 
> 
> Also I don't agree - netbeans is an excellent IDE and to call it a text editor 
> is not doing it justice at all.
> 
> Cheers,
> 
> Mark
> 
> On Monday 31 May 2010 at 02:03 you wrote:
> 
> > Dreamweaver is better if you want a real IDE. If you want a regular text
> > editor netbeans is the way to go.
> > 
> > On Sun, May 30, 2010 at 8:15 PM, Mark Kelly <p...@wastedtimes.net> wrote:
> > > Hi Tedd.
> > >
> > > On Sunday 30 May 2010 at 19:01 tedd wrote:
> > > > I wanted to ask my questions on the NetBeans forums, but I am having
> > > > trouble logging in. They seem to have a problem with my given ID,
> > > > password, and email address and I haven't the time to straighten it
> > > > all out -- I just want answers -- so I turned to this list.
> > >
> > > Just in case you didn't spot it, there is a mailing list specifically for
> > > PHP
> > > development using netbeans that I have found very useful. You can sign up
> > > here:
> > >
> > > http://netbeans.org/community/lists/top.html#technologies
> > >
> > > Cheers,
> > >
> > > Mark
> > >
> > 
> 


Yeah, like I mentioned earlier, Dreamweaver is known for having issues
with include files, can be slow when working on large projects with lots
of files, and is only available for Mac and Windows, which limits it
somewhat.

Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
--- Begin Message ---
Hi.

On Monday 31 May 2010 at 02:50 Ashley Sheridan wrote:
> Yeah, like I mentioned earlier, Dreamweaver is known for having issues
> with include files, can be slow when working on large projects with lots
> of files, and is only available for Mac and Windows, which limits it
> somewhat.

Indeed. I can't stand the thing myself - I was just being polite :)

I use netbeans on Linux and Windows, so its cross-platform nature is quite 
important to me. I also appreciate the Subversion integration, which is very 
nicely done.

Tedd: I'm no expert, but I'll chime in if I have any answers for you.

Cheers,

Mark

--- End Message ---
--- Begin Message ---
Hi, I've been using NetBeans for some time and I found that there are
some issues like for Web applications if you write html tag
incorrectly, you won't be informed about that, for stand alone
applications in Java there were also some stupid errors, etc. So, I
strongly suggest to check out Eclipse(http://www.eclipse.org/)! You
can easily download Eclipse for PHP on Windows, Linux and Mac, and the
best part is that you can also easily find and add different plugins
like SVN, JS, etc. Just check it out... ;-)

Regards,
Dusan

On Mon, May 31, 2010 at 4:13 AM, Mark Kelly <p...@wastedtimes.net> wrote:
> Hi.
>
> On Monday 31 May 2010 at 02:50 Ashley Sheridan wrote:
>> Yeah, like I mentioned earlier, Dreamweaver is known for having issues
>> with include files, can be slow when working on large projects with lots
>> of files, and is only available for Mac and Windows, which limits it
>> somewhat.
>
> Indeed. I can't stand the thing myself - I was just being polite :)
>
> I use netbeans on Linux and Windows, so its cross-platform nature is quite
> important to me. I also appreciate the Subversion integration, which is very
> nicely done.
>
> Tedd: I'm no expert, but I'll chime in if I have any answers for you.
>
> Cheers,
>
> Mark
>
>
>



-- 
made by ndusan

--- End Message ---
--- Begin Message ---
Hello,

what about the Netbeans ram eating?

Mario

On 31/05/10 02:03, Dušan Novaković wrote:
> Hi, I've been using NetBeans for some time and I found that there are
> some issues like for Web applications if you write html tag
> incorrectly, you won't be informed about that, for stand alone
> applications in Java there were also some stupid errors, etc. So, I
> strongly suggest to check out Eclipse(http://www.eclipse.org/)! You
> can easily download Eclipse for PHP on Windows, Linux and Mac, and the
> best part is that you can also easily find and add different plugins
> like SVN, JS, etc. Just check it out... ;-)
>
> Regards,
> Dusan
>
> On Mon, May 31, 2010 at 4:13 AM, Mark Kelly <p...@wastedtimes.net> wrote:
>> Hi.
>>
>> On Monday 31 May 2010 at 02:50 Ashley Sheridan wrote:
>>> Yeah, like I mentioned earlier, Dreamweaver is known for having issues
>>> with include files, can be slow when working on large projects with lots
>>> of files, and is only available for Mac and Windows, which limits it
>>> somewhat.
>>
>> Indeed. I can't stand the thing myself - I was just being polite :)
>>
>> I use netbeans on Linux and Windows, so its cross-platform nature is quite
>> important to me. I also appreciate the Subversion integration, which is very
>> nicely done.
>>
>> Tedd: I'm no expert, but I'll chime in if I have any answers for you.
>>
>> Cheers,
>>
>> Mark





--

Saludos / Best regards

Mario Lacunza
Email:: mlacu...@gmail.com
Personal Website:: http://lacunza.biz/
Hosting:: http://mlv-host.com/
Google Talk: mlacunzav Skype: mlacunzav
MSN: mlacun...@hotmail.com Y! messenger: mlacunzav


--- End Message ---
