Re: [PHP] Credit Card encryption
On Sun, May 30, 2010 at 10:50:05AM -0400, tedd wrote:

> At 12:43 PM +0200 5/30/10, Peter Lind wrote:
>>> On 30 May 2010 07:49, Paul M Foster wrote:
>>> -snip-
>>>
>>> Does anyone have a better solution?
>>
>> I'm sorry if the following sounds a bit harsh, but in matters like
>> these I prefer blunt directness.
>>
>> A few notes. 1) one-way encryption means "no decrypting" - that's what
>> one-way is (like a one-way street, there's no driving the other
>> direction). You're looking for encryption that can be decrypted, not
>> one-way encryption which is otherwise known as hashing. 2) do not
>> store credit card information. Just don't. It's downright stupid to do
>> so, because it's a huge risk for very little gain. 3) farm out risks
>> like these to companies that specialize in dealing with them - you
>> will with 100% certainty not be able to do as good a job as these.
>>
>> The question to ask is not: how to store credit card information
>> securely? The question to ask is: do I really want to be the next
>> person in the internet spotlight because my setup turned out to have a
>> security hole I overlooked?
>
> Paul:
>
> Let me be equally blunt. Peter is absolutely right!
>
> Do NOT have your client store customer credit card information on a
> server -- period! That's the stuff people go to jail over. Instead,
> use a credit card clearing house to do the heavy work, that's what
> they get paid for.
>
> Besides, most credit card processing agencies even require that you
> use the customer's data (cc number, expiry date and CCS) to make the
> sale and then immediately dispose of it afterwards, usually within 24
> hours under a signed agreement. Holding that information for more
> than 24 hours can be a criminal offense regardless of what type of
> hashing you use.

Not true. It depends on the type of merchant and the situation. The PCI
validation process allows for storage of all data except the 3-4 digit
validation number.

What I'm asked for at transaction time is the CC number, expiration date,
digits for the billing address, and the billing zip code. And I can get the
address and zip digits completely wrong and still have the transaction go
through.

> While many of my customers have made the argument that they keep
> hard-copy records of their customer's credit-card information
> in-house and they don't understand why they can't do the same online
> -- I reply that hard-copy kept in a safe behind "brick and mortar" is
> far more secure than digital data behind any "security" code open to
> the world. There isn't a security system out there that can't be
> hacked. If the client insists on keeping this information online,
> then find another client because at some time, someone is going to
> jail and it's not going to be me.

Of course, any system can be hacked. PCI guidelines are designed to ensure
that measures are in place to minimize that non-zero risk.

> So, let the people who can keep up with technology (a continued
> effort and expense) worry about hackers -- just use their services
> and sleep at night.

We've been doing it this way for 14 years and using the type of service you
suggest would be expensive and impractical. Only in the last two years has
PCI become more stringent in their requirements. And consequently, I'm
having to re-evaluate how we store this particular information. Otherwise,
our physical and other security is more than adequate. Yes, of course, if
you have a machine gun or you're Kevin Mitnick, or you have a network of
20,000 bots pounding on my router, you're coming in anyway. Again, this is
about *reasonable* security.

Paul

--
Paul M. Foster

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Credit Card encryption
On Sun, May 30, 2010 at 03:30:28PM -0400, Phpster wrote:

> I work with some of the largest retailers in north America if not the
> world, and I can confirm that the security measures taken to enforce
> pci compliance are not something lightly undertaken.
>
> If those entities choose to store the cc#s then they do the following:
>
> 1. Store the encrypted values on servers that are NOT web facing

Absolutely! If I were trying to do this on a web server, I *would* use a
payment gateway. There's no way I could secure it adequately otherwise.

> 2. Use ridiculously long encryption keys ( well into the 1000s of
> characters)
>
> 3. They also create a representative value that exists outside the
> system that has to allow some basis of data mining.
>
> Really as mentioned you don't want to do this. Especially if you have
> no control over the servers.

I have complete control over the server this information is stored on,
including physical control. It is behind a NATed firewall and only
accessible to certain machines on my internal network. The only personnel
with access to the server are myself and my wife.

To be clear, we process credit cards MOTO, meaning we have no physical
access to the cards themselves. We use a small terminal which dials up our
payment processor to get approvals.

The problem is that virtually all of our credit card business is with the
same customers and recurring. So it's not feasible to call them every month
or several times per job to ask for a credit card number. This would
aggravate my customers. So I have to store the information one way or
another, on 3x5 cards, in the computer or some way.

And it appears from all the replies that there is no other way to do it
than to have a separate key or password for accessing just these credit
card numbers, and every time they must be accessed, the user must provide
this key, which would be in addition to the usual password for that user.

Paul

--
Paul M. Foster
Re: [PHP] Credit Card encryption
On Sun, May 30, 2010 at 03:12:10AM -0400, Adam Richardson wrote:

> On Sun, May 30, 2010 at 2:16 AM, Ashley Sheridan wrote:
>
>> On Sun, 2010-05-30 at 01:49 -0400, Paul M Foster wrote:
>>
>
> Hi Paul,
>
> When you describe one-way or two-way encryption, what are you describing?
> Are you describing hashing vs encryption where the plain-text is
> recoverable with a key, or are you describing symmetric (one key handles
> encrypting and decrypting) vs asymmetric (separate keys handle encrypting
> and decrypting) encryption?

I'm not very good with this terminology. What I mean is that there's no way
to decrypt the value without the key, and the key is not stored on the
system. This would be like password storage on *nix systems -- if you forget
the password, there's no practical way to log in. (Yes, I know there are
dictionary-based and brute force methods, but in general, if you forget your
password, you're screwed.)

What PCI wants is strong encryption. I take this to mean that keys are long
enough to be practically invulnerable to hacking.

>> Now if you one-way encrypt the credit card numbers in the customer
>> records, then it seems to me that any time that field has to be accessed
>> (to edit the record or charge something to the card), you'd have to have
>> the user enter a specific "password" to unlock the encryption.
>
> You can't decrypt (or "unlock") a hashed password (at least if you used a
> secure hash), but I'm not sure you're talking about symmetric vs asymmetric
> encryption, either. With more details, I can provide feedback on the
> encryption schemes you're considering (remember, you have to make sure that
> you are managing encryption keys very carefully, as among other things, PCI
> requires that "keys are stored in encrypted format and that key-encrypting
> keys are stored separately from data-encrypting keys.")

By "asymmetric", I take it you mean like PGP or GPG, where there are public
and private keys? I don't really understand this technology, and I'm not
sure it matters.

Paul

--
Paul M. Foster
Re: [PHP] NetBeans Question
Hi.

On Monday 31 May 2010 at 02:50 Ashley Sheridan wrote:

> Yeah, like I mentioned earlier, Dreamweaver is known for having issues
> with include files, can be slow when working on large projects with lots
> of files, and is only available for Mac and Windows, which limits it
> somewhat.

Indeed. I can't stand the thing myself - I was just being polite :)

I use netbeans on Linux and Windows, so its cross-platform nature is quite
important to me. I also appreciate the Subversion integration, which is very
nicely done.

Tedd: I'm no expert, but I'll chime in if I have any answers for you.

Cheers,

Mark
Re: [PHP] NetBeans Question
On Mon, 2010-05-31 at 02:46 +0100, Mark Kelly wrote:

> Hi Brandon.
>
> You sent your reply directly to me, instead of to the mailing list.
>
> Also I don't agree - netbeans is an excellent IDE and to call it a text
> editor is not doing it justice at all.
>
> Cheers,
>
> Mark
>
> On Monday 31 May 2010 at 02:03 you wrote:
>
>> Dreamweaver is better if you want a real IDE. If you want a regular text
>> editor netbeans is the way to go.
>>
>> On Sun, May 30, 2010 at 8:15 PM, Mark Kelly wrote:
>>> Hi Tedd.
>>>
>>> On Sunday 30 May 2010 at 19:01 tedd wrote:
>>>> I wanted to ask my questions on the NetBeans forums, but I am having
>>>> trouble logging in. They seem to have a problem with my given ID,
>>>> password, and email address and I haven't the time to straighten it
>>>> all out -- I just want answers -- so I turned to this list.
>>>
>>> Just in case you didn't spot it, there is a mailing list specifically for
>>> PHP development using netbeans that I have found very useful. You can
>>> sign up here:
>>>
>>> http://netbeans.org/community/lists/top.html#technologies
>>>
>>> Cheers,
>>>
>>> Mark

Yeah, like I mentioned earlier, Dreamweaver is known for having issues with
include files, can be slow when working on large projects with lots of
files, and is only available for Mac and Windows, which limits it somewhat.

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] NetBeans Question
Hi Brandon.

You sent your reply directly to me, instead of to the mailing list.

Also I don't agree - netbeans is an excellent IDE and to call it a text
editor is not doing it justice at all.

Cheers,

Mark

On Monday 31 May 2010 at 02:03 you wrote:

> Dreamweaver is better if you want a real IDE. If you want a regular text
> editor netbeans is the way to go.
>
> On Sun, May 30, 2010 at 8:15 PM, Mark Kelly wrote:
>> Hi Tedd.
>>
>> On Sunday 30 May 2010 at 19:01 tedd wrote:
>>> I wanted to ask my questions on the NetBeans forums, but I am having
>>> trouble logging in. They seem to have a problem with my given ID,
>>> password, and email address and I haven't the time to straighten it
>>> all out -- I just want answers -- so I turned to this list.
>>
>> Just in case you didn't spot it, there is a mailing list specifically for
>> PHP development using netbeans that I have found very useful. You can
>> sign up here:
>>
>> http://netbeans.org/community/lists/top.html#technologies
>>
>> Cheers,
>>
>> Mark
Re: [PHP] NetBeans Question
Hi Tedd.

On Sunday 30 May 2010 at 19:01 tedd wrote:

> I wanted to ask my questions on the NetBeans forums, but I am having
> trouble logging in. They seem to have a problem with my given ID,
> password, and email address and I haven't the time to straighten it
> all out -- I just want answers -- so I turned to this list.

Just in case you didn't spot it, there is a mailing list specifically for
PHP development using netbeans that I have found very useful. You can sign
up here:

http://netbeans.org/community/lists/top.html#technologies

Cheers,

Mark
RE: [PHP] Select Values Didn't Get Passed in From Two Different Forms
> Date: Sun, 30 May 2010 11:53:44 -0400
> To: php-general@lists.php.net; aj...@alumni.iu.edu
> From: tedd.sperl...@gmail.com
> Subject: RE: [PHP] Select Values Didn't Get Passed in From Two Different Forms
>
> At 12:08 PM -0400 5/29/10, Alice Wei wrote:
>
>> At the time of writing this, I got all the functionality I wanted,
>> only that it takes 3 submits, which is 4 pages in total, which
>> includes two dependent select menus based on user input by clicking
>> on the radio button and some other static drop downs and text inputs.
>>
>> I am not sure if it is possible to cut it down to only two submits,
>> I just went online and found this,
>> http://www.w3schools.com/dhtml/tryit.asp?filename=trydhtml_event_onchange.
>> If I could change this function to using the radio button, and
>> process the other searching for the dependent drop downs using case
>> statements with PHP, do you think this is a good idea?
>>
>> Anyway, I found this method is kind of ugly for the time being, but
>> less daunting with what I was doing before. Thanks.
>>
>> Alice
>
> Alice:
>
> The example you provided above is very basic and I think what you
> want is far more complex.
>
> I realize that it's hard to convey what it is that you actually want
> because you don't know all that can be done -- and the number of
> possibilities of how to organize controls is far too vast for me to
> guess.
>
> For example, here's another example of what can be done:
>
> http://www.webbytedd.com/a/ajax-select/index.php
>
> But I know this doesn't fully solve your problem but it comes closer
> than the example you provided above.
>
> Sometimes it's best to "story-board" what you want so that both you
> and to whom you're asking questions can have a better idea of the
> problem.
>
> For example, let's say you want to gather data from a user -- in
> option A, the user is asked Y/N. If the user answers N, then the user
> is sent to option B. If the user answers Y, then the user is sent to
> option C. In option B the user is presented with... and Option C the
> user is presented with... and so on. -- I'm sure you get the idea.
>
> So, if you want to continue with this, please prepare a "story-board"
> and present your problem again.
>
> Cheers,
>
> tedd

Tedd,

Looks like I finally found the answer to my question, and the key is the
term, dependent drop down menu. There is an example that I found here,
http://www.huanix.com/files/dependent_select/dependent_select.txt, and after
editing everything, looks like what I want is not so far to reach. As I am
writing now, I got the code I desired to work after studying what went on in
the code from the above link.

Thanks for your help, and looks like I solved the problem, I may be able to
close the thread now.

Alice

> ---
> http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Credit Card encryption
On May 30, 2010, at 10:50 AM, tedd wrote:

> At 12:43 PM +0200 5/30/10, Peter Lind wrote:
>> On 30 May 2010 07:49, Paul M Foster wrote:
>>> -snip-
>>>
>>> Does anyone have a better solution?
>>
>> I'm sorry if the following sounds a bit harsh, but in matters like
>> these I prefer blunt directness.
>>
>> A few notes. 1) one-way encryption means "no decrypting" - that's what
>> one-way is (like a one-way street, there's no driving the other
>> direction). You're looking for encryption that can be decrypted, not
>> one-way encryption which is otherwise known as hashing. 2) do not
>> store credit card information. Just don't. It's downright stupid to do
>> so, because it's a huge risk for very little gain. 3) farm out risks
>> like these to companies that specialize in dealing with them - you
>> will with 100% certainty not be able to do as good a job as these.
>>
>> The question to ask is not: how to store credit card information
>> securely? The question to ask is: do I really want to be the next
>> person in the internet spotlight because my setup turned out to have a
>> security hole I overlooked?
>
> Paul:
>
> Let me be equally blunt. Peter is absolutely right!
>
> Do NOT have your client store customer credit card information on a
> server -- period! That's the stuff people go to jail over. Instead,
> use a credit card clearing house to do the heavy work, that's what
> they get paid for.
>
> Besides, most credit card processing agencies even require that you
> use the customer's data (cc number, expiry date and CCS) to make the
> sale and then immediately dispose of it afterwards, usually within 24
> hours under a signed agreement. Holding that information for more
> than 24 hours can be a criminal offense regardless of what type of
> hashing you use.
>
> While many of my customers have made the argument that they keep
> hard-copy records of their customer's credit-card information
> in-house and they don't understand why they can't do the same online
> -- I reply that hard-copy kept in a safe behind "brick and mortar" is
> far more secure than digital data behind any "security" code open to
> the world. There isn't a security system out there that can't be
> hacked. If the client insists on keeping this information online,
> then find another client because at some time, someone is going to
> jail and it's not going to be me.
>
> So, let the people who can keep up with technology (a continued
> effort and expense) worry about hackers -- just use their services
> and sleep at night.
>
> Cheers,
>
> tedd
> --
> ---
> http://sperling.com http://ancientstones.com http://earthstones.com

I work with some of the largest retailers in north America if not the
world, and I can confirm that the security measures taken to enforce pci
compliance are not something lightly undertaken.

If those entities choose to store the cc#s then they do the following:

1. Store the encrypted values on servers that are NOT web facing
2. Use ridiculously long encryption keys ( well into the 1000s of characters)
3. They also create a representative value that exists outside the system
   that has to allow some basis of data mining.

Really as mentioned you don't want to do this. Especially if you have no
control over the servers.

Bastien

Sent from my iPod
Re: [PHP] Credit Card encryption
On Sun, May 30, 2010 at 11:50 AM, tedd wrote:

> At 12:43 PM +0200 5/30/10, Peter Lind wrote:
>
>> On 30 May 2010 07:49, Paul M Foster wrote:
>>> -snip-
>>>
>>> Does anyone have a better solution?
>>
>> I'm sorry if the following sounds a bit harsh, but in matters like
>> these I prefer blunt directness.
>>
>> A few notes. 1) one-way encryption means "no decrypting" - that's what
>> one-way is (like a one-way street, there's no driving the other
>> direction). You're looking for encryption that can be decrypted, not
>> one-way encryption which is otherwise known as hashing. 2) do not
>> store credit card information. Just don't. It's downright stupid to do
>> so, because it's a huge risk for very little gain. 3) farm out risks
>> like these to companies that specialize in dealing with them - you
>> will with 100% certainty not be able to do as good a job as these.
>>
>> The question to ask is not: how to store credit card information
>> securely? The question to ask is: do I really want to be the next
>> person in the internet spotlight because my setup turned out to have a
>> security hole I overlooked?
>
> Paul:
>
> Let me be equally blunt. Peter is absolutely right!
>
> Do NOT have your client store customer credit card information on a server
> -- period! That's the stuff people go to jail over. Instead, use a credit
> card clearing house to do the heavy work, that's what they get paid for.
>
> Besides, most credit card processing agencies even require that you use the
> customer's data (cc number, expiry date and CCS) to make the sale and then
> immediately dispose of it afterwards, usually within 24 hours under a signed
> agreement. Holding that information for more than 24 hours can be a criminal
> offense regardless of what type of hashing you use.
>
> While many of my customers have made the argument that they keep hard-copy
> records of their customer's credit-card information in-house and they don't
> understand why they can't do the same online -- I reply that hard-copy kept
> in a safe behind "brick and mortar" is far more secure than digital data
> behind any "security" code open to the world. There isn't a security system
> out there that can't be hacked. If the client insists on keeping this
> information online, then find another client because at some time, someone
> is going to jail and it's not going to be me.
>
> So, let the people who can keep up with technology (a continued effort and
> expense) worry about hackers -- just use their services and sleep at night.
>
> Cheers,
>
> tedd

To add my two cents - if you plan to store card information, in the eyes of
the Payment Card Industry you will have to be Tier One compliant. How high
are the standards? Visit hackerguardian.com and take the free test.

We *thought* it might be cool to store the CC info for a new enterprise,
provide convenient "one-click" shopping, etc, so we ran through the
questionnaire at that level. It would take more time to design, implement
and test the security and audit systems than to write the app. Furthermore,
since we were doing the new project in the cloud we could not meet the
requirements for physical security.

So we settled for Tier 4 - we take the information as part of the
transaction, https to CC processor, get an "OK" or "Not OK" back, and no
cardholder info stored on our server at all, apart from the transaction
number.

Cheers - Miles Thompson

~~
"The piano keys are black and white,
But they sound like a million colours in your mind"
Spider's Web - Katie Melua
Re: [PHP] NetBeans Question
At 6:01 PM +0100 5/30/10, Ashley Sheridan wrote:

> This thread has made me want to have a look at the IDE. Will the base IDE
> package be enough, or is there something specific it needs for PHP
> development, like a netbeans-php package? I'm using Linux (Fedora 11) btw ;)
>
> Thanks,
> Ash

Ash:

I'm really new at NetBeans and am having some minor questions I was keeping
off-list -- however -- can go on list if there is interest.

As for specific needs that NetBeans requires being an IDE for php, they make
a special one just for php, see here:

http://netbeans.org/downloads/index.html

Find the one that fits your needs, like the one that covers only php and
download it -- that's what I did. It's very easy to install and its learning
curve is pretty easy.

There are just some minor things that are not obvious, such as downloading a
remote file to your local directory. You see, I use two different computers
and have two accesses to the same server. Occasionally, I may change a file
remotely and my second computer needs to be updated. I know this could be
solved via some version scheme, but I don't want to make a big production
out of it -- all I need to do is download a remote file, but I didn't see an
easy way to do that. So, I searched for a couple of hours until I found
someone said "Simply, right-click on the file locally and choose 'download'
and you'll overwrite the file" -- that was simple enough. But I had to find
out how to do it. These are the types of questions I have.

I wanted to ask my questions on the NetBeans forums, but I am having trouble
logging in. They seem to have a problem with my given ID, password, and
email address and I haven't the time to straighten it all out -- I just want
answers -- so I turned to this list.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] NetBeans Question
On Sun, 2010-05-30 at 13:48 -0400, Brandon Rampersad wrote:

> i use dreamweaver and it's better
>
> On Sun, May 30, 2010 at 1:01 PM, Ashley Sheridan wrote:
>
>> On Sun, 2010-05-30 at 12:58 -0400, Jason Pruim wrote:
>>
>>> On May 30, 2010, at 12:32 PM, php wrote:
>>>
>>>> On 05/30/2010 05:57 PM, tedd wrote:
>>>>> Hi gang:
>>>>>
>>>>> Do any of you use NetBeans for your IDE?
>>>>>
>>>> Yes, i do. Since 2 Years (Netbeans 6.5 then), now with 6.8
>>>>
>>>> I work very well with netbeans on Mac OS-X and Ubuntu, using SVN as
>>>> version-backend, XDEBUG for debugging, Code-Coverage etc...
>>>>
>>>>> It looks like a great IDE, but I have some questions.
>>>>>
>>>> Tell me, maybe i can answer
>>>
>>> Hey tedd,
>>>
>>> I actually just started using it a little bit ago as I wanted
>>> something more robust than just a text editor with some syntax
>>> highlighting :)
>>>
>>> So feel free to ask away and I'll see what I can answer :)
>>
>> This thread has made me want to have a look at the IDE. Will the base
>> IDE package be enough, or is there something specific it needs for PHP
>> development, like a netbeans-php package? I'm using Linux (Fedora 11)
>> btw ;)
>>
>> Thanks,
>> Ash
>> http://www.ashleysheridan.co.uk
>
> --
> A Brandon_R Production

I don't know about that. I prefer a standard text editor to Dreamweaver. Dw
is full of bloat, really screws up include files and isn't available on
Linux anyway. As an editor for people more visually orientated it's not bad,
but for someone coming from a programming background, it hinders in many
places.

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] NetBeans Question
On Sun, 2010-05-30 at 12:58 -0400, Jason Pruim wrote:

> On May 30, 2010, at 12:32 PM, php wrote:
>
>> On 05/30/2010 05:57 PM, tedd wrote:
>>> Hi gang:
>>>
>>> Do any of you use NetBeans for your IDE?
>>>
>> Yes, i do. Since 2 Years (Netbeans 6.5 then), now with 6.8
>>
>> I work very well with netbeans on Mac OS-X and Ubuntu, using SVN as
>> version-backend, XDEBUG for debugging, Code-Coverage etc...
>>
>>> It looks like a great IDE, but I have some questions.
>>>
>> Tell me, maybe i can answer
>
> Hey tedd,
>
> I actually just started using it a little bit ago as I wanted
> something more robust than just a text editor with some syntax
> highlighting :)
>
> So feel free to ask away and I'll see what I can answer :)

This thread has made me want to have a look at the IDE. Will the base IDE
package be enough, or is there something specific it needs for PHP
development, like a netbeans-php package? I'm using Linux (Fedora 11) btw ;)

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] NetBeans Question
On May 30, 2010, at 12:32 PM, php wrote:

> On 05/30/2010 05:57 PM, tedd wrote:
>> Hi gang:
>>
>> Do any of you use NetBeans for your IDE?
>>
> Yes, i do. Since 2 Years (Netbeans 6.5 then), now with 6.8
>
> I work very well with netbeans on Mac OS-X and Ubuntu, using SVN as
> version-backend, XDEBUG for debugging, Code-Coverage etc...
>
>> It looks like a great IDE, but I have some questions.
>>
> Tell me, maybe i can answer

Hey tedd,

I actually just started using it a little bit ago as I wanted something more
robust than just a text editor with some syntax highlighting :)

So feel free to ask away and I'll see what I can answer :)
Re: [PHP] NetBeans Question
On 05/30/2010 05:57 PM, tedd wrote:
> Hi gang:
>
> Do any of you use NetBeans for your IDE?
>
Yes, i do. Since 2 Years (Netbeans 6.5 then), now with 6.8

I work very well with netbeans on Mac OS-X and Ubuntu, using SVN as
version-backend, XDEBUG for debugging, Code-Coverage etc...

> It looks like a great IDE, but I have some questions.
>
Tell me, maybe i can answer

Paul
[PHP] NetBeans Question
Hi gang:

Do any of you use NetBeans for your IDE?

It looks like a great IDE, but I have some questions.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
RE: [PHP] Select Values Didn't Get Passed in From Two Different Forms
At 12:08 PM -0400 5/29/10, Alice Wei wrote:

> At the time of writing this, I got all the functionality I wanted,
> only that it takes 3 submits, which is 4 pages in total, which
> includes two dependent select menus based on user input by clicking
> on the radio button and some other static drop downs and text inputs.
>
> I am not sure if it is possible to cut it down to only two submits,
> I just went online and found this,
> http://www.w3schools.com/dhtml/tryit.asp?filename=trydhtml_event_onchange.
> If I could change this function to using the radio button, and
> process the other searching for the dependent drop downs using case
> statements with PHP, do you think this is a good idea?
>
> Anyway, I found this method is kind of ugly for the time being, but
> less daunting with what I was doing before. Thanks.
>
> Alice

Alice:

The example you provided above is very basic and I think what you want is
far more complex.

I realize that it's hard to convey what it is that you actually want
because you don't know all that can be done -- and the number of
possibilities of how to organize controls is far too vast for me to guess.

For example, here's another example of what can be done:

http://www.webbytedd.com/a/ajax-select/index.php

But I know this doesn't fully solve your problem but it comes closer than
the example you provided above.

Sometimes it's best to "story-board" what you want so that both you and to
whom you're asking questions can have a better idea of the problem.

For example, let's say you want to gather data from a user -- in option A,
the user is asked Y/N. If the user answers N, then the user is sent to
option B. If the user answers Y, then the user is sent to option C. In
option B the user is presented with... and Option C the user is presented
with... and so on. -- I'm sure you get the idea.

So, if you want to continue with this, please prepare a "story-board" and
present your problem again.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Credit Card encryption
At 12:43 PM +0200 5/30/10, Peter Lind wrote:

> On 30 May 2010 07:49, Paul M Foster wrote:
>> -snip-
>>
>> Does anyone have a better solution?
>
> I'm sorry if the following sounds a bit harsh, but in matters like
> these I prefer blunt directness.
>
> A few notes. 1) one-way encryption means "no decrypting" - that's what
> one-way is (like a one-way street, there's no driving the other
> direction). You're looking for encryption that can be decrypted, not
> one-way encryption which is otherwise known as hashing. 2) do not
> store credit card information. Just don't. It's downright stupid to do
> so, because it's a huge risk for very little gain. 3) farm out risks
> like these to companies that specialize in dealing with them - you
> will with 100% certainty not be able to do as good a job as these.
>
> The question to ask is not: how to store credit card information
> securely? The question to ask is: do I really want to be the next
> person in the internet spotlight because my setup turned out to have a
> security hole I overlooked?

Paul:

Let me be equally blunt. Peter is absolutely right!

Do NOT have your client store customer credit card information on a server
-- period! That's the stuff people go to jail over. Instead, use a credit
card clearing house to do the heavy work, that's what they get paid for.

Besides, most credit card processing agencies even require that you use the
customer's data (cc number, expiry date and CCS) to make the sale and then
immediately dispose of it afterwards, usually within 24 hours under a signed
agreement. Holding that information for more than 24 hours can be a
criminal offense regardless of what type of hashing you use.

While many of my customers have made the argument that they keep hard-copy
records of their customer's credit-card information in-house and they don't
understand why they can't do the same online -- I reply that hard-copy kept
in a safe behind "brick and mortar" is far more secure than digital data
behind any "security" code open to the world. There isn't a security system
out there that can't be hacked. If the client insists on keeping this
information online, then find another client because at some time, someone
is going to jail and it's not going to be me.

So, let the people who can keep up with technology (a continued effort and
expense) worry about hackers -- just use their services and sleep at night.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Convert UTF-8 to PHP defines
At 10:20 PM +0200 5/29/10, Nisse Engström wrote: On Sat, 29 May 2010 10:16:39 -0400, tedd wrote: At 7:15 AM +0200 5/29/10, Nisse Engström wrote: No. There are no glyphs in Unicode. This is spelled out for you in chapter 2, figure 2-2. "Characters versus Glyphs". Code points are simply unique numbers assigned to specific characters in an approved char set. To better understand which character is represented a representative Glyph is used -- what else would we use, Right. I should have phrased that differently. a chicken? U+9e21 ? U+540D ? LOL I forgot that the word chicken appears in several other languages as a single character. Interesting to note that in the Chinese Dictionary, the character "U+9e21" Chicken (ji) is interchangeable with prostitution. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Credit Card encryption
On 30 May 2010 07:49, Paul M Foster wrote: > This question is for people who take and store credit card information > for customers. > > Credit card companies, in an attempt to lessen fraud, are tightening the > screws on merchants who take credit cards. One aspect of this is a > requirement to store credit card information from customers encrypted. > > So let's say you have a customer whose credit card you keep on file, > because they'll be charging other items with you. The credit card > companies would like you to store this information with strong > encryption, which in their mind is one-way encryption. > > Now let's say that the credit card number is part of the customer > record. When looking at the customer record, you see just the last four > digits of the card. But when editing the record or when printing out > reports of things which must be charged, you will see the whole number. > Assume the users of the system have logins and passwords. > > Now if you one-way encrypt the credit card numbers in the customer > records, then it seems to me that any time that field has to be accessed > (to edit the record or charge something to the card), you'd have to have > the user enter a specific "password" to unlock the encryption. This > would be quite in addition to their username and password. Moreover for > this to be as secure as the credit card companies would like it, > whatever "password" is used would need to be changed frequently, > particularly at any change of personnel. This means you'd have to > re-encrypt all the credit card numbers using the new "password" every > few months or when you fire someone who had access to the data. > > This seems like an excessively cumbersome solution. Is this seriously > the way it's done? Does anyone have a better solution? > I'm sorry if the following sounds a bit harsh, but in matters like these I prefer blunt directness. A few notes. 
1) one-way encryption means "no decrypting" - that's what one-way is (like a one-way street, there's no driving the other direction). You're looking for encryption that can be decrypted, not one-way encryption which is otherwise known as hashing. 2) do not store credit card information. Just don't. It's downright stupid to do so, because it's a huge risk for very little gain. 3) farm out risks like these to companies that specialize in dealing with them - you will with 100% certainty not be able to do as good a job as these. The question to ask is not: how to store credit card information securely? The question to ask is: do I really want to be the next person in the internet spotlight because my setup turned out to have a security hole I overlooked? Regards Peter -- WWW: http://plphp.dk / http://plind.dk LinkedIn: http://www.linkedin.com/in/plind BeWelcome/Couchsurfing: Fake51 Twitter: http://twitter.com/kafe15 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] date_default_timezone_get() differs from ini_get('date.timezone');
Hi there, I think I did not understand the timezone settings right. In php.ini, I wrote date.timezone="Europe/Berlin". echo ini_get('date.timezone'); returns "Europe/Berlin". But the class "DateTime" is using another timezone (Europe/London). When I do 'echo date_default_timezone_get()', it returns "Europe/London" and not the same as described in php.ini. In phpinfo() the date.timezone setting will also be empty. I am sure I am working with the right php.ini, due to two facts: 1. phpinfo() displays the same ini and all settings from the file (but not timezone) 2. ini_get() returns the right setting as well (but it will not be used). Can somebody explain to me what happens here? Thanks a lot and kind regards, Paul -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] get classname without namespace
"Adam Richardson" wrote in message news:aanlktin0wqqlgwgm2lowcdv4i0c6bzsbfxhjwxv_j...@mail.gmail.com...
> On Sat, May 29, 2010 at 4:20 PM, Tanel Tammik wrote:
>
>> Hi,
>>
>> is there a way to get the called classname without the namespace?
>>
>> <?php
>> //PHP 5.3.x
>> namespace some\where;
>>
>> abstract class ParentClass {
>>     public static function name() {
>>         return strtolower(get_called_class());
>>     }
>>
>>     public static function get_name() {
>>         echo 'name: ' . static::name();
>>     }
>> }
>>
>> class ChildClass extends ParentClass {
>> }
>>
>> ChildClass::get_name();
>> ?>
>>
>> the result i need: childclass
>> the result i get: some\where\childclass
>>
>> also is it possible to get the name() into the static variable if only
>> static method is called?
>>
>> Br
>> Tanel
>
> // '\' must be written '\\' inside a PHP string, and end() needs a variable
> $parts = explode('\\', $class_name_with_ns);
> $childclass = end($parts);
>
>> also is it possible to get the name() into the static variable if only
>> static method is called?
>
> Not sure I understand this part.
>
> Adam
>
> --
> Nephtali: PHP web framework that functions beautifully
> http://nephtaliproject.com

yes, the static method is called and it's not possible... basically I'm making a dynamic class for database manipulation where the child classname == tablename. I just thought it would be not good to each time call name() as a method when the tablename is needed for an SQL query!

Br
Tanel

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Credit Card encryption
On Sun, May 30, 2010 at 2:16 AM, Ashley Sheridan wrote: > On Sun, 2010-05-30 at 01:49 -0400, Paul M Foster wrote: > > > This question is for people who take and store credit card information > > for customers. > > > > Credit card companies, in an attempt to lessen fraud, are tightening the > > screws on merchants who take credit cards. One aspect of this is a > > requirement to store credit card information from customers encrypted. > > > > So let's say you have a customer whose credit card you keep on file, > > because they'll be charging other items with you. The credit card > > companies would like you to store this information with strong > > encryption, which in their mind is one-way encryption. > > > > Now let's say that the credit card number is part of the customer > > record. When looking at the customer record, you see just the last four > > digits of the card. But when editing the record or when printing out > > reports of things which must be charged, you will see the whole number. > > Assume the users of the system have logins and passwords. > > > > Now if you one-way encrypt the credit card numbers in the customer > > records, then it seems to me that any time that field has to be accessed > > (to edit the record or charge something to the card), you'd have to have > > the user enter a specific "password" to unlock the encryption. This > > would be quite in addition to their username and password. Moreover for > > this to be as secure as the credit card companies would like it, > > whatever "password" is used would need to be changed frequently, > > particularly at any change of personnel. This means you'd have to > > re-encrypt all the credit card numbers using the new "password" every > > few months or when you fire someone who had access to the data. > > > > This seems like an excessively cumbersome solution. Is this seriously > > the way it's done? Does anyone have a better solution? > > > > > > Paul > > > > -- > > Paul M. 
Foster

> It's not just a matter of encrypting the credit card details. You also have to ensure the server meets specific security requirements, every last little bit of software has to be updated and patched. There are services that will check your server out for you (last one I used was McAfee Secure) I am certain that this is a legal requirement in order to allow you to process credit card details.
>
> You won't have to encrypt the password against the username of whoever has access to it. Just encrypt it the once, and use the DBMS side of things to manage access rights. Maybe use a couple of fields in the DB to store the credit card number in two versions, one that is two-way encrypted, the second that is one-way. You can set up your web system to only have access to the one-way version, meaning that the actual number can't be got by that user. The two-way encrypted version would be accessible only by a specific second DB user, the access details of which could change when personnel changes.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

Hi Paul,

When you describe one-way or two-way encryption, what are you describing? Are you describing hashing vs encryption where the plain-text is recoverable with a key, or are you describing symmetric (one key handles encrypting and decrypting) vs asymmetric (separate keys handle encrypting and decrypting) encryption?

> Now if you one-way encrypt the credit card numbers in the customer records, then it seems to me that any time that field has to be accessed (to edit the record or charge something to the card), you'd have to have the user enter a specific "password" to unlock the encryption.

You can't decrypt (or "unlock") a hashed password (at least if you used a secure hash), but I'm not sure you're talking about symmetric vs asymmetric encryption, either.
With more details, I can provide feedback on the encryption schemes you're considering (remember, you have to make sure that you are managing encryption keys very carefully, as among other things, PCI requires that "keys are stored in encrypted format and that key-encrypting keys are stored separately from data-encrypting keys.")

However, I'd strongly recommend letting a payment gateway do the heavy lifting. You let the payment gateway store the credit card details, and when you want to process another transaction for a visitor, you use the id for the visitor that's stored in your DB (if they already have set up an account) to process the request. For example, this type of scheme is documented at Rackspace (PDF): http://cloudsites.rackspacecloud.com/index.php/Can_I_host_a_PCI_compliant_site_on_Cloud_Sites%3F

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
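Added example, not code from anyone on the list. Adam's PCI quote (key-encrypting keys stored apart from data-encrypting keys) and Paul's worry in the original post (re-encrypting every card number whenever the "password" changes or someone leaves) are two views of the same design problem, and the usual answer is envelope encryption: each record gets its own data-encrypting key (DEK), the DEK is stored next to the record wrapped under a key-encrypting key (KEK) that lives outside the database, and a key change re-wraps the small DEKs instead of re-encrypting the card data. The class below is my own illustration for PHP 7.4+ with ext/sodium; the class and method names are invented, the KEK source (an HSM, a KMS, or a root-only file on another host) is assumed rather than shown, and the card number is a constructed test PAN.

```php
<?php
// Added example (not from the thread): envelope encryption for a stored card number.
// Assumptions: PHP >= 7.4 with ext/sodium; the KEK is fetched from somewhere outside
// the database (HSM/KMS/separate host) and only the wrapped DEK sits beside the record.
declare(strict_types=1);

final class CardVault
{
    /** @var string the key-encrypting key (KEK); never stored with the data */
    private string $kek;

    public function __construct(string $kek)
    {
        if (strlen($kek) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('KEK must be ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes');
        }
        $this->kek = $kek;
    }

    /** Encrypt $pan under a fresh per-record DEK, then wrap that DEK under the KEK. */
    public function store(string $pan): array
    {
        $dek = sodium_crypto_secretbox_keygen();
        $row = [
            'pan_ct'      => self::seal($pan, $dek),
            'dek_wrapped' => self::seal($dek, $this->kek),
            'last4'       => substr($pan, -4),   // the only thing the customer screen shows
        ];
        sodium_memzero($dek);
        return $row;
    }

    /** Unwrap the DEK with the KEK, then decrypt the PAN (edit screen, charge run). */
    public function reveal(array $row): string
    {
        $dek = self::open($row['dek_wrapped'], $this->kek);
        $pan = self::open($row['pan_ct'], $dek);
        sodium_memzero($dek);
        return $pan;
    }

    /** KEK rotation: re-wrap the DEK under a new KEK; pan_ct is left untouched. */
    public function rewrap(array $row, string $newKek): array
    {
        $dek = self::open($row['dek_wrapped'], $this->kek);
        $row['dek_wrapped'] = self::seal($dek, $newKek);
        sodium_memzero($dek);
        return $row;
    }

    /** nonce || secretbox(plain) -- secretbox is authenticated, so tampering is detected. */
    private static function seal(string $plain, string $key): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
    }

    private static function open(string $blob, string $key): string
    {
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($ct, $nonce, $key);
        if ($plain === false) {
            throw new RuntimeException('decryption failed: wrong key or tampered data');
        }
        return $plain;
    }
}

// Constructed demo data: a well-known test PAN, not a real card.
$kek1  = sodium_crypto_secretbox_keygen();   // in practice: loaded from the HSM/KMS
$vault = new CardVault($kek1);
$row   = $vault->store('4111111111111111');
assert($vault->reveal($row) === '4111111111111111');

// Rotate the KEK (e.g. after staff turnover): only the small wrapped DEK changes.
$kek2 = sodium_crypto_secretbox_keygen();
$row  = $vault->rewrap($row, $kek2);
assert((new CardVault($kek2))->reveal($row) === '4111111111111111');
try {
    $vault->reveal($row);                    // old KEK can no longer unwrap the DEK
} catch (RuntimeException $e) {
    echo 'old KEK rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'shown to staff: **** **** **** ', $row['last4'], PHP_EOL;
```

Two caveats worth keeping in mind. First, this only addresses the key-management objection; everything else in the thread about PCI scope still applies, and the gateway approach Adam describes removes the stored PAN from your systems altogether. Second, if a separate "one-way" column is wanted for lookups, a plain hash of a 16-digit PAN is not one-way in practice: with a known issuer prefix and the Luhn check digit the remaining digits are enumerable, so such a column should be a keyed HMAC under a key that is, again, kept apart from the data.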
Re: [PHP] get classname without namespace
On Sat, May 29, 2010 at 4:20 PM, Tanel Tammik wrote:
> Hi,
>
> is there a way to get the called classname without the namespace?
>
> <?php
> //PHP 5.3.x
> namespace some\where;
>
> abstract class ParentClass {
>     public static function name() {
>         return strtolower(get_called_class());
>     }
>
>     public static function get_name() {
>         echo 'name: ' . static::name();
>     }
> }
>
> class ChildClass extends ParentClass {
> }
>
> ChildClass::get_name();
> ?>
>
> the result i need: childclass
> the result i get: some\where\childclass
>
> also is it possible to get the name() into the static variable if only
> static method is called?
>
> Br
> Tanel

// '\' must be written '\\' inside a PHP string, and end() needs a variable
$parts = explode('\\', $class_name_with_ns);
$childclass = end($parts);

> also is it possible to get the name() into the static variable if only
> static method is called?

Not sure I understand this part.

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
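Added example, not code from Tanel or Adam. It covers both halves of Tanel's question: stripping the namespace from the late-static-bound class name, and caching the result per subclass so the table name is not recomputed on every query. The cache is keyed by the fully qualified class name on purpose: a single static property declared on ParentClass is shared by every subclass (the first child to populate it would win), which is the trap behind "get the name() into the static variable". My own illustration for PHP 7.4+ (typed static property); the namespace and class names are taken from the thread, the second subclass is invented.

```php
<?php
// Added example (not from the thread): namespace-less class name from a static
// method, cached once per subclass. Assumes PHP >= 7.4.
declare(strict_types=1);

namespace some\where;

abstract class ParentClass
{
    /** @var array<string,string> cache keyed by fully qualified class name */
    private static array $names = [];

    /** Short (namespace-less) class name, lower-cased: used as the table name. */
    public static function name(): string
    {
        $fqcn = static::class;   // late static binding, same value as get_called_class()
        if (!isset(self::$names[$fqcn])) {
            // Everything after the last backslash; a class in the global namespace
            // has no backslash at all, so keep the whole name in that case.
            $pos   = strrpos($fqcn, '\\');
            $short = $pos === false ? $fqcn : substr($fqcn, $pos + 1);
            self::$names[$fqcn] = strtolower($short);
        }
        return self::$names[$fqcn];
    }

    public static function get_name(): void
    {
        echo 'name: ' . static::name(), PHP_EOL;
    }
}

class ChildClass extends ParentClass {}
class OrderLine extends ParentClass {}   // invented second subclass to show per-class caching

ChildClass::get_name();   // name: childclass
OrderLine::get_name();    // name: orderline
ChildClass::get_name();   // name: childclass (served from the cache)
```

If the class name is only needed occasionally, `(new \ReflectionClass(static::class))->getShortName()` gives the same short name without the string handling. Since the short name ends up inside SQL, keep it out of user control (it is derived from the class, as here) and never concatenate anything user-supplied into the same query.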