I am testing the site on the running server, and I have created a temporary pgp key-pair through a "Manage OpenPGP Keys" utility of the server in order to test the pgp encryption (if this is of any help, the server has a cPanelX utilities page through which the site administrator can do certain things).
The characteristics of the server are:
Operating system Linux
Kernel version 2.4.23-ow2
Apache version 1.3.29 (Unix)
Path to sendmail /usr/sbin/sendmail
PHP version 4.3.4
MySQL version 4.0.15-standard
cPanel Build 8.5.3-STABLE 3
My problem is that although the credit card data is submitted through the form, it doesnt get encrypted and therefore it is not e-mailed to the computer of the company owner (temporarily, for testing purposes I have set this e-mail address to my e-mail so I can check the code from my own computer).
I give you some paths from the server:
gpg path: /usr/bin/gpg
$keyring_location="/home/patrino/.gnupg";
Below, I am presenting all the php code related to the pgp data encryption.
When the customer submits the form with the credit card data the "process_card.php" script runs:
Listing of process_card.php:
Code: Select all
<?php
session_start(); //to get the value of $valid_user in order to pass it to the display_order_confirm() function
require_once("user_auth_fns.php");
require_once("output_fns.php");
foreach ($_POST as $name=>$value) {
if (empty($value)) {
echo "you didnt fill in all the data. Please try again";
// code to display credit card form
exit();
}
}
if (process_card($valid_user, $_POSTї'cardtype'], $_POSTї'cardno'], $_POSTї'month_expir'], $_POSTї'year_expir'], $_POSTї'cardholder'])) {
// code for displaying message that says that credit card data were sent
}
else {
echo "<br>your credit card data couldnot be sent<br> try again.";
// code for displaying the credit card form
exit();
}
?>Code: Select all
//the method here is that the card data are sent via an encrypted (by GPG) email to the mail server of the company's owner
function process_card($username, $cardtype, $cardno, $month_expir, $year_expir, $cardholder)
{
global $keyring_location, $public_key_id, $viotopos_email; //these values are taken from an included script named "init.php"
//code to check correct user input first
$to_email = $company_owner_email; //taken from init.php
$title="cc data";
$body="cc data for the customer with user name: $username"; //$username is a local variable
$body .="<br>cardtype: $cardtype\r\n card no: $cardno\r\n month expiry: $month_expir\r\n year expir: $year_expir\r\n cardholder: $cardholder"; //these are the form submitted variables
$encrypted_text=pgp_encrypt($keyring_location, $public_key_id, $body);
if(empty($encrypted_text) || $encrypted_text=="") {
echo "<br>your cc data could not be encrypted";
return false;
}
if (mail($to_email, $title, $encrypted_text)==true) {
echo "cc data were sent encrypted
return true;
}
elseif(mail($to_email, $title, $body)==false) {
return false;
}
}Listing of pgp_encrypt() function:
Code: Select all
function pgp_encrypt($keyring_location, $public_key_id, $plain_text)
{
global $gpg;
$key_id = EscapeShellArg($public_key_id);
// encrypt the message
$pipe=popen("/usr/bin/gpg/gpg --recipient $key_id --armor --no-secmemwarning --always-trust --homedir $keyring_location --encrypt &>~/pgp_error.txt", "r");
fwrite($pipe, $plain_text);
$encrypted_text = '';
while($s = fgets($pipe, 1024)) {
// read from the pipe
$encrypted_text .= $s;
}
pclose($pipe);
//below is another alternative encryption code which still doesnt work
//alternative encryption code 2
//exec('echo ' . escapeshellarg($plain_text) . '| ' . $gpg . ' -ear ' . $key_id . ' --batch --no-secmemwarning --always-trust --homedir ' . $keyring_location, $resultarray);
//$encrypted_text = join('',$resultarray);
return $encrypted_text;
}Is there something wrong with my code, or is it OK (if it is OK, is there something I should check with the server paths? )
I appreciate any help