PGP encryption doesn't work


Post by vasilis

I have finished setting up a web database-driven site with php and mysql. The only thing that is left to finish is the pgp encryption part. In this site, a customer can use his/her credit card to order a product. The credit card data are sent through a form with SSL and when the data arrive at the server that contains the site, the data are GNU-gpg encrypted and then are e-mailed to the computer of the owner of the company that sells the product (the owner then decrypts the data with his private key). The cc data submit takes place only when a new customer is registered in the company database, or when he modifies his data.
I am testing the site on the running server, and I have created a temporary pgp key-pair through a "Manage OpenPGP Keys" utility of the server in order to test the pgp encryption (if this is of any help, the server has a cPanelX utilities page through which the site administrator can do certain things).
The characteristics of the server are:
Operating system Linux
Kernel version 2.4.23-ow2
Apache version 1.3.29 (Unix)
Path to sendmail /usr/sbin/sendmail
PHP version 4.3.4
MySQL version 4.0.15-standard
cPanel Build 8.5.3-STABLE 3


My problem is that although the credit card data is submitted through the form, it doesn't get encrypted and therefore it is not e-mailed to the computer of the company owner (temporarily, for testing purposes I have set this e-mail address to my e-mail so I can check the code from my own computer).

I give you some paths from the server:
gpg path: /usr/bin/gpg
$keyring_location="/home/patrino/.gnupg";


Below, I am presenting all the php code related to the pgp data encryption.

When the customer submits the form with the credit card data the "process_card.php" script runs:
Listing of process_card.php:

Code:

<?php
session_start(); //to get the value of $valid_user in order to pass it to the display_order_confirm() function
require_once("user_auth_fns.php");
require_once("output_fns.php");
foreach ($_POST as $name=>$value)  {
    if (empty($value))  {
        echo "you didnt fill in all the data. Please try again";
        // code to display credit card form
        exit();
    }
}
if (process_card($valid_user, $_POST['cardtype'], $_POST['cardno'], $_POST['month_expir'], $_POST['year_expir'], $_POST['cardholder'])) {
    // code for displaying message that says that credit card data were sent
}
else  {
    echo "<br>your credit card data couldnot be sent<br> try again.";
    // code for displaying the credit card form
    exit();
}
?>

Listing of process_card() function:

Code:

//the method here is that the card data are sent via an encrypted (by GPG) email to the mail server of the company's owner
function process_card($username, $cardtype, $cardno, $month_expir, $year_expir, $cardholder)
{
    global $keyring_location, $public_key_id, $viotopos_email;   //these values are taken from an included script named "init.php"
    //code to check correct user input first

    $to_email = $company_owner_email;  //taken from init.php
    $title="cc data";
    $body="cc data for the customer with user name: $username";   //$username is a local variable
    $body .="<br>cardtype: $cardtype\r\n card no: $cardno\r\n month expiry: $month_expir\r\n year expir: $year_expir\r\n cardholder: $cardholder";  //these are the form submitted variables
    $encrypted_text=pgp_encrypt($keyring_location, $public_key_id, $body);
    if(empty($encrypted_text) || $encrypted_text=="")  {
        echo "<br>your cc data could not be encrypted";
        return false;
    }
    if (mail($to_email, $title, $encrypted_text)==true)      {
        echo "cc data were sent encrypted";
        return true;
    }
    elseif(mail($to_email, $title, $body)==false)      {
        return false;
    }

}

Now, this is maybe the part where the problem lies

Listing of pgp_encrypt() function:

Code:

function pgp_encrypt($keyring_location, $public_key_id, $plain_text)
{
    global $gpg;
    $key_id = EscapeShellArg($public_key_id);

    // encrypt the message
    $pipe=popen("/usr/bin/gpg/gpg --recipient $key_id --armor --no-secmemwarning --always-trust --homedir $keyring_location --encrypt &>~/pgp_error.txt", "r");
    fwrite($pipe, $plain_text);
    $encrypted_text = '';
    while($s = fgets($pipe, 1024)) {
        // read from the pipe
        $encrypted_text .= $s;
    }
    pclose($pipe);


    //below is another alternative encryption code which still doesnt work
    //alternative encryption code 2
    //exec('echo ' . escapeshellarg($plain_text) . '| ' . $gpg . ' -ear ' .  $key_id . ' --batch --no-secmemwarning --always-trust --homedir ' . $keyring_location, $resultarray);
    //$encrypted_text = join('',$resultarray);


    return $encrypted_text;
}

I really have tried different syntax alternatives in the pgp command but it doesn't work.
Is there something wrong with my code, or is it OK (if it is OK, is there something I should check with the server paths?)
I appreciate any help
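
The encryption step from the post, as an added example that is not part of the original post: it feeds the plaintext to gpg on stdin with `proc_open` (a pipe opened by `popen` in "r" mode cannot be written to), captures gpg's stderr for the server log, and sends nothing at all when encryption fails. The key id and e-mail address are placeholders, the gpg path and keyring directory are the ones quoted in the post, and the code assumes PHP 7.4 or later and a recipient key that gpg already trusts in that keyring.

```php
<?php
// Added example (not the poster's code): pipe plaintext to gpg over stdin with
// proc_open, capture stderr, and fail closed. Key id and address are placeholders.

function gpg_encrypt(string $gpgBin, string $homedir, string $recipient,
                     string $plainText, ?string &$error = null): ?string
{
    // Array form (PHP 7.4+) runs gpg directly, so no shell parses any argument.
    $cmd = [$gpgBin, '--batch', '--no-tty', '--armor',
            '--homedir', $homedir, '--recipient', $recipient, '--encrypt'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];

    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        $error = "could not start $gpgBin";
        return null;
    }

    // Small payloads only: write everything, then close stdin so gpg sees EOF.
    fwrite($pipes[0], $plainText);
    fclose($pipes[0]);

    $cipherText = stream_get_contents($pipes[1]);
    $stderr     = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exitCode = proc_close($proc);

    // Accept the output only on a zero exit status plus an armor header.
    if ($exitCode !== 0 || strpos($cipherText, '-----BEGIN PGP MESSAGE-----') !== 0) {
        $error = "gpg exit $exitCode: " . trim($stderr);
        return null;
    }
    return $cipherText;
}

// Constructed sample input; the key id and address below are placeholders.
$body = "cardtype: TEST\r\ncard no: 0000000000000000\r\n";
$encrypted = gpg_encrypt('/usr/bin/gpg', '/home/patrino/.gnupg',
                         'PLACEHOLDER_KEY_ID', $body, $err);

if ($encrypted === null) {
    error_log("card encryption failed: $err"); // gpg diagnostic stays server-side
    echo "your cc data could not be sent";     // no fallback to mailing $body in clear
} else {
    mail('owner@example.com', 'cc data', $encrypted);
}
```

The gpg message captured in `$error` (unknown recipient, unreadable `--homedir`, untrusted key) is usually what identifies a silent failure like the one described in the post.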