Security Issue with Session variables

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
DudeBori82
Forum Commoner
Posts: 26
Joined: Thu Nov 18, 2004 10:09 am
Location: Florida

Security Issue with Session variables

Post by DudeBori82 »

Is it safe to put credit card #'s into session variabes, or should I put directly into the database. Also, which method is safer for handling the data: POST or GET?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: Security Issue with Session variables

Post by timvw »

DudeBori82 wrote:Is it safe to put credit card #'s into session variabes, or should I put directly into the database. Also, which method is safer for handling the data: POST or GET?
Why would you store credit card # anyway?

As you are doing financial stuff, i presume you are smart enough to understand rfc 2616 which explains you the differences between post and get.

I'm pretty sure that i wouldn't submit my credit card number to a site over http. https is a minimum requirement.
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

definately put it directly into the database, ENCRYPTED
never store in w/out encryption, period.

use post, not get.


most servers log all the urls of every page requested.
if your using get to submit a form,
because get passes info through the url, then your
credit card numbers will be logged as plain text...BAD



please educate yourself extensively on security.
i once bought something online w/ my cc, and the website
wasnt very secure and someone hacked it and pasted everyones
credit card numbers along w/ thier personal info openly on the internet.

it was a huge mess, and the customers are the victims,
and have to fix it at that point.


and you MUST use ssl
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

i just noticed tims post, and it made me think

if your asking the question about whether to use post or get,
its very likely like you shouldnt even do this at all. theres no shame in
it, you just need to realize your not yet skilled enough to safely handle such critical information.

identity theft can ruin peoples lives.
User avatar
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Okay, here's my take on the post vs. get issue. Personally, I always use post UNLESS it it something I know my visitors would want to copy and paste the URL and give it to thier friends. In that case, I use get. I would think that noone would have any reason to copy and paste a URL containing an unencrypted credit card number (for ligitamate purposes anyway), so therefore, you definitly want to use post. And run some kind of encryption on it AS SOON AS YOU GET IT! If you're using a MySQL database, don't wait for MySQL to encrypt it when you insert it into the database. Use PHP. Make sure you're on a secure server that can support SSL and/or TLS. Shared hosting is usually pretty dangerous for things like this.

And finally, remeber: when in doubt, use PayPal.

Good luck!
DudeBori82
Forum Commoner
Posts: 26
Joined: Thu Nov 18, 2004 10:09 am
Location: Florida

Post by DudeBori82 »

The post vs get question was dumb, I know that get is not the way to do it. I was more so wondering if there were any security issues with POST. I have SSL and I know I need to encrypt and I put it straight into the database. I just didn't know how voulnerable session variables are.
- thanks for the help & the insult (rehfeld)
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

for starters, have a look at session.save_path
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

I agree strongly that if you have to ask any sort of question about security you should not be involved in coding an ecommerce site. It's just not fair to your customers to have to run the gauntlet of possible security flaws not to mention bad for the business itself and your own professional reputation if something goes wrong. There should be a law against it.

Also, you must not use a shared host unless you have something like user mode linux.
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

evilmonkey wrote: And finally, remeber: when in doubt, use PayPal.
Paypal is a very horrible, horrible, horrible business. Especially if your bringing in real money for them. :P I know thats my biased opinion, but I've had some bad experiences
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

phenom, did you have bad experiences w/ paypal recently, or was it a long time ago?

i know a long time ago they would "freeze" all the money in peoples
accounts for no apparant reason, but ive been under the impression
since ebay bought them they have been improving alot.

ive used them for a few years and never had any issues.
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

They locked my account because I overdrew it by 25 cents or so, and I can't even login to add funds to it. Paypal sucks.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

use javascript to encrypt the cc num at form's submission... all it takes is someone with a copy of any freely available packet sniffer to capture some plain text
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

That's what SSL is for...
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Yeah, packet sniffers are mainly just used for viewing data in/out of a pc, not through an internet hub. But the data should be encrypted regardless. Any of you remember sneakers the movie... They had the box that could decrypt anything.
Post Reply