Security Issue with Session variables
DudeBori82
- Forum Commoner
- Posts: 26
- Joined: Thu Nov 18, 2004 10:09 am
- Location: Florida
Is it safe to put credit card #'s into session variables, or should I put them directly into the database? Also, which method is safer for handling the data: POST or GET?
Re: Security Issue with Session variables
DudeBori82 wrote:
Is it safe to put credit card #'s into session variables, or should I put them directly into the database? Also, which method is safer for handling the data: POST or GET?
Why would you store credit card #s anyway?
As you are doing financial stuff, I presume you are smart enough to understand RFC 2616, which explains to you the differences between POST and GET.
I'm pretty sure that I wouldn't submit my credit card number to a site over HTTP. HTTPS is a minimum requirement.
definitely put it directly into the database, ENCRYPTED
never store it without encryption, period.
use POST, not GET.
most servers log all the URLs of every page requested. if you're using GET to submit a form, because GET passes info through the URL, then your credit card numbers will be logged as plain text... BAD
please educate yourself extensively on security.
i once bought something online with my cc, and the website wasn't very secure and someone hacked it and pasted everyone's credit card numbers along with their personal info openly on the internet. it was a huge mess, and the customers are the victims, and have to fix it at that point.
and you MUST use SSL
i just noticed tim's post, and it made me think:
if you're asking the question about whether to use POST or GET, it's very likely that you shouldn't even do this at all. there's no shame in it, you just need to realize you're not yet skilled enough to safely handle such critical information.
identity theft can ruin people's lives.
- evilmonkey
- Forum Regular
- Posts: 823
- Joined: Sun Oct 06, 2002 1:24 pm
- Location: Toronto, Canada
Okay, here's my take on the POST vs. GET issue. Personally, I always use POST UNLESS it is something I know my visitors would want to copy and paste the URL and give it to their friends. In that case, I use GET. I would think that no one would have any reason to copy and paste a URL containing an unencrypted credit card number (for legitimate purposes anyway), so therefore you definitely want to use POST. And run some kind of encryption on it AS SOON AS YOU GET IT! If you're using a MySQL database, don't wait for MySQL to encrypt it when you insert it into the database. Use PHP. Make sure you're on a secure server that can support SSL and/or TLS. Shared hosting is usually pretty dangerous for things like this.
And finally, remember: when in doubt, use PayPal.
Good luck!
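Putting the thread's advice into working PHP, as an added example that is not code from any poster: the card number is accepted only from a POST body over TLS, encrypted in PHP with libsodium before the INSERT rather than by MySQL, and never copied into $_SESSION or a URL. It assumes PHP 7.2 or later with the sodium extension and PDO; the key file path, DSN, table and column names are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.2 (libsodium) and PDO;
// key path, DSN, table and column names are placeholders.
declare(strict_types=1);
// Key stays outside the web root and outside MySQL, so a database dump alone
// reveals nothing. Create it once with:
//   php -r 'echo sodium_bin2hex(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES));'
function loadCardKey(string $path = '/etc/myshop/card.key'): string
{
    $key = sodium_hex2bin(trim((string) file_get_contents($path)));
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('card key has wrong length');
    }
    return $key;
}
// Authenticated encryption with a fresh random nonce per card; the nonce is
// prepended so ciphertext and nonce fit in one VARBINARY column.
function encryptPan(string $pan, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($pan, $nonce, $key);
}
function decryptPan(string $blob, string $key): string
{
    $n   = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    $pan = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $key);
    if ($pan === false) {
        throw new RuntimeException('stored card data failed authentication');
    }
    return $pan;
}
// POST over TLS only: a card number in a GET query string ends up in access
// logs, browser history and Referer headers, which is the leak the thread warns about.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(405);
    exit;
}
$pan = preg_replace('/\D/', '', (string) ($_POST['card_number'] ?? ''));
if (strlen($pan) < 13 || strlen($pan) > 19) {
    http_response_code(400);
    exit;
}
$key  = loadCardKey();
$pdo  = new PDO('mysql:host=localhost;dbname=shop', 'shop_user', 'placeholder');
$stmt = $pdo->prepare('INSERT INTO cards (last4, pan_enc) VALUES (?, ?)');
$stmt->execute([substr($pan, -4), encryptPan($pan, $key)]);
sodium_memzero($pan);  // plaintext lives only in this request, never in $_SESSION
sodium_memzero($key);
```

Only the last four digits are stored in the clear, so receipts and support lookups never need the full number decrypted.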
DudeBori82
- Forum Commoner
- Posts: 26
- Joined: Thu Nov 18, 2004 10:09 am
- Location: Florida
The POST vs. GET question was dumb, I know that GET is not the way to do it. I was more so wondering if there were any security issues with POST. I have SSL and I know I need to encrypt, and I put it straight into the database. I just didn't know how vulnerable session variables are.
- thanks for the help & the insult (rehfeld)
I agree strongly that if you have to ask any sort of question about security you should not be involved in coding an ecommerce site. It's just not fair to your customers to have to run the gauntlet of possible security flaws not to mention bad for the business itself and your own professional reputation if something goes wrong. There should be a law against it.
Also, you must not use a shared host unless you have something like User Mode Linux.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
phenom, did you have bad experiences with PayPal recently, or was it a long time ago?
I know a long time ago they would "freeze" all the money in people's accounts for no apparent reason, but I've been under the impression that since eBay bought them they have been improving a lot.
I've used them for a few years and never had any issues.