Hi,
I'm the new guy, basically I'm just looking for some reassurance that I've covered my bases.
I have a client who wanted credit card capture in his project, TBH I wasn't all that keen but I've obliged.
This is what I have, let me know if I need to tighten up in some areas, or am I good?
1) The whole process is over https
2) user enters cc details.
3) I validate them for presence, length and luhn in js
4) All good I send to my controller via ajax over https. This is where I get nervous. This is all unencrypted/plain text to the controller.
5) I run some similar validity checks in PHP + a few eregi_replace() parses, then boom, into the database it goes.
The controller(s) are "protected" from direct access via .htaccess and I feel I'm okay, but (4) sits a bit rotten. I've played with the idea of my own kinda "shared key" that I could have in my system (set by session or db) that I could encrypt the details with but unsure if 1) it would really make a difference and 2) is it required, am I sweet already?
I realise this is probably a pretty common request, I'm not looking to get flamed for asking a thrashed question. I looked but didn't find any suitable info.
Thanks for any help.
PHP - Credit Card - Ajax
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP - Credit Card - Ajax
Explaining how you do things does not really explain a lot. Vulnerabilities do not just come from design flaws. You should ask at least one security expert to evaluate your source code. Actually, you should be able to show us your code right here without lowering your level of security.
Re: PHP - Credit Card - Ajax
Understood.
I didn't leave out the code on purpose, I just have a lazy streak I guess.
The js code. This is my dev source, production is compressed/obfuscated (kind of).
Also it's outputted from within a php echo, so don't worry if the syntax looks a bit off here, it runs.
So, big dirty tumbler of checks to get past to get to the send. When there, data is appended to the url. __SITE_ROOT_SSL is a constant that holds the site https address.
validate_cc() I've not included, it's the Luhn algorithm.
I'll get back to you with the server side in a bit.
$(".process-credit").click(function(){
// YYYYMM baked in by PHP at render time; compared against the entered expiry (assumes a 4-digit year field)
var cDate = ' . date("Y") . date("m") . ';
var tmp = $("#cey").val()+$("#cem").val();
if (!$("#cna").val())
{
jQuery.facebox(\'<div class="admin-error"><p>Credit Card name is missing</p></div>\');
}
else if (!$("#cty").val())
{
jQuery.facebox(\'<div class="admin-error"><p>Credit Card type is missing</p></div>\');
}
else if (!$("#cem").val())
{
jQuery.facebox(\'<div class="admin-error"><p>Credit Card Expiry Month is missing</p></div>\');
}
else if (!$("#cey").val())
{
jQuery.facebox(\'<div class="admin-error"><p>Credit Card Expiry Year is missing</p></div>\');
}
else if (tmp < cDate)
{
jQuery.facebox(\'<div class="admin-error"><p>Credit Card has Expired</p></div>\');
}
else if (!$("#cno").val())
{
jQuery.facebox(\'<div class="admin-error"><p>Credit Card Number is missing</p></div>\');
}
else if (!validate_cc($("#cno").val()))
{
jQuery.facebox(\'<div class="admin-error"><p>Credit Card Number appears invalid</p></div>\');
}
else if (!$("#ccv").val())
{
jQuery.facebox(\'<div class="admin-error"><p>Credit Card Security Number is missing</p></div>\');
}
else
{
var ex = $("#cem").val()+"/"+$("#cey").val();
jQuery.ajax({
type: "POST",
url: "' . __SITE_ROOT_SSL . 'cart/process_credit",
// pass an object so jQuery URL-encodes each value; a "&" or "+" in the name would break the hand-built query string
data: {
creditName: $("#cna").val(),
creditExpir: ex,
creditNo: $("#cno").val(),
creditCvv: $("#ccv").val(),
creditType: $("#cty").val()
},
beforeSend: function(){
jQuery.facebox(\'<div class="admin-working"><p>Working...</p></div>\');
},
// an empty error handler left the "Working..." box open with no feedback on failure
error:function(xhr, textStatus, errorThrown){
jQuery.facebox(\'<div class="admin-error"><p>The card could not be processed, please try again</p></div>\');
},
success: function(result, textStatus){
// a 200 reply only means the controller answered; check what it returned before marking the step complete
//set the static display (.text() rather than .html() so the typed values are not interpreted as markup)
$("#displayCreditName").text($("#cna").val());
$("#displayCreditType").text($("#cty").val());
$("#displayCreditExpir").text(ex);
$("#displayCreditNo").text($("#cno").val());
$("#displayCreditCvv").text($("#ccv").val());
$("#s4Status").addClass("status-complete-bill").text("Completed");
//slide the inputs for statics
$("#eCreditForm").slideUp("slow",function(){
$("#displayCreditDetails").slideDown("slow",function(){
$("#payment").show("slow");
});
});
$.facebox.close();
}
});
}
return false;
});
- kaisellgren
Re: PHP - Credit Card - Ajax
You do know that client-side validation is pretty much for giving the user some feedback when she mistypes something? We don't really care about that here. 
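The point made in this reply, and the server-side step 5 of the original post, come down to the same thing: every check the JS performs has to be repeated in the controller, because the browser can skip them. The following is an added example of such a controller-side validator, not the original poster's code or anything from this thread. It reads the same field names the posted JS sends (creditName, creditExpir, creditNo, creditCvv, creditType), replaces the deprecated eregi_replace() with preg_replace(), and assumes a 4-digit expiry year and an allow-list of card types (both assumptions, since the thread does not show the form). The handling of the CVV and the masked number in the return value is likewise an assumption about what the caller should persist.

```php
<?php
// Added example: server-side re-validation of the card fields the posted JS sends.
// Field names follow the JS in the thread; everything else here is assumed.

function luhn_valid(string $digits): bool
{
    // $digits must already be digits-only; walk right to left doubling every second digit
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Returns ['ok' => false, 'errors' => [...]] or ['ok' => true, ...cleaned fields...].
function validate_card(array $post, int $nowYear, int $nowMonth): array
{
    $errors = [];

    $name = trim((string) ($post['creditName'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name';
    }

    // Assumed allow-list; the form's actual type values are not shown in the thread.
    $type = (string) ($post['creditType'] ?? '');
    if (!in_array($type, ['visa', 'mastercard', 'amex'], true)) {
        $errors[] = 'type';
    }

    // Strip spaces and dashes (preg_replace in place of eregi_replace), then require 13-19 digits plus Luhn.
    $pan = preg_replace('/[\s-]/', '', (string) ($post['creditNo'] ?? ''));
    if (!preg_match('/^\d{13,19}$/', $pan) || !luhn_valid($pan)) {
        $errors[] = 'number';
    }

    $cvv = (string) ($post['creditCvv'] ?? '');
    if (!preg_match('/^\d{3,4}$/', $cvv)) {
        $errors[] = 'cvv';
    }

    // The JS sends "MM/YYYY" (assuming a 4-digit year field); reject malformed or past dates.
    $exp = (string) ($post['creditExpir'] ?? '');
    if (!preg_match('#^(0[1-9]|1[0-2])/(\d{4})$#', $exp, $m)) {
        $errors[] = 'expiry';
    } else {
        $mm = (int) $m[1];
        $yy = (int) $m[2];
        if ($yy < $nowYear || ($yy === $nowYear && $mm < $nowMonth)) {
            $errors[] = 'expired';
        }
    }

    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    // Assumption about the caller: the full number is used only for the authorisation request,
    // the masked form is what gets stored and displayed, and the CVV is not returned at all.
    return [
        'ok'     => true,
        'name'   => $name,
        'type'   => $type,
        'pan'    => $pan,
        'masked' => str_repeat('*', strlen($pan) - 4) . substr($pan, -4),
        'expiry' => $exp,
    ];
}

// Constructed sample input using a well-known Luhn-valid test number, not a real card.
$sample = [
    'creditName'  => 'Test User',
    'creditType'  => 'visa',
    'creditNo'    => '4111 1111 1111 1111',
    'creditCvv'   => '123',
    'creditExpir' => '12/2099',
];
$result = validate_card($sample, (int) date('Y'), (int) date('m'));

// Reply to the AJAX call with JSON the success handler can inspect; never echo the full number back.
header('Content-Type: application/json');
echo json_encode($result['ok'] ? ['ok' => true, 'masked' => $result['masked']] : $result);
```

In a controller you would replace $sample with $_POST and branch on $result['ok'] before anything touches the database; the client-side checks in the thread then remain what this reply calls them, feedback for typos, while the decision is made here.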