1.11M Members

Decrypting an encrupted credit card number

 
0
 

I'm tring to display an encrypted number store in sql database I have a key store in my application.cfm. and they number in my database is encrypted. My display code looks like this

<cfloop query="Get_Orders">
<cfoutput>
<tr>
	
	<td><div class="content_black">#Get_Orders.Credit_Card_Type#&nbsp;</div></td>
	
  <cfset key = #application.key#>
  <cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
  <cfset CardDec = decrypt(Cardnum, key)>
   
  
	<td><div class="content_black">#CardDec#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Month#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Year#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Name#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Comments#&nbsp;</div></td>
	<td><textarea name="HL_Comments_#Get_Orders.Order_Estimate_ID#" cols="20" rows="5">#Get_Orders.HL_Comments#</textarea></td>
	<td align="center"><input type="Checkbox" name="Contacted_#Get_Orders.Order_Estimate_ID#" value="1"<cfif Get_Orders.Contacted IS 1> checked</cfif>></td>
	<td><div class="content_black">#Get_Orders.customerNumber#</div></td>
	<td><div class="content_black">#Get_Orders.billing_phone#</div></td>
	<td><div class="content_black">#Get_Orders.Billing_Email#&nbsp;</div></td>
	<td><div class="content_black">#DollarFormat(Get_Orders.invoiceAmt)#</div></td>
	<td align="center"><div class="content_black"><input type="Checkbox" name="Processed_#Get_Orders.Order_Estimate_ID#" value="1"<cfif Get_Orders.invoiceProcessed IS 1> checked</cfif>></div></td>
 
 </tr>
</cfoutput>
</cfloop>
 
0
 

Well it turns out when every my encrypted string has a " in it when it gets store to my sql database it stops at the " . Is there any way to create the encryption string with no characters?

 
0
 

Is that a double quote or two single quotes? What syntax are you using to insert the encrypted string into the database?

Side notes:

Since I don't work with cc's I am curious... is it a good idea to actually display the full credit card number on the web page?

<cfset key = #application.key#>
<cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
<cfset CardDec = decrypt(Cardnum, key)>

This has nothing to do with the problem, but there is no need for those # signs. Just use:

<cfset Cardnum = Get_Orders.Credit_Card_Number>
<cfset CardDec = decrypt(Cardnum, application.key)>

 
0
 

Here is the syntex

<cfset string = FORM.numCredit>
                    <cfset key = ToBase64(BinaryDecode(#application.key#, "HEX"))>
                    <cfset encrypted = encrypt(string, key)>

here is the encrypted string

0U5K" Z7*%U;#T,(/B?GX)0

it will only insert OU5K into the data base

Here is another
0U5[" ZG&$E/&T\8#BOC[(P

my sql table has
OU5[

I also tried

<cfset key = #application.key#>
<cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
<cfset CardDec = decrypt(Cardnum, key)>

and I still get " in my output


After I get this working thats my next task to trim the credit card being displayed on the page to the last 4 numbers

 
0
 

Here is the syntex

<cfset string = FORM.numCredit>
                    <cfset key = ToBase64(BinaryDecode(#application.key#, "HEX"))>
                    <cfset encrypted = encrypt(string, key)>

Are you using cfqueryparam when you insert the value into the database table?

INSERT INTO YourTable ( EncryptedValue )
VALUES 
(
<cfqueryparam value="#encrypted#" cfsqltype="( sql type for the column )">
)
 
0
 

Here is my insert string

<form action="payments_autopay.cfm" method="post">
				<input type="Hidden" name="action" value="confirm">
				<input type="Hidden" name="selCreditCard" value="#form.selCreditCard#">
				<input type="hidden" name="numCredit" value="#encrypted#">
				<input type="hidden" name="selExpMonth" value="#form.selExpMonth#">
				<input type="Hidden" name="selExpYear" value="#form.selExpYear#">
				<input type="Hidden" name="vcCreditName" value="#form.vcCreditName#">
				<input type="Hidden" name="customerNumber" value="#customerNumber#">
				<!--- <input type="Hidden" name="orderID" value="#findOrder.Order_Estimate_ID#"> --->
				<input type="Hidden" name="comments" value="#form.vccomments#">
				<input type="Hidden" name="email" value="#form.email#">
				<input type="hidden" name="bill_fname" value="#form.bill_vcfname#">
				<input type="hidden" name="bill_lname" value="#form.bill_vclname#">
				<input type="hidden" name="Bill_vcAddress1" value="#form.Bill_vcAddress1#">
				<input type="hidden" name="bill_vcCity" value="#form.bill_vcCity#">
				<input type="hidden" name="bill_vcST" value="#form.bill_vcST#">
				<input type="hidden" name="bill_numZip" value="#form.bill_numZip#">
				<input type="hidden" name="bill_phone" value="#form.bill_numPhone#">
				<tr>
				<td colspan="2">&nbsp;</td>
				</tr>
				<tr>
				<td>
				<a href="##" onclick="document.forms[0].submit()"><img src="images/button_confirmInfo.gif" width="132" height="18" alt="Confirm Information" title="Confirm Information" border="0"></a><br><br>
				<!-- <input type="Submit" name="submitBtn" value="Confirm"> -->
				</td>
				</tr>
				</form>
				</table>
				</cfoutput>
				
			<!--- </CFIF> --->
		<CFELSEIF isDefined("form.action") and form.action EQ "confirm">
				<cfquery name="findOrder" datasource="#request.dsn#">
					INSERT INTO HL_OrderEstimates(credit_card_type,credit_card_number,credit_card_month,credit_card_year,credit_card_name,invoiceProcessed,autopay,autopayDate, billing_fname,billing_lname,billing_address1, billing_city,billing_state,billing_zip, billing_phone, customerNumber)
					VALUES('#form.selCreditCard#','#form.numCredit#','#form.selExpMonth#','#form.selExpYear#','#form.vcCreditName#', 0, 1,getDate(),'#form.bill_fname#','#form.bill_lname#','#form.Bill_vcAddress1#','#form.bill_vcCity#', '#form.bill_vcST#', '#form.bill_numZip#', '#form.bill_phone#', '#customerNumber#')
				</cfquery>
 
0
 

Try using cfqueryparam on all of the insert values. It works for me with MySQL.

 
1
 

Personally, I'd be worried by how readily reversible the encryption of valuable credit card details appears to be.

 
0
 

look my friend i had the same problem and i solved using this kind of encryption

<cfparam name="Request.PasswordKey" default="keyyyyyyyyyyyyyy">
 <cfset Encrypted = Encrypt(form.number,  Request.PasswordKey)>
<cfquery datasource="db">
		Insert Into table (field1, field2, ,field3)
		Values
        (<cfqueryparam value="#form.na#">, <cfqueryparam value="#Encrypted#">)
      	</cfquery>
and when you want to decrypt the date
use 
<cfset decrypt = decrypt(fildes, Request.PasswordKey)>

hope it help
Thanks

 
0
 

look my friend i had the same problem and i solved using this kind of encryption

Encryption was not the problem. It was the lack of cfqueryparam, as I already mentioned.

Though, I agree with Salem about security. If you are storing credit card information security and encryption should be very tight. If you are not well versed in it or don't have the experience and resources, there are reputable companies that do. Consider the liability if security is poor ..

 
0
 

Nope still stops inputing the value at "

Tried this

<cfquery name="findOrder" datasource="#request.dsn#">
					INSERT INTO HL_OrderEstimates(credit_card_type,credit_card_number)
				Values (<cfqueryparam value="#form.selCreditCard#" cfsqltype="(Varchar)">,<cfqueryparam value="#form.numCredit#">)
				</cfquery>
 
0
 

How reversable are they if you don't have the key?

 
0
 

what is the data type in the database for credit_card_type,credit_card_number, isn't varchar, and another thing take off the cfsqltype="(Varchar)" from the cfqueryparam.
and if you want to solve the problem just use the encryption method i send it to you.
i do have the link for the encryption example and i will send it to you tomorrow from work.
Thanks

 
0
 

I did take out the cfsqltype anything I try I can't get it to store the encryption string. Database types i tried varchar nvarchar and ntext right now it's back to varchar

 
0
 

You need to use the correct syntax. "cfsqltype="(Varchar)"> is not a valid cfsqltype. If you use an invalid type ColdFusion defaults to the type for "char" which may cause unexpected results. All cfsqltypes start with "cf_" like: cf_sql_varchar, cf_sql_integer, etc... You can look up the types in the online documentation.

http://www.google.com/url?sa=U&start=1&q=http://livedocs.adobe.com/coldfusion/8/Tags_p-q_18.html&ei=-PdKSYTXOYnYsAPK45imDQ&usg=AFQjCNHJC-VdBegBKH1uclqArulJB8sCkw

I tried it with MySQL and cfqueryparam and it worked perfectly. That also assumes the column is long enough to hold the inserted value.

 
0
 

How reversable are they if you don't have the key?

Adobe's own documentation states that Encrypt uses the CFMX_COMPAT method by default and "This algorithm is the least secure option (default). " Not very secure in comparison to other, better, encryption algorithms. Would you use it if you thought you might be held liable for the consequences?

 
0
 

All the others you need to use generate secret key. How would that work how do I decrypt the credit card if I don't know what the key is?

 
0
 

Try this encryption method
http://tutorial113.easycfm.com/

Now I know you are joking around .. because that still uses Encrypt - with the default CFMX_COMPAT. Hardly good enough security for credit card information.

 
0
 

All the others you need to use generate secret key. How would that work how do I decrypt the credit card if I don't know what the key is?

It is not just encryption. Some credit card companies require merchants to meet certain requirements and also pass a certification process if they intend to store credit card info.

http://extranet.mivamerchant.com/forums/showthread.php?t=19217

Isn't it about time forums rewarded their contributors?

Earn rewards points for helping others. Gain kudos. Cash out. Get better answers yourself.

It's as simple as contributing editorial or replying to discussions labeled or OP Kudos

You
This article has been dead for over six months: Start a new discussion instead
Post:
Start New Discussion
Tags Related to this Article