Decrypting an encrypted credit card number

freshfitz

I'm trying to display an encrypted number stored in a SQL database. I have a key stored in my application.cfm, and the number in my database is encrypted. My display code looks like this:

<cfloop query="Get_Orders">
<cfoutput>
<tr>
	
	<td><div class="content_black">#Get_Orders.Credit_Card_Type#&nbsp;</div></td>
	
  <cfset key = #application.key#>
  <cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
  <cfset CardDec = decrypt(Cardnum, key)>
   
  
	<td><div class="content_black">#CardDec#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Month#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Year#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Name#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Comments#&nbsp;</div></td>
	<td><textarea name="HL_Comments_#Get_Orders.Order_Estimate_ID#" cols="20" rows="5">#Get_Orders.HL_Comments#</textarea></td>
	<td align="center"><input type="Checkbox" name="Contacted_#Get_Orders.Order_Estimate_ID#" value="1"<cfif Get_Orders.Contacted IS 1> checked</cfif>></td>
	<td><div class="content_black">#Get_Orders.customerNumber#</div></td>
	<td><div class="content_black">#Get_Orders.billing_phone#</div></td>
	<td><div class="content_black">#Get_Orders.Billing_Email#&nbsp;</div></td>
	<td><div class="content_black">#DollarFormat(Get_Orders.invoiceAmt)#</div></td>
	<td align="center"><div class="content_black"><input type="Checkbox" name="Processed_#Get_Orders.Order_Estimate_ID#" value="1"<cfif Get_Orders.invoiceProcessed IS 1> checked</cfif>></div></td>
 
 </tr>
</cfoutput>
</cfloop>

freshfitz

Well, it turns out that whenever my encrypted string has a " in it, it stops at the " when it gets stored to my SQL database. Is there any way to create the encryption string with no characters?

arrgh

Is that a double quote or two single quotes? What syntax are you using to insert the encrypted string into the database?

Side notes:

Since I don't work with cc's I am curious... is it a good idea to actually display the full credit card number on the web page?

<cfset key = #application.key#>
<cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
<cfset CardDec = decrypt(Cardnum, key)>

This has nothing to do with the problem, but there is no need for those # signs. Just use:

<cfset Cardnum = Get_Orders.Credit_Card_Number>
<cfset CardDec = decrypt(Cardnum, application.key)>

freshfitz

Here is the syntax

<cfset string = FORM.numCredit>
                    <cfset key = ToBase64(BinaryDecode(#application.key#, "HEX"))>
                    <cfset encrypted = encrypt(string, key)>

Here is the encrypted string

0U5K" Z7*%U;#T,(/B?GX)0

It will only insert OU5K into the database

Here is another
0U5[" ZG&$E/&T\8#BOC[(P

My SQL table has
OU5[

I also tried

<cfset key = #application.key#>
<cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
<cfset CardDec = decrypt(Cardnum, key)>

and I still get " in my output


After I get this working, that's my next task: to trim the credit card being displayed on the page to the last 4 numbers.

arrgh

Here is the syntax

<cfset string = FORM.numCredit>
                    <cfset key = ToBase64(BinaryDecode(#application.key#, "HEX"))>
                    <cfset encrypted = encrypt(string, key)>

Are you using cfqueryparam when you insert the value into the database table?

INSERT INTO YourTable ( EncryptedValue )
VALUES 
(
<cfqueryparam value="#encrypted#" cfsqltype="( sql type for the column )">
)

freshfitz

Here is my insert string

<form action="payments_autopay.cfm" method="post">
				<input type="Hidden" name="action" value="confirm">
				<input type="Hidden" name="selCreditCard" value="#form.selCreditCard#">
				<input type="hidden" name="numCredit" value="#encrypted#">
				<input type="hidden" name="selExpMonth" value="#form.selExpMonth#">
				<input type="Hidden" name="selExpYear" value="#form.selExpYear#">
				<input type="Hidden" name="vcCreditName" value="#form.vcCreditName#">
				<input type="Hidden" name="customerNumber" value="#customerNumber#">
				<!--- <input type="Hidden" name="orderID" value="#findOrder.Order_Estimate_ID#"> --->
				<input type="Hidden" name="comments" value="#form.vccomments#">
				<input type="Hidden" name="email" value="#form.email#">
				<input type="hidden" name="bill_fname" value="#form.bill_vcfname#">
				<input type="hidden" name="bill_lname" value="#form.bill_vclname#">
				<input type="hidden" name="Bill_vcAddress1" value="#form.Bill_vcAddress1#">
				<input type="hidden" name="bill_vcCity" value="#form.bill_vcCity#">
				<input type="hidden" name="bill_vcST" value="#form.bill_vcST#">
				<input type="hidden" name="bill_numZip" value="#form.bill_numZip#">
				<input type="hidden" name="bill_phone" value="#form.bill_numPhone#">
				<tr>
				<td colspan="2">&nbsp;</td>
				</tr>
				<tr>
				<td>
				<a href="##" onclick="document.forms[0].submit()"><img src="images/button_confirmInfo.gif" width="132" height="18" alt="Confirm Information" title="Confirm Information" border="0"></a><br><br>
				<!-- <input type="Submit" name="submitBtn" value="Confirm"> -->
				</td>
				</tr>
				</form>
				</table>
				</cfoutput>
				
			<!--- </CFIF> --->
		<CFELSEIF isDefined("form.action") and form.action EQ "confirm">
				<cfquery name="findOrder" datasource="#request.dsn#">
					INSERT INTO HL_OrderEstimates(credit_card_type,credit_card_number,credit_card_month,credit_card_year,credit_card_name,invoiceProcessed,autopay,autopayDate, billing_fname,billing_lname,billing_address1, billing_city,billing_state,billing_zip, billing_phone, customerNumber)
					VALUES('#form.selCreditCard#','#form.numCredit#','#form.selExpMonth#','#form.selExpYear#','#form.vcCreditName#', 0, 1,getDate(),'#form.bill_fname#','#form.bill_lname#','#form.Bill_vcAddress1#','#form.bill_vcCity#', '#form.bill_vcST#', '#form.bill_numZip#', '#form.bill_phone#', '#customerNumber#')
				</cfquery>

arrgh

Try using cfqueryparam on all of the insert values. It works for me with MySQL.

Salem

Personally, I'd be worried by how readily reversible the encryption of valuable credit card details appears to be.

hhamdan

Look my friend, I had the same problem and I solved it using this kind of encryption

<cfparam name="Request.PasswordKey" default="keyyyyyyyyyyyyyy">
<cfset Encrypted = Encrypt(form.number, Request.PasswordKey)>
<cfquery datasource="db">
    Insert Into table (field1, field2)
    Values
    (<cfqueryparam value="#form.na#">, <cfqueryparam value="#Encrypted#">)
</cfquery>

And when you want to decrypt the data, use

<cfset decrypt = decrypt(fildes, Request.PasswordKey)>

Hope it helps
Thanks

arrgh

Look my friend, I had the same problem and I solved it using this kind of encryption

Encryption was not the problem. It was the lack of cfqueryparam, as I already mentioned.

Though, I agree with Salem about security. If you are storing credit card information, security and encryption should be very tight. If you are not well versed in it or don't have the experience and resources, there are reputable companies that do. Consider the liability if security is poor ..

freshfitz

Nope, it still stops inputting the value at "

Tried this

<cfquery name="findOrder" datasource="#request.dsn#">
					INSERT INTO HL_OrderEstimates(credit_card_type,credit_card_number)
				Values (<cfqueryparam value="#form.selCreditCard#" cfsqltype="(Varchar)">,<cfqueryparam value="#form.numCredit#">)
				</cfquery>

freshfitz

How reversible are they if you don't have the key?

hhamdan

What is the data type in the database for credit_card_type and credit_card_number, isn't it varchar? And another thing: take off the cfsqltype="(Varchar)" from the cfqueryparam.
And if you want to solve the problem, just use the encryption method I sent you.
I do have the link for the encryption example and I will send it to you tomorrow from work.
Thanks

freshfitz

I did take out the cfsqltype. Anything I try, I can't get it to store the encryption string. Database types I tried: varchar, nvarchar and ntext; right now it's back to varchar.

arrgh

You need to use the correct syntax. cfsqltype="(Varchar)" is not a valid cfsqltype. If you use an invalid type, ColdFusion defaults to the type for "char", which may cause unexpected results. All cfsqltypes start with "cf_" like: cf_sql_varchar, cf_sql_integer, etc. You can look up the types in the online documentation.

http://livedocs.adobe.com/coldfusion/8/Tags_p-q_18.html

I tried it with MySQL and cfqueryparam and it worked perfectly. That also assumes the column is long enough to hold the inserted value.

arrgh

How reversible are they if you don't have the key?

Adobe's own documentation states that Encrypt uses the CFMX_COMPAT method by default and "This algorithm is the least secure option (default)." Not very secure in comparison to other, better, encryption algorithms. Would you use it if you thought you might be held liable for the consequences?

hhamdan

Try this encryption method
http://tutorial113.easycfm.com/

freshfitz

For all the others you need to use generate secret key. How would that work? How do I decrypt the credit card if I don't know what the key is?

arrgh

Try this encryption method
http://tutorial113.easycfm.com/

Now I know you are joking around .. because that still uses Encrypt - with the default CFMX_COMPAT. Hardly good enough security for credit card information.

arrgh

For all the others you need to use generate secret key. How would that work? How do I decrypt the credit card if I don't know what the key is?

It is not just encryption. Some credit card companies require merchants to meet certain requirements and also pass a certification process if they intend to store credit card info.

http://extranet.mivamerchant.com/forums/showthread.php?t=19217
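
The points raised across this thread (a ciphertext with no quote characters, cfqueryparam with a valid cf_sql_* type, an algorithm other than the default CFMX_COMPAT, a generated key that is kept for later decryption, and showing only the last four digits), combined in one added example. It is not code from any poster; application.cardKey and the query name saveOrder are hypothetical names, and the table and column names are the ones shown in the thread.

```cfml
<!--- Added example, not code from the thread. application.cardKey and the
      query name saveOrder are hypothetical; table and column names are the
      ones shown in the thread. --->

<!--- Key handling: GenerateSecretKey("AES") is run ONCE and its Base64 result
      is kept (outside the database and web root). Decrypt needs that same
      key, so it is never regenerated per request. Generating it here on
      first use is for demonstration only: it is lost on restart. --->
<cfif NOT structKeyExists(application, "cardKey")>
    <cfset application.cardKey = generateSecretKey("AES")>
</cfif>

<!--- AES instead of the default CFMX_COMPAT, and "Hex" instead of the default
      UU encoding. Hex output is only 0-9 and A-F, so the value cannot contain
      a double quote and survives an HTML value="..." attribute and a SQL
      statement unchanged. With no IV argument, ColdFusion generates a random
      IV for CBC mode and prepends it to the result. --->
<cfset encrypted = encrypt(form.numCredit, application.cardKey,
                           "AES/CBC/PKCS5Padding", "Hex")>

<!--- Parameterized insert with valid cf_sql_* types. The column must be long
      enough: a 16-digit number yields about 96 hex characters. --->
<cfquery name="saveOrder" datasource="#request.dsn#">
    INSERT INTO HL_OrderEstimates (credit_card_type, credit_card_number)
    VALUES (
        <cfqueryparam value="#form.selCreditCard#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#encrypted#" cfsqltype="cf_sql_varchar">
    )
</cfquery>

<!--- Display page: decrypt with the same key, algorithm and encoding, then
      show only the last four digits. --->
<cfloop query="Get_Orders">
    <cfset cardDec = decrypt(Get_Orders.Credit_Card_Number, application.cardKey,
                             "AES/CBC/PKCS5Padding", "Hex")>
    <cfset masked = repeatString("*", max(len(cardDec) - 4, 0)) & right(cardDec, 4)>
    <cfoutput><td>#htmlEditFormat(masked)#</td></cfoutput>
</cfloop>
```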
