We're a community of 1077K IT Pros here for help, advice, solutions, professional growth and fun. Join us!
1,076,494 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Start New Discussion Reply to this Discussion
Ad: Free Investment Planning kit
4 Years Ago
0

Decrypting an encrupted credit card number

I'm tring to display an encrypted number store in sql database I have a key store in my application.cfm. and they number in my database is encrypted. My display code looks like this

<cfloop query="Get_Orders">
<cfoutput>
<tr>
	
	<td><div class="content_black">#Get_Orders.Credit_Card_Type#&nbsp;</div></td>
	
  <cfset key = #application.key#>
  <cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
  <cfset CardDec = decrypt(Cardnum, key)>
   
  
	<td><div class="content_black">#CardDec#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Month#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Year#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Name#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Comments#&nbsp;</div></td>
	<td><textarea name="HL_Comments_#Get_Orders.Order_Estimate_ID#" cols="20" rows="5">#Get_Orders.HL_Comments#</textarea></td>
	<td align="center"><input type="Checkbox" name="Contacted_#Get_Orders.Order_Estimate_ID#" value="1"<cfif Get_Orders.Contacted IS 1> checked</cfif>></td>
	<td><div class="content_black">#Get_Orders.customerNumber#</div></td>
	<td><div class="content_black">#Get_Orders.billing_phone#</div></td>
	<td><div class="content_black">#Get_Orders.Billing_Email#&nbsp;</div></td>
	<td><div class="content_black">#DollarFormat(Get_Orders.invoiceAmt)#</div></td>
	<td align="center"><div class="content_black"><input type="Checkbox" name="Processed_#Get_Orders.Order_Estimate_ID#" value="1"<cfif Get_Orders.invoiceProcessed IS 1> checked</cfif>></div></td>
 
 </tr>
</cfoutput>
</cfloop>
5
Contributors
23
Replies
1 Week
Discussion Span
4 Years Ago
Last Updated
24
Views
freshfitz
Posting Pro in Training
436 posts since Sep 2008
Reputation Points: 12
Solved Threads: 36
Skill Endorsements: 0
4 Years Ago
0

Well it turns out when every my encrypted string has a " in it when it gets store to my sql database it stops at the " . Is there any way to create the encryption string with no characters?

freshfitz
Posting Pro in Training
436 posts since Sep 2008
Reputation Points: 12
Solved Threads: 36
Skill Endorsements: 0
4 Years Ago
0

Is that a double quote or two single quotes? What syntax are you using to insert the encrypted string into the database?

Side notes:

Since I don't work with cc's I am curious... is it a good idea to actually display the full credit card number on the web page?

<cfset key = #application.key#>
<cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
<cfset CardDec = decrypt(Cardnum, key)>

This has nothing to do with the problem, but there is no need for those # signs. Just use:

<cfset Cardnum = Get_Orders.Credit_Card_Number>
<cfset CardDec = decrypt(Cardnum, application.key)>

arrgh
Posting Pro in Training
405 posts since Dec 2008
Reputation Points: 32
Solved Threads: 50
Skill Endorsements: 0
4 Years Ago
0

Here is the syntex

<cfset string = FORM.numCredit>
                    <cfset key = ToBase64(BinaryDecode(#application.key#, "HEX"))>
                    <cfset encrypted = encrypt(string, key)>

here is the encrypted string

0U5K" Z7*%U;#T,(/B?GX)0

it will only insert OU5K into the data base

Here is another
0U5[" ZG&$E/&T\8#BOC[(P

my sql table has
OU5[

I also tried

<cfset key = #application.key#>
<cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
<cfset CardDec = decrypt(Cardnum, key)>

and I still get " in my output


After I get this working thats my next task to trim the credit card being displayed on the page to the last 4 numbers

freshfitz
Posting Pro in Training
436 posts since Sep 2008
Reputation Points: 12
Solved Threads: 36
Skill Endorsements: 0
4 Years Ago
0

Here is the syntex

<cfset string = FORM.numCredit>
                    <cfset key = ToBase64(BinaryDecode(#application.key#, "HEX"))>
                    <cfset encrypted = encrypt(string, key)>

Are you using cfqueryparam when you insert the value into the database table?

INSERT INTO YourTable ( EncryptedValue )
VALUES 
(
<cfqueryparam value="#encrypted#" cfsqltype="( sql type for the column )">
)
arrgh
Posting Pro in Training
405 posts since Dec 2008
Reputation Points: 32
Solved Threads: 50
Skill Endorsements: 0
4 Years Ago
0

Here is my insert string

<form action="payments_autopay.cfm" method="post">
				<input type="Hidden" name="action" value="confirm">
				<input type="Hidden" name="selCreditCard" value="#form.selCreditCard#">
				<input type="hidden" name="numCredit" value="#encrypted#">
				<input type="hidden" name="selExpMonth" value="#form.selExpMonth#">
				<input type="Hidden" name="selExpYear" value="#form.selExpYear#">
				<input type="Hidden" name="vcCreditName" value="#form.vcCreditName#">
				<input type="Hidden" name="customerNumber" value="#customerNumber#">
				<!--- <input type="Hidden" name="orderID" value="#findOrder.Order_Estimate_ID#"> --->
				<input type="Hidden" name="comments" value="#form.vccomments#">
				<input type="Hidden" name="email" value="#form.email#">
				<input type="hidden" name="bill_fname" value="#form.bill_vcfname#">
				<input type="hidden" name="bill_lname" value="#form.bill_vclname#">
				<input type="hidden" name="Bill_vcAddress1" value="#form.Bill_vcAddress1#">
				<input type="hidden" name="bill_vcCity" value="#form.bill_vcCity#">
				<input type="hidden" name="bill_vcST" value="#form.bill_vcST#">
				<input type="hidden" name="bill_numZip" value="#form.bill_numZip#">
				<input type="hidden" name="bill_phone" value="#form.bill_numPhone#">
				<tr>
				<td colspan="2">&nbsp;</td>
				</tr>
				<tr>
				<td>
				<a href="##" onclick="document.forms[0].submit()"><img src="images/button_confirmInfo.gif" width="132" height="18" alt="Confirm Information" title="Confirm Information" border="0"></a><br><br>
				<!-- <input type="Submit" name="submitBtn" value="Confirm"> -->
				</td>
				</tr>
				</form>
				</table>
				</cfoutput>
				
			<!--- </CFIF> --->
		<CFELSEIF isDefined("form.action") and form.action EQ "confirm">
				<cfquery name="findOrder" datasource="#request.dsn#">
					INSERT INTO HL_OrderEstimates(credit_card_type,credit_card_number,credit_card_month,credit_card_year,credit_card_name,invoiceProcessed,autopay,autopayDate, billing_fname,billing_lname,billing_address1, billing_city,billing_state,billing_zip, billing_phone, customerNumber)
					VALUES('#form.selCreditCard#','#form.numCredit#','#form.selExpMonth#','#form.selExpYear#','#form.vcCreditName#', 0, 1,getDate(),'#form.bill_fname#','#form.bill_lname#','#form.Bill_vcAddress1#','#form.bill_vcCity#', '#form.bill_vcST#', '#form.bill_numZip#', '#form.bill_phone#', '#customerNumber#')
				</cfquery>
freshfitz
Posting Pro in Training
436 posts since Sep 2008
Reputation Points: 12
Solved Threads: 36
Skill Endorsements: 0
4 Years Ago
0

Try using cfqueryparam on all of the insert values. It works for me with MySQL.

arrgh
Posting Pro in Training
405 posts since Dec 2008
Reputation Points: 32
Solved Threads: 50
Skill Endorsements: 0
4 Years Ago
1

Personally, I'd be worried by how readily reversible the encryption of valuable credit card details appears to be.

Salem
Posting Sage
Team Colleague
11,531 posts since Dec 2005
Reputation Points: 5,875
Solved Threads: 953
Skill Endorsements: 27
4 Years Ago
0

look my friend i had the same problem and i solved using this kind of encryption

<cfparam name="Request.PasswordKey" default="keyyyyyyyyyyyyyy">
 <cfset Encrypted = Encrypt(form.number,  Request.PasswordKey)>
<cfquery datasource="db">
		Insert Into table (field1, field2, ,field3)
		Values
        (<cfqueryparam value="#form.na#">, <cfqueryparam value="#Encrypted#">)
      	</cfquery>
and when you want to decrypt the date
use 
<cfset decrypt = decrypt(fildes, Request.PasswordKey)>

hope it help
Thanks

hhamdan
Newbie Poster
21 posts since Nov 2008
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
4 Years Ago
0

look my friend i had the same problem and i solved using this kind of encryption

Encryption was not the problem. It was the lack of cfqueryparam, as I already mentioned.

Though, I agree with Salem about security. If you are storing credit card information security and encryption should be very tight. If you are not well versed in it or don't have the experience and resources, there are reputable companies that do. Consider the liability if security is poor ..

arrgh
Posting Pro in Training
405 posts since Dec 2008
Reputation Points: 32
Solved Threads: 50
Skill Endorsements: 0
4 Years Ago
0

Nope still stops inputing the value at "

Tried this

<cfquery name="findOrder" datasource="#request.dsn#">
					INSERT INTO HL_OrderEstimates(credit_card_type,credit_card_number)
				Values (<cfqueryparam value="#form.selCreditCard#" cfsqltype="(Varchar)">,<cfqueryparam value="#form.numCredit#">)
				</cfquery>
freshfitz
Posting Pro in Training
436 posts since Sep 2008
Reputation Points: 12
Solved Threads: 36
Skill Endorsements: 0
4 Years Ago
0

How reversable are they if you don't have the key?

freshfitz
Posting Pro in Training
436 posts since Sep 2008
Reputation Points: 12
Solved Threads: 36
Skill Endorsements: 0
4 Years Ago
0

what is the data type in the database for credit_card_type,credit_card_number, isn't varchar, and another thing take off the cfsqltype="(Varchar)" from the cfqueryparam.
and if you want to solve the problem just use the encryption method i send it to you.
i do have the link for the encryption example and i will send it to you tomorrow from work.
Thanks

hhamdan
Newbie Poster
21 posts since Nov 2008
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
4 Years Ago
0

I did take out the cfsqltype anything I try I can't get it to store the encryption string. Database types i tried varchar nvarchar and ntext right now it's back to varchar

freshfitz
Posting Pro in Training
436 posts since Sep 2008
Reputation Points: 12
Solved Threads: 36
Skill Endorsements: 0
4 Years Ago
0

You need to use the correct syntax. "cfsqltype="(Varchar)"> is not a valid cfsqltype. If you use an invalid type ColdFusion defaults to the type for "char" which may cause unexpected results. All cfsqltypes start with "cf_" like: cf_sql_varchar, cf_sql_integer, etc... You can look up the types in the online documentation.

http://www.google.com/url?sa=U&start=1&q=http://livedocs.adobe.com/coldfusion/8/Tags_p-q_18.html&ei=-PdKSYTXOYnYsAPK45imDQ&usg=AFQjCNHJC-VdBegBKH1uclqArulJB8sCkw

I tried it with MySQL and cfqueryparam and it worked perfectly. That also assumes the column is long enough to hold the inserted value.

arrgh
Posting Pro in Training
405 posts since Dec 2008
Reputation Points: 32
Solved Threads: 50
Skill Endorsements: 0
4 Years Ago
0

How reversable are they if you don't have the key?

Adobe's own documentation states that Encrypt uses the CFMX_COMPAT method by default and "This algorithm is the least secure option (default). " Not very secure in comparison to other, better, encryption algorithms. Would you use it if you thought you might be held liable for the consequences?

arrgh
Posting Pro in Training
405 posts since Dec 2008
Reputation Points: 32
Solved Threads: 50
Skill Endorsements: 0
4 Years Ago
0

Try this encryption method
http://tutorial113.easycfm.com/

hhamdan
Newbie Poster
21 posts since Nov 2008
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
4 Years Ago
0

All the others you need to use generate secret key. How would that work how do I decrypt the credit card if I don't know what the key is?

freshfitz
Posting Pro in Training
436 posts since Sep 2008
Reputation Points: 12
Solved Threads: 36
Skill Endorsements: 0
4 Years Ago
0

Try this encryption method
http://tutorial113.easycfm.com/

Now I know you are joking around .. because that still uses Encrypt - with the default CFMX_COMPAT. Hardly good enough security for credit card information.

arrgh
Posting Pro in Training
405 posts since Dec 2008
Reputation Points: 32
Solved Threads: 50
Skill Endorsements: 0
4 Years Ago
0

All the others you need to use generate secret key. How would that work how do I decrypt the credit card if I don't know what the key is?

It is not just encryption. Some credit card companies require merchants to meet certain requirements and also pass a certification process if they intend to store credit card info.

http://extranet.mivamerchant.com/forums/showthread.php?t=19217

arrgh
Posting Pro in Training
405 posts since Dec 2008
Reputation Points: 32
Solved Threads: 50
Skill Endorsements: 0

This article has been dead for over three months: Start a new discussion instead

Post: Markdown Syntax: Formatting Help
 
You
 
Web Development > ColdFusion
 
© 2013 DaniWeb® LLC
Page rendered in 0.1263 seconds using 2.8MB