I'm tring to display an encrypted number store in sql database I have a key store in my application.cfm. and they number in my database is encrypted. My display code looks like this

<cfloop query="Get_Orders">
	<td><div class="content_black">#Get_Orders.Credit_Card_Type#&nbsp;</div></td>
  <cfset key = #application.key#>
  <cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
  <cfset CardDec = decrypt(Cardnum, key)>
	<td><div class="content_black">#CardDec#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Month#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Year#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Credit_Card_Name#&nbsp;</div></td>
	<td><div class="content_black">#Get_Orders.Comments#&nbsp;</div></td>
	<td><textarea name="HL_Comments_#Get_Orders.Order_Estimate_ID#" cols="20" rows="5">#Get_Orders.HL_Comments#</textarea></td>
	<td align="center"><input type="Checkbox" name="Contacted_#Get_Orders.Order_Estimate_ID#" value="1"<cfif Get_Orders.Contacted IS 1> checked</cfif>></td>
	<td><div class="content_black">#Get_Orders.customerNumber#</div></td>
	<td><div class="content_black">#Get_Orders.billing_phone#</div></td>
	<td><div class="content_black">#Get_Orders.Billing_Email#&nbsp;</div></td>
	<td><div class="content_black">#DollarFormat(Get_Orders.invoiceAmt)#</div></td>
	<td align="center"><div class="content_black"><input type="Checkbox" name="Processed_#Get_Orders.Order_Estimate_ID#" value="1"<cfif Get_Orders.invoiceProcessed IS 1> checked</cfif>></div></td>

Well it turns out when every my encrypted string has a " in it when it gets store to my sql database it stops at the " . Is there any way to create the encryption string with no characters?

Is that a double quote or two single quotes? What syntax are you using to insert the encrypted string into the database?

Side notes:

Since I don't work with cc's I am curious... is it a good idea to actually display the full credit card number on the web page?

<cfset key = #application.key#>
<cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
<cfset CardDec = decrypt(Cardnum, key)>

This has nothing to do with the problem, but there is no need for those # signs. Just use:

<cfset Cardnum = Get_Orders.Credit_Card_Number>
<cfset CardDec = decrypt(Cardnum, application.key)>

Here is the syntex

<cfset string = FORM.numCredit>
                    <cfset key = ToBase64(BinaryDecode(#application.key#, "HEX"))>
                    <cfset encrypted = encrypt(string, key)>

here is the encrypted string

0U5K" Z7*%U;#T,(/B?GX)0

it will only insert OU5K into the data base

Here is another
0U5[" ZG&$E/&T\8#BOC[(P

my sql table has

I also tried

<cfset key = #application.key#>
<cfset Cardnum = '#Get_Orders.Credit_Card_Number#'>
<cfset CardDec = decrypt(Cardnum, key)>

and I still get " in my output

After I get this working thats my next task to trim the credit card being displayed on the page to the last 4 numbers

Here is the syntex

<cfset string = FORM.numCredit>
                    <cfset key = ToBase64(BinaryDecode(#application.key#, "HEX"))>
                    <cfset encrypted = encrypt(string, key)>

Are you using cfqueryparam when you insert the value into the database table?

INSERT INTO YourTable ( EncryptedValue )
<cfqueryparam value="#encrypted#" cfsqltype="( sql type for the column )">

Here is my insert string

<form action="payments_autopay.cfm" method="post">
				<input type="Hidden" name="action" value="confirm">
				<input type="Hidden" name="selCreditCard" value="#form.selCreditCard#">
				<input type="hidden" name="numCredit" value="#encrypted#">
				<input type="hidden" name="selExpMonth" value="#form.selExpMonth#">
				<input type="Hidden" name="selExpYear" value="#form.selExpYear#">
				<input type="Hidden" name="vcCreditName" value="#form.vcCreditName#">
				<input type="Hidden" name="customerNumber" value="#customerNumber#">
				<!--- <input type="Hidden" name="orderID" value="#findOrder.Order_Estimate_ID#"> --->
				<input type="Hidden" name="comments" value="#form.vccomments#">
				<input type="Hidden" name="email" value="#form.email#">
				<input type="hidden" name="bill_fname" value="#form.bill_vcfname#">
				<input type="hidden" name="bill_lname" value="#form.bill_vclname#">
				<input type="hidden" name="Bill_vcAddress1" value="#form.Bill_vcAddress1#">
				<input type="hidden" name="bill_vcCity" value="#form.bill_vcCity#">
				<input type="hidden" name="bill_vcST" value="#form.bill_vcST#">
				<input type="hidden" name="bill_numZip" value="#form.bill_numZip#">
				<input type="hidden" name="bill_phone" value="#form.bill_numPhone#">
				<td colspan="2">&nbsp;</td>
				<a href="##" onclick="document.forms[0].submit()"><img src="images/button_confirmInfo.gif" width="132" height="18" alt="Confirm Information" title="Confirm Information" border="0"></a><br><br>
				<!-- <input type="Submit" name="submitBtn" value="Confirm"> -->
			<!--- </CFIF> --->
		<CFELSEIF isDefined("form.action") and form.action EQ "confirm">
				<cfquery name="findOrder" datasource="#request.dsn#">
					INSERT INTO HL_OrderEstimates(credit_card_type,credit_card_number,credit_card_month,credit_card_year,credit_card_name,invoiceProcessed,autopay,autopayDate, billing_fname,billing_lname,billing_address1, billing_city,billing_state,billing_zip, billing_phone, customerNumber)
					VALUES('#form.selCreditCard#','#form.numCredit#','#form.selExpMonth#','#form.selExpYear#','#form.vcCreditName#', 0, 1,getDate(),'#form.bill_fname#','#form.bill_lname#','#form.Bill_vcAddress1#','#form.bill_vcCity#', '#form.bill_vcST#', '#form.bill_numZip#', '#form.bill_phone#', '#customerNumber#')

Personally, I'd be worried by how readily reversible the encryption of valuable credit card details appears to be.

look my friend i had the same problem and i solved using this kind of encryption

<cfparam name="Request.PasswordKey" default="keyyyyyyyyyyyyyy">
 <cfset Encrypted = Encrypt(form.number,  Request.PasswordKey)>
<cfquery datasource="db">
		Insert Into table (field1, field2, ,field3)
        (<cfqueryparam value="#form.na#">, <cfqueryparam value="#Encrypted#">)
and when you want to decrypt the date
<cfset decrypt = decrypt(fildes, Request.PasswordKey)>

hope it help

look my friend i had the same problem and i solved using this kind of encryption

Encryption was not the problem. It was the lack of cfqueryparam, as I already mentioned.

Though, I agree with Salem about security. If you are storing credit card information security and encryption should be very tight. If you are not well versed in it or don't have the experience and resources, there are reputable companies that do. Consider the liability if security is poor ..

Nope still stops inputing the value at "

Tried this

<cfquery name="findOrder" datasource="#request.dsn#">
					INSERT INTO HL_OrderEstimates(credit_card_type,credit_card_number)
				Values (<cfqueryparam value="#form.selCreditCard#" cfsqltype="(Varchar)">,<cfqueryparam value="#form.numCredit#">)

what is the data type in the database for credit_card_type,credit_card_number, isn't varchar, and another thing take off the cfsqltype="(Varchar)" from the cfqueryparam.
and if you want to solve the problem just use the encryption method i send it to you.
i do have the link for the encryption example and i will send it to you tomorrow from work.

I did take out the cfsqltype anything I try I can't get it to store the encryption string. Database types i tried varchar nvarchar and ntext right now it's back to varchar

You need to use the correct syntax. "cfsqltype="(Varchar)"> is not a valid cfsqltype. If you use an invalid type ColdFusion defaults to the type for "char" which may cause unexpected results. All cfsqltypes start with "cf_" like: cf_sql_varchar, cf_sql_integer, etc... You can look up the types in the online documentation.


I tried it with MySQL and cfqueryparam and it worked perfectly. That also assumes the column is long enough to hold the inserted value.

How reversable are they if you don't have the key?

Adobe's own documentation states that Encrypt uses the CFMX_COMPAT method by default and "This algorithm is the least secure option (default). " Not very secure in comparison to other, better, encryption algorithms. Would you use it if you thought you might be held liable for the consequences?

All the others you need to use generate secret key. How would that work how do I decrypt the credit card if I don't know what the key is?

OK let me get this straight, We have a pay invoice on our website you submit your info that gets stored in a sql database. Every day a girl in our office checks a password protected back end that displays the info in from the sql database. My question is if I use DES BLOWFISH OR AES i have to use generatesecretkey which is random. If I don't know what that key is how do I decrypt the cc info on the back end. I can't store that key in the database next to the cc number that would defeat the whole purpose.

That's why i ask why can't I use CFMX_COMPAT if they get into the database and don't know what the key is how do they decrypt the number.

Well, like I said at am not familiar with storing CC's. So I am really not the one to be giving you advice on how to properly secure them. What I will say is that assumedly, Adobe engineers are familiar with encryption, and if they say it is the least secure of the methods, I personally believe them.

Plus, credit card companies can have their own restrictions about merchants storing credit card information. As I understand it, it is not like you can just decide to store information and it is okay with them. You have to be certified and meet certain requirements - of which encryption is probably only one. Only they can say whether or not your setup meets their requirements.

While I may not be able to answer your questions, I think hhamdan is giving you bad advice. He seems more interested in providing "an answer" than trying to provide the correct answer. My advice would be to seek an another area or another forum with more focus and experience with security. But that is just me, and I am not the one who may be held liable. So the choice is yours.

Well I got the strong encryption to work further investigation i can use a stored key for aes, des, and blowfish, I guess I'll worry about the " when i come across it. So far I tested about 15 cards and none show the "

Thanks for everyone's input at least I learned something new!

Do the customers know you are storing there credit card numbers? Do the credit card companies know about this? I think that both parties would have a problem with you storing this information without their knowing and without you having the proper security credentials.

Yes indeed, a disaster waiting to happen. We should be told the name of the store, so we can avoid it.
This article has been dead for over six months. Start a new discussion instead.