+- Form Tools (https://forums.formtools.org)
+-- Forum: Form Tools (https://forums.formtools.org/forumdisplay.php?fid=1)
+--- Forum: General Discussion (https://forums.formtools.org/forumdisplay.php?fid=5)
+--- Thread: Storing Credit card numbers (/showthread.php?tid=1642)
Storing Credit card numbers - qedao - Sep 18th, 2011
Hello:
I read the documentation and search the forums, but could not find anything about storing credit cards.
I guess there must be a simple way to avoid having the credit card numbers stored as plain strings in the database?
Thanks everyone
RE: Storing Credit card numbers - Ben - Sep 19th, 2011
Actually, I'm afraid not! Right now, there's no encryption done on any fields except Form Tools user account password fields.
Generally it's never a good idea to store credit card information. I know that sometimes it's a necessity, but I'd avoid it if you can.
Quick explanation about why encryption hasn't been added yet.
The thing is, if you were to store credit card info, you'd need to use what's called "two-way encryption", unlike password encryption which is one-way. One way is far more secure than two-way.
To explain: when you log in, you always type in your password. To confirm that that password is valid, the system encrypts the supplied password and compares it with the encrypted value stored in the database. This way, the saved, encrypted password is never actually decrypted - and in fact, it can't be: that's the purpose of 1-way encryption.
But if you ever need to encrypt other information (like credit cards), it means you want to re-use it later on, which means it'll have to be decrypted later on. Two-way encryption is so limited from a security point of view, it never struck me as worth it... if someone were to get access to your database, they could easily find out the encryption method and decrypt it themselves.
So that's why I haven't bothered adding this feature yet. That said, it would be a relatively easy module to put together, I suppose...
Sorry I couldn't be any help.
- Ben
RE: Storing Credit card numbers - qedao - Sep 19th, 2011
Ben,
Thanks for the answer.
Unfortunately for us is mandatory to store the CC info.
So i guess I will have to code that two-way encryption.
Where would you recommend to put the code that will alter the values before they are stored in the database?
Thanks!
RE: Storing Credit card numbers - Ben - Sep 19th, 2011
Check out the Submission Pre-Parser module. That lets you execute arbitrary code on the form submission data after it's inserted / updated.
http://modules.formtools.org/submission_pre_parser/
Good luck!
- Ben
RE: Storing Credit card numbers - qedao - Sep 19th, 2011
This is precisely what i needed, I don't know how I overlooked it when I browse the list of available modes.
Again thank you!
RE: Storing Credit card numbers - Ben - Sep 20th, 2011
No worries - good luck getting it all configured.
- Ben
RE: Storing Credit card numbers - bgarlock - Mar 1st, 2012
Would it be possible to show an example of how you would use this to store encrypted data in a textarea field?
RE: Storing Credit card numbers - Ben - Mar 1st, 2012
Hi bgarlock,
This morning I caught your post and thought I'd rustle up a quick fix. 8 hours later I finally have a solution. Yowch!
Turns out I need to release a Core + Hooks Manager update to allow for this to work properly. I'll release the Hooks Manager 1.1.3 tomorrow, and Core 2.2.2 early next week. Once that's done, I'll put together a tutorial explaining how to do it. It's not the most elegant thing in the world (it really lends itself to a module), but it seems to work pretty well.
If you don't hear back from me after 2.2.2 is released, let me know.
- Ben
RE: Storing Credit card numbers - bgarlock - Mar 2nd, 2012
Wow! Thanks so much for this, Ben :-) I'll give it a whirl..
RE: Storing Credit card numbers - bill09 - Mar 26th, 2012
Hi Ben,
Did you get a chance to create the tutorial mentioned in post #8? This will be very useful!
Thanks!
Bill