Applying MD5 to cc_number?


jacobr

I'm looking for a way to keep the credit card information in my database, but encrypted (either with MD5 or whatever - I don't know much about encryption techniques) - so that if I pull up the order through my SSL Admin, it's safe for it to show me the credit card number so I can process the order (which I do manually). I'm not really happy with the 'rip out the middle 8 digits and email them to me separately' solution that the stock cc.php provides because of the logistical nightmare if an email doesn't come through, gets lost, etc. I haven't found the OSC emailer to be the most reliable thing on earth, and if the middle half of a credit card didn't come through, I'd hate to call the customer to ask for it.

I've seen people in other posts from my multiple searches mention contributions that do what I'm talking about (encrypt CC # in full in database, display only in admin, don't email to anybody), but after searching over there for a bit, I can't find one that does it.

I'm hoping it's as simple as the Master Password contrib SQL - i.e.:

INSERT INTO a_table (password) VALUES (MD5('yourpassword'));

which makes 'yourpassword' encrypted with MD5

I just want the cc_number to be encrypted and accessible through Admin (after which I'll delete it when I'm done with the order). I hunted through the cc module, checkout_process.php, etc but couldn't find the SQL statement that inserts the cc_number value into the database.

Is this possible?

Jacob

MD5 is not encryption, it's a one-way hash.

When someone chooses a password, that doesn't get stored in the database. Instead, the hash function is run against it, and the resulting value is stored in the database.

When someone inputs their password for a subsequent login, osC runs the hash function against it to see if the resultant hash matches what we have in the database.

Hashing isn't encryption, it's a mathematical way to uniquely identify the password without actually storing the password. You can't "un-hash" it.

I'm sure that there are better explanations of hashing somewhere . . .

-jared

Ok, I get it then. Since I wouldn't know the original CC number to verify against the hash equivalent, that wouldn't really work (I think). Thanks for the good info on hashing though.

Do you (or anybody) know of a way to do what I'm looking for, or a contribution that can do it?

Jacob

I just searched for "encrypt" and found this one: http://www.oscommerce.com/community/contributions,2013

take note of the following, though:

These changes are in the main file, just forgot to include them in the text.

Changes:

Install alters orders table to allow for a GPG Encrypted CC

CC of Orders are now stored in the DB GPG Encrypted

TODOs:

Add option to have GPG Decryption in Admin Order Display

*Currently you will have to use a GPG Decryption Program to get the CC off the Admin Page

-jared
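
The distinction drawn in this thread, as an added example that is not part of the original posts or of the linked contribution: a hash can only be compared against a candidate, while public-key encryption lets the shop store a value that only the private-key holder can read back. It uses PHP's OpenSSL functions in place of GPG; the helper names `encrypt_cc` and `decrypt_cc`, the passphrase and the test card number are constructed for illustration.

```php
<?php
// Added example. The card number is a constructed test value, not a real card.
$ccNumber = '4111111111111111';

// 1. Hash: one-way. The only later use is to hash a candidate and compare,
//    which is how the password check described in the thread works.
$storedHash = md5($ccNumber);
$matches = hash_equals($storedHash, md5('4111111111111111'));
echo "hash matches candidate: " . ($matches ? 'yes' : 'no') . "\n";
// No function turns $storedHash back into the number for manual processing.

// 2. Public-key encryption: reversible, but only with the private key.
// Assumption: the pair is generated on the admin's own machine and only
// $publicPem is deployed to the shop; it is generated inline here for the demo.
$pair = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($pair === false) {
    exit("key generation failed\n");
}
openssl_pkey_export($pair, $privatePem, 'demo-passphrase'); // constructed passphrase
$publicPem = openssl_pkey_get_details($pair)['key'];

// Hypothetical helper: what the checkout code would call before the INSERT.
function encrypt_cc(string $cc, string $publicPem): string
{
    if (!openssl_public_encrypt($cc, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($cipher); // text-safe value for the database column
}

// Hypothetical helper: run where the private key lives, not on the web server.
function decrypt_cc(string $stored, string $privatePem, string $passphrase): string
{
    $key = openssl_pkey_get_private($privatePem, $passphrase);
    if ($key === false
        || !openssl_private_decrypt(base64_decode($stored), $plain, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

$dbValue = encrypt_cc($ccNumber, $publicPem);
echo "stored value is ciphertext: " . ($dbValue !== $ccNumber ? 'yes' : 'no') . "\n";
echo "round trip ok: " . (decrypt_cc($dbValue, $privatePem, 'demo-passphrase') === $ccNumber ? 'yes' : 'no') . "\n";
```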
