0

I don't have a SSL for my website, and I need to pass the credit card number from one page to another page. The scenario is like this.

  1. I will check the credit card number (is that a valid number)
  2. Then i will post the value to another one page response.php

  3. The post value should be encrypted from index.php and I should be able to decrypt it in the next page (response.php)

    <script type="text/javascript">
function validate(payment_form){
var error="";

if(trim(payment_form.credit_card_number.value).length==0){
document.getElementById("credit_card_number_error").innerHTML="Enter Credit Card Number";
error+= false;
}else{
if(IsNumeric(payment_form.credit_card_number.value)==false){
document.getElementById("credit_card_number_error").innerHTML="Enter numeric values";
error+= false;
}
else{
document.getElementById("credit_card_number_error").innerHTML="";
error+= "";
}
}

if(error==""){
return true;
}
else{
return false;
}
}


function IsNumeric(strString)
{
var strValidChars = "0123456789.-";
var strChar;
var blnResult = true;
if (strString.length == 0) return false;
for (i = 0; i < strString.length && blnResult == true; i++)
{
strChar = strString.charAt(i);
if (strValidChars.indexOf(strChar) == -1)
{
blnResult = false;
}
}
return blnResult;
}

</script>



<form id='payment-form' name="payment_form" onSubmit="return validate(this)" action='response.php' method='POST'>
<table>
<tr><td>Credit Card Number</td><td><input type="text" placeholder="Credit Card Number" value="" id="credit_card_number" name="credit_card_number"></td><td><label class="error" id="credit_card_number_error"/></td>
<tr><td></td><td><input type="submit" value="PAYMENT" class="login" id="payment" name="payment"></td></tr>
</table>
</form>

To summarize all, I am using a form to post the credit card number and it needs to be encoded and I would be able to decode it in the next page. Is this possible.

Improve this question
4
  • It's totally possible to do this in PHP but I think you're bette off using a popular existing service; what about checkout.google.com/seller/integrate.html Commented Jun 21, 2013 at 7:40
  • 2
    I don't have a SSL for my website, and I need to pass the credit card number from one page to another page.Stop, get SSL for your website. Do not pass confidential information around without it. Do not pass credit card data around without following the PCI rules. Commented Jun 21, 2013 at 7:41
  • No, @redditor, it's totally impossible to do this in any language or framework. Read my answer below, google "man in the middle" attacks. Commented Jun 21, 2013 at 7:46
  • @Quentin - okay, will never do that , i am gonna buy a SSL :) Commented Jun 21, 2013 at 9:00

3 Answers 3

Reset to default
4

It is impossible to do what you want securely without SSL and "real" certificates, ie, signed by trusted certification authorities.

  • If you use symmetric encryption, the client must know the secret key, therefore the attacker can easily capture the key by simple eavesdropping. With some more eavesdropping, he can capture the encrypted credit card number and decrypt it right away.
  • if you use asymmetric encryption, the attacker might be able to perform a man in the middle attack that you cannot even detect (ie, the attacker replaces the public key with one of his own, you encrypt the data to him, he decrypts it, reads the data, re-encrypts it with the real public key sent by the server; with SSL and "real" certificates, the browser would be able to tell the difference between the real public key and the attacker's one)!

Please, please, please: don't try to be creative on security/cryptography unless you are a guru (in which case you would most probably be developing algorithms, and not making websites). Odds are you will build something badly broken.

The reason why SSL with "real" certificates makes this secure is because those certificates are signed by certification authorities, which will make your browser recognize them as valid. If they are not signed by a certification authority recognized by the browser, it will display a horrible screen telling the user that he is probably being attacked. It is not feasible for an attacker to generate a valid signature for a certificate for your domain.

Go buy a certificate. I've recently transferred my domain to a new registrar and they offered me an SSL certificate for $1.99 for 1 year (it is not wonderful -- the CA is not recognized by my Android Chrome; but well... $1.99...)

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

+1 to "never build your own crypto system". Especially since the only real secure way would be asymmetric crypto and implementing this in JavaScript is probably way overkill for what you are trying to do.
@Bruno - Thanks for your straightforward answers to my copious questions. I will get the SSL right-away. Thanks for all your help. +1
@Bruno - One more curious question. Do I need to encode my credit card text field while passing from one page to another after purchasing SSL ?? or SSL will take care of everything?
@hjaffer2001, no need to "encode". As I said before, any kind of non-SSL "encoding" you might create can be easily defeated. SSL alone will guarantee that only the client and the server -- no one in between -- can see or modify the data: whatever the server receives is guaranteed to have been sent by the client, and reciprocally everything the client receives is guaranteed to have been sent by the server. That said, just be careful about what you do with the data on the server! For instance, don't write the CC number on debug logs...
Also, be warned that there are other attack vectors: what if the client has some kind of malware on their computer? Are you avoiding XSS attacks? There are lots of things that SSL (ie, cryptography) won't be able to solve, and you might or might not need to consider. For instance, here in Brazil lots of banks require clients to install some Java plugins that do some kind of out-of-band communication to try to certify that the system is not compromised.
|
0

Use local storage to save the CC number so that it doesn't need to be sent to the server.

localStorage.ccnum = num;

var num = localStorage.ccnum;
Improve this answer

Comments

0

In case you are using SSL it will alweays be good. But consider that you want to make and AJAX call to your own PHP/JSP page then you can do a trick.

Trick:

Option#1: Replace all numeric characters using simple String.replaceAll method with alphabets in your algorithem. For example you replace all '1' by 'a', all '2' with 'b'. Or you can do it other way round. i.e. '1' replaced by 'z' , '2' replaced by 'y', etc.

Option#2: You can use a random character generator to get unique 10 characters. Each for a separate number. Then in your ajax call you need to pass on that random generated string of characters (which length was 10). Then your PHP or JSP page will use the same algorithm to decrypt the creditcard number.

The method 2 is more secure as it will always be random. This can be made more secure in a way that you make an ajax call first to ask your PHP/JSP page to generate the 10 alphabets (each for a number) and store that somewhere in DB or in session. Then it returns the key or index to that stored 10 alphabets and in your AJAX call you will not be passing the actual encryption algorithem string. So no one will be able to understand what is happening.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.