Tony Di Croce wrote:
> First I should say that I have NO plans to store CCN's on my site, but
> I do have a related question:
>
> Right now I accept CC info from a posted form and then from a PHP
> script submit that to authorize.net... Is there any way to get PHP to
> clean up any remnants of any
On Tue, 8 Feb 2005 09:23:46 -0800 (PST), Richard Lynch <[EMAIL PROTECTED]>
wrote:
> There's no guarantee that will re-use the same bytes for the new string in
> the low-level C malloc/alloc/???alloc calls, I don't think...
You're right. In fact this script proves just how wrong I was:
#!/usr/bin/
[EMAIL PROTECTED] wrote:
> Not the most secure way, but I had a client who was determined not to use
> PayPal and store cc's and do them offline. I am using SSL + MySQL encode to
> do this. Ie
> encode(cc_number,md5('secret'))
This is rife with potential problems...
Stored *where* off-line?
Who can
On 8 Feb 2005 Greg Donald wrote:
> It's pretty simple to scrub the data away.
>
> $cc = '1234123412341234';
>
> // do processing
>
> $cc = md5( time() );
This only works if PHP uses the same storage for both strings. If it
reallocates the storage, for example because the md5 result is longer
Greg Donald wrote:
> On Tue, 8 Feb 2005 08:37:32 -0800, Tony Di Croce <[EMAIL PROTECTED]>
> wrote:
>> So, it doesn't seem like anyone is aware of a way to make PHP paranoid
>> about such things... Perhaps there is a lower level way to get Linux
>> to scrub an address space when a process exits? I w
On Tue, 8 Feb 2005 08:37:32 -0800, Tony Di Croce <[EMAIL PROTECTED]> wrote:
> So, it doesn't seem like anyone is aware of a way to make PHP paranoid
> about such things... Perhaps there is a lower level way to get Linux
> to scrub an address space when a process exits? I will google
It's prett
I AM going to accept CC's on my site. I am NOT going to store them
anywhere... and I DO think the original question is valid. If a hacker
is able to gain root access they may be able to obtain a CCN from
memory on my server... Perhaps a hacker breaks into a number of sites
and harvests 1 or 2 numbe
On 8 Feb 2005 Jochem Maas wrote:
> don't agree - I'd rather be cautious on a hunch, especially given that I
> have no means to personally verify the risk other than in terms of total
> financial ruin if a real problem occurs even once. besides, it's a moot point
> there is no need to handle creditca
[EMAIL PROTECTED] wrote:
On 8 Feb 2005 Jochem Maas wrote:
This was aimed at me. I personally wouldn't touch a CCN with a barge pole,
I did say it was 'best' not to accept them at all, although accepting them and
immediately passing them on via an SSL link (e.g. with cURL) is probably
'good enough'
On 8 Feb 2005 Jochem Maas wrote:
> This was aimed at me. I personally wouldn't touch a CCN with a barge pole,
> I did say it was 'best' not to accept them at all, although accepting them and
> immediately passing them on via an SSL link (e.g. with cURL) is probably
> 'good enough' - at least, appa
Marek Kilimajer wrote:
Greg Donald wrote:
On Mon, 07 Feb 2005 22:25:46 -0500, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
I think this is an extraordinary (and unjustified) level of paranoia.
This was aimed at me. I personally wouldn't touch a CCN with a barge pole,
I did say it was 'best' not to
Greg Donald wrote:
On Mon, 07 Feb 2005 22:25:46 -0500, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
I think this is an extraordinary (and unjustified) level of paranoia.
cat /dev/mem | strings | egrep "^[0-9]+$"
cat: /dev/mem: Permission denied
:)
You need root access. If anyone gains root on you
Not the most secure way, but I had a client who was determined not to use
PayPal and store cc's and do them offline. I am using SSL + MySQL encode to do
this. Ie
encode(cc_number,md5('secret'))
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
On Mon, 07 Feb 2005 22:25:46 -0500, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> I think this is an extraordinary (and unjustified) level of paranoia.
cat /dev/mem | strings | egrep "^[0-9]+$"
--
Greg Donald
Zend Certified Engineer
http://destiney.com/
On 7 Feb 2005 Jochem Maas wrote:
> > IE, is there a way to get PHP to overwrite the memory
> > used by variables at the termination of a script?
>
> don't know about that but best not to accept the CCNs in the
> first place. let the user enter it at authorize.net.
I think this is an extraor
Tony Di Croce wrote:
First I should say that I have NO plans to store CCN's on my site, but
I do have a related question:
Right now I accept CC info from a posted form and then from a PHP
script submit that to authorize.net... Is there any way to get PHP to
clean up any remnants of any variables th
First I should say that I have NO plans to store CCN's on my site, but
I do have a related question:
Right now I accept CC info from a posted form and then from a PHP
script submit that to authorize.net... Is there any way to get PHP to
clean up any remnants of any variables that might be in memor
17 matches