October 6th, 2004, 8:23 AM   #1   Bigjohn
ssl to email and database

A potential customer asked me if I can do a form on his site that uses SSL to email him (the email may contain credit card information) AND at the same time write the form data (validated) to MySQL.

So, I need to do a form, validate some portions of the data, and email it using an SSL certificate? and stash the data into a database....

Any thoughts?
__________________
Proud to be a Surmunity Mod!
XEON PASS60 PASS61
Make a fundamental difference!
My Sites:
Curious about Brewing Beer? Join the community!
>>>>> Some Change is GOOD! Keep your paycheck! Support the Fair Tax
Get into an Art museum
Victorian London
It's your brain -ON WEB - mybrainhost.com (under development)
What SHOULD Government do? Much Less than it Does!
October 6th, 2004, 2:12 PM   #2   patrickb
Don't do it.

Seriously, credit card info should NEVER be transferred over email. Even if it is sent using SSL and he checks his email using SSL, his computer is subject to viruses/trojans and script kiddies. Having the email with information like this on his system isn't a good idea and is setting him up for a legal disaster.

I'd recommend analyzing what he really needs in the email. Such as a notice the form was submitted along with maybe summary information for the person that entered it such as their name, email address. But no credit card anything.

Then just drop the info in the MySQL DB, and have fun!
__________________
Patrick

Warnings: The program(s) might crash unexpectedly or behave otherwise strangely. (But of course, so do many commercial programs on Windows.) --www.gimp.org
October 6th, 2004, 2:22 PM   #3   Bigjohn
So perhaps I would:

post to the database
email a notification

then I have to write a webpage that has a secure login and reads that data?

The site will be for reserving a piece of rental equipment.

This of course makes things more difficult for me... I have to have a login page and then keep the calendar online for him (he's been taking the messages and dropping them on his Outlook calendar!)
October 6th, 2004, 7:08 PM   #4   patrickb
Yes, that is basically what you would have to do. Considering it a hassle is the wrong approach since storing CC info is a very touchy subject in the first place. I don't do projects that require storing information relating to a person's CC. It isn't that I couldn't secure it, it's just a liability I don't want.

After hearing what the reason behind this is, the first question I would ask the client is, do you really think doing this type of a thing over the web is even worth it? It may mean more money in your pocket, but honestly, I would try to talk the client out of thinking this is a good way to go. Things may work perfectly, but one little screwup anywhere in the process (on your part or his) and everything gets messy fast. I mean, imagine a keylogger on his system. These are becoming much more common from what I see in tickets lately, and once his access to the admin area of the site is compromised, it could become a serious legal matter.
October 6th, 2004, 8:29 PM   #5   Bigjohn
Ahh, only a hassle in that I've not done any work with SSL before....

I do agree that CC info is a very touchy subject... believe it or not his current host is NOT using any SSL at all!

John
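The flow discussed in posts #2 and #3 (validate the form, write it to the database, email only a notification), sketched as an added example that is not code from any poster in this thread. The field names, the `reservations` table, the admin URL and the in-memory SQLite database (a stand-in for MySQL so the script runs offline) are assumptions; card data is dropped at validation and never reaches the email.

```php
<?php
const EMAIL_FIELDS = ['name', 'email', 'equipment', 'date']; // allowlist for the notice

function field(array $in, string $key): string {
    $v = $in[$key] ?? '';
    return is_string($v) ? trim($v) : '';   // arrays from name[]=... become empty and fail validation
}

function validate_reservation(array $in): array {
    $name  = field($in, 'name');
    $equip = field($in, 'equipment');
    $day   = field($in, 'date');
    $email = filter_var(field($in, 'email'), FILTER_VALIDATE_EMAIL);
    $date  = DateTime::createFromFormat('!Y-m-d', $day);
    // Comparing the round-tripped date rejects rollovers such as 2004-02-31.
    if (!$email || !$date || $date->format('Y-m-d') !== $day
        || $name === '' || $equip === '' || preg_match('/[[:cntrl:]]/', $name . $equip)) {
        throw new InvalidArgumentException('invalid reservation');
    }
    // Only these four fields leave this function; anything else posted is discarded.
    return ['name' => $name, 'email' => $email, 'equipment' => $equip, 'date' => $day];
}

function store_reservation(PDO $db, array $r): int {
    $stmt = $db->prepare('INSERT INTO reservations (name, email, equipment, date) VALUES (?, ?, ?, ?)');
    $stmt->execute([$r['name'], $r['email'], $r['equipment'], $r['date']]);
    return (int) $db->lastInsertId();
}

function build_notice(array $r, int $id): array {
    $safe = array_intersect_key($r, array_flip(EMAIL_FIELDS)); // second filter before mailing
    $body = "New reservation #$id\n";
    foreach ($safe as $k => $v) { $body .= "$k: $v\n"; }
    $body .= "Details: https://example.com/admin/ (login required)\n"; // hypothetical URL
    return ['subject' => "Reservation #$id received", 'body' => $body];
}

// Constructed sample input; on the real site this is $_POST received over HTTPS.
$post = ['name' => 'Ann Example', 'email' => 'ann@example.com', 'equipment' => 'tiller',
         'date' => '2004-10-20', 'card_number' => '4111111111111111'];
$db = new PDO('sqlite::memory:');   // offline stand-in; use a mysql: DSN in production
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reservations (id INTEGER PRIMARY KEY, name TEXT, email TEXT, equipment TEXT, date TEXT)');
$r = validate_reservation($post);
$notice = build_notice($r, store_reservation($db, $r));
echo $notice['body'];   // mail($owner, $notice['subject'], $notice['body']) would send it
```

The printed notice lists the reservation number, name, email, equipment and date, and points the owner at the login-protected page for the rest.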