08-30-2007, 06:21 PM
I know this may be a little vague, but I have not dealt with it before. I am trying to get a handle on encryption and security for my web pages. Eventually I will want to have a site that allows customers to use their credit cards. So I will have to encrypt every form etc. The problem is I don't have a good understanding of the practices or of using SHA1 or hashes or any of that. For example, a user fills out an email form and clicks send. I take the message part of the form and encrypt it, then it is sent to me. Where does it get un-encrypted? I mean, the web site host is going to forward that email to my inbox.
Your responses most welcome. I hope this is the correct forum, but since this is being done with PHP I figured it was. If not, then I'll apologize now.
08-30-2007, 08:44 PM
SHA1 and MD5 encryption cannot be decrypted (without a lot of resources), so they are generally used for user passwords (e.g. if an MD5ed pass in a database equals the MD5 of an entered pass, login). I don't know much about credit cards, but you will need to get an SSL (https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979) certificate for your website.
08-30-2007, 08:50 PM
As a matter of fact, that is one thing I did follow early on (the password thing). But I don't understand how I can read a customer's message to me if I have to encrypt it before sending. I never have to read the customer's password, so I don't care. But if unscrupulous hackers are just sitting around waiting to mess with someone's open text email, what can you do besides encrypt it? If it is encrypted, how do you read it?
Why are you using email?
Decent payment gateways will allow you to send your users' details through to them (XMLRPC, SOAP or similar, over SSL) and inform you of success or failure.
08-30-2007, 08:56 PM
For customer messages I don't think it would be worth encrypting, as if you can decrypt something, so can anyone else. Here's a guide (http://www.ecommerce-guide.com/article.php/10183_484911) on holding CC info.
08-31-2007, 04:08 AM
MD5 encryption cannot be decrypted (without a lot of resources)
MD5 and SHA* are just algorithms. They take an input string and pass it through some complicated math to achieve a hash. They are not encryption. They can be figured out. The more complicated the hash the harder it is to figure out. Also, combining the input with a salt will help.
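An added example (not from any poster in this thread) illustrating the last two points in PHP, since the original poster said the site is built in PHP: a digest is one-way rather than encryption, a per-user salt makes identical passwords hash differently, and password_hash()/password_verify() do the salting for you. It assumes PHP 7 or later.

```php
<?php
// Added example, not from the thread: hash vs. encryption, and what a salt buys.
// Assumes PHP >= 7.0 (random_bytes, scalar type hints, password_hash).

// Two different users who happen to pick the same password (constructed sample values).
$alice = 'hunter2';
$bob   = 'hunter2';

// 1. Plain MD5 / SHA-1 is a one-way digest, not encryption: there is no key and
//    nothing to "decrypt". The only way back is to guess inputs until one matches.
//    Identical passwords give identical digests, so one recovered entry exposes both users.
$sameUnsalted = (md5($alice) === md5($bob));        // true

// 2. Mixing a random per-user salt into the input: identical passwords now produce
//    different digests, and a precomputed table of common passwords no longer applies.
//    The salt is stored next to the digest so it can be reused on login.
function salted_sha1(string $password, string $salt): string
{
    return $salt . ':' . sha1($salt . $password);
}
$saltA = bin2hex(random_bytes(8));
$saltB = bin2hex(random_bytes(8));
$sameSalted = (salted_sha1($alice, $saltA) === salted_sha1($bob, $saltB));   // false

// 3. What to actually store today: a deliberately slow, salted password hash.
//    password_hash() generates the salt and embeds it in the returned string;
//    password_verify() reads the salt and cost back out of that string.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);   // keep this string in the database
}
function check_login(string $attempt, string $stored): bool
{
    return password_verify($attempt, $stored);
}

$stored = store_password($alice);
printf("unsalted digests equal: %s\n", $sameUnsalted ? 'yes' : 'no');
printf("salted digests equal:   %s\n", $sameSalted ? 'yes' : 'no');
printf("login with right pass:  %s\n", check_login('hunter2', $stored) ? 'ok' : 'rejected');
printf("login with wrong pass:  %s\n", check_login('wrong', $stored) ? 'ok' : 'rejected');
```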