I'm currently writing a shopping cart in PHP. I'm having no problems except when using credit card encryption.

The problem is when writing the encrypted value to the database. There are no problems 90% of the time, but sometimes there seems to be some characters that mess it up? I use the 'addSlashes' function before it is written to the database, and all this seemed to do was reduce the frequency of the errors.

Are there any other 'stripping' functions I should be using? I obviously need to be able to reverse the function when reading from the database in order to decrypt it.

mysql_escape_string() (http://www.php.net/mysql_escape_string) (if you use mysql)

The problem is when writing the encrypted value to the database....
I would seriously evaluate the need to store entire credit card numbers. If you use an online payment gateway, you should not need to store the entire numbers, only the last 4 digits.

With all the new card regulations coming down the pipe about when you can and cannot store certain information, and certification cost associated with storing the data (they are talking about third party certification of your application AND data center), not to mention liability issues, you would be better off not storing it unless ABSOLUTELY necessary.

Yeah it's very true... I think at the moment it's just illegal to store the credit card security digits? But like you say there's always new laws coming in.

Unfortunately my client at the moment is quite low volume and it's more cost-effective for them to process the transactions themselves - believe me I've tried to persuade them otherwise.

The numbers are deleted straight after they've been used, and that's declared in the Privacy Statement, so hopefully it's legal at the moment.

In reference to the problem with writing the numbers, I used a different encryption method, and for some reason it didn't generate those characters that messed up the mySQL string.

Even with encryption storing more than the last four digits of a CC is a nono.

if you are using rijndael-* algorithm, i have experienced a similar problem, it seems that a part of the ciphertext is a null terminator, which cannot be processed. the way to get around it is to convert the ciphertext to base64

Yeah that's the algorithm I was using, is that the only one you've had a problem with?

I'm using DES now and that works fine.

Is storing an encrypted cc number actually illegal then?

Wasn't DES broken? 3DES was made for a reason.

At least the site isn't live yet!

...Is storing an encrypted cc number actually illegal then?
No, the blanket statement that storing CC info is illegal is not a true statement BUT there are many regulations covering this topic. At a minimum, all card information needs to be stored in an encrypted format and (here is where it starts getting difficult) the data cannot reside in the DMZ and multiple firewalls must be used to create a DMZ meaning: Internet --> Firewall --> Web server (DMZ) --> Another firewall -- Data server. If you are using a hosting provider, certifying this requirement can be problematical.

There are regs convering encryption methods, encryption key generation and key managment (stuff like SHA-1 is legal but MD-5 is not), etc. etc. etc. Also, there are regs defining liability and fines in the event of a hack, not to mention any PR nightmare if you're a big site.

Every attempt should be made to design the application to not store CC data as there are all sorts of costs, security considerations and liability issues if you do.

Interesting. Seems like it's crazy not to just use a gateway and forget even trying to store it.

The server I have is dedicated, fully redundant and has the necessary firewall protection to store the data to seeminly be within the law, but it doesn't seem worth it.