djlurch
 asked on

Encryption of Values: can you output the value to a form?

Say a credit card number is stored in a database. Using standard PHP/ASP calls, is it possible to output the original value of the credit card number to a form field? Is this a safe thing to do?

I am a member of a non-techie industry group. They store our credit card numbers in their database, and when I log on to their site to renew, the credit card number is automatically filled in a web form for renewal.

This doesn't seem safe to me.

Can someone explain if outputting the initial value of an encrypted value is possible?

Last Comment
djlurch

8/22/2022 - Mon
ozo

It is if you know the encryption key.
Apparently either their server or your browser is able to recover the initial value in order to fill in the form.
x_bakos

I would agree with ozo....

But are you sure that they use encryption anyway??? It happens that many databases store such important numbers in plain text and not in an encrypted manner. It is not safe, but it happens.

And regarding encryption, if you use (for example) the md5 hash function for the encryption, you can't have the original data in any way, except if you insert the original text again. And it is a much safer approach for storing such critical data...

I do not know whether they use encryption anyway, but even if they do use it, have a second thought about how safe you are... (You may try to ask them...)

ozo

I should have said if you know the decryption key, which is not necessarily the same as the encryption key.
I'm not sure I would call a one-way hash encryption, but I probably should have mentioned it in case you were referring to it that way.
But I don't see the point of storing a credit card with a one-way hash.
You can verify a number when they type it in again, but the credit card company would verify it anyway when you try to charge it.
djlurch

ASKER
I guess my comment originates from an assertion about lost password recovery functionality. The developer claimed that if the recover password function can email you your password in plain text, then the password is not stored securely.

Is there any way to know if the numbers are being encrypted?

I know I can ask, but I don't feel like the admin will be truthful. Their site has been hacked before and I'm fairly concerned for the OTHER members. I called and had them personally remove the number within minutes of discovering that they were storing my number.

x_bakos

> Is there any way to know if the numbers are being encrypted?

Try to hack them.... (I can't really think of another way...) :) If you manage to break them, then you have the answer... (It is not that easy though....) And I don't claim that I can do it (I don't want to be misunderstood).

As for
> if the recover password function can email you your password in plain text, then the password is not stored securely.

If I was to develop such a function, I would update your password with one that would be created in a randomized manner, and then mail it to you, asking you to change it to the one you wanted after you logged in again. Of course, I would have the p/w stored in a non-recoverable way (i.e. one-way hash function). In the way described, the p/w is much more secure than having the option to reproduce it...

Bakos
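
The reset flow described in the comment above, as an added example that is not part of the original thread: the site keeps only a salted one-way hash, so a "forgot password" request can only replace the password, never reveal it. The in-memory `USERS` table, the function names, and the choice of PBKDF2-HMAC-SHA256 with this iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

USERS = {}            # constructed in-memory stand-in for the site's user table
ITERATIONS = 600_000  # work factor chosen for this example

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow one-way function: the plaintext cannot be derived from the output.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def set_password(user: str, password: str, must_change: bool = False) -> None:
    salt = secrets.token_bytes(16)
    # Only the salt and the hash are stored; the plaintext is never written anywhere.
    USERS[user] = {"salt": salt, "hash": _hash(password, salt), "must_change": must_change}

def verify(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    # Recompute the hash from the candidate and compare in constant time.
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def reset_password(user: str) -> str:
    """Replace the stored hash with that of a random temporary password.
    The returned string is the only plaintext copy; it would go into the reset e-mail."""
    temp = secrets.token_urlsafe(12)
    set_password(user, temp, must_change=True)
    return temp

def change_password(user: str, old: str, new: str) -> bool:
    if not verify(user, old):
        return False
    set_password(user, new)  # also clears must_change
    return True

def demo() -> dict:
    set_password("alice", "original secret")
    temp = reset_password("alice")
    return {
        "old_works": verify("alice", "original secret"),  # old password is gone
        "temp_works": verify("alice", temp),
        "must_change": USERS["alice"]["must_change"],
        "changed": change_password("alice", temp, "new secret"),
        "must_change_after": USERS["alice"]["must_change"],
    }

if __name__ == "__main__":
    print(demo())
```

Nothing in this flow could pre-fill a form with the original value, which is the observable difference from a site that stores the value reversibly or in plain text.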
ASKER CERTIFIED SOLUTION
Rich Rumble

djlurch

ASKER
Thanks to everyone for the responses. I'm glad I asked before I jumped down the throat of the site admin :)
