djlurch

asked on

Encryption of Values: can you output the value to a form?

Say a credit card number stored in a database. Using standard PHP/ASP calls, is it possible to output the original value of the  credit card number to a form field? Is this a safe thing to do?

I am a member of an non-techie industry group. They store our credit card numbers in their database, and when I log on to their site to renew, the credit card number is automatically filled in a web form for renewal.

This doesn't seem safe to me.

Can someone explain if outputting the initial value of an encrypted value is possible?
ozo

It is if you know the encryption key.
Apparently either their server or your browser is able to recover the initial value in order to fill in the form.
I would agree with ozo....

But are you sure that they use encryption anyway??? It happens that many databases store such important numbers in plain text and not in an encrypted manner. It is not safe, but it happens.

And regarding encryption, if you use (for example) the md5 hash function for the encryption, you can't have the original data in any way, except if you insert the original text again. And it is a much safer approach for storing such critical data...

I do not know whether they use encryption anyway, but even if they do use it, have a second thought about how safe you are... (You may try to ask them...)

I should have said if you know the decryption key, which is not necessarily the same as the encryption key.
I'm not sure I would call a one way hash encryption, but I probably should have mentioned it in case you were referring to it that way.
But I don't see the point of storing a credit card with a one-way hash.
You can verify a number when they type it in again, but the credit card company would verify it anyway when you try to charge it.
djlurch

ASKER

I guess my comment originates from an assertion about lost password recovery functionality. The developer claimed that if the recover password function can email you your password in plain text, then the password is not stored securely.

Is there any way to know if the numbers are being encrypted?

I know I can ask, but I don't feel like the admin will be truthful. Their site has been hacked before and I'm fairly concerned for the OTHER members. I called and had them personally remove the number within minutes of discovering that they were storing my number.

> Is there any way to know if the numbers are being encrypted?

try to hack them.... (I can't really think of another way...) :) If you manage to break them, then you have the answer... (It is not that easy though....) And I don't claim that I can do it (I don't want to be misunderstood).

As for
> if the recover password function can email you your password in plain text, then the password is not stored securely.

If I was to develop such a function, I would update your password with one that would be created in a randomized manner, and then mail it to you, asking you to change it with the one you wanted after you logged in again. Of course, I would have the p/w stored in a non-recoverable way (i.e. one way hash function). In the way described, the p/w is much more secure than having the option to reproduce it...

Bakos
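Added example, not code from the thread or from any poster: a Python sketch of the two ideas raised above, one-way storage that can only be verified by re-entering the value (the md5 point) and the recovery flow that overwrites the account with a random temporary password and mails that instead of the original (Bakos' second answer). It uses a salted PBKDF2 hash rather than a bare md5, since a salted, slow hash is what a site would deploy today; the `USERS` dictionary, the username and the iteration count are constructed for the example. The same property answers the original question: once only a one-way hash is stored, the site has nothing it could pre-fill into a form.

```python
import hashlib
import hmac
import os
import secrets
import string

# Work factor for PBKDF2 (constructed for the example; raise it for production).
PBKDF2_ITERATIONS = 100_000

# Constructed in-memory "database" standing in for the site's user table.
USERS = {}


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$digest.

    Only this string is stored. PBKDF2 is one-way, so the site can check a
    password the member types in again but cannot recover the original to
    print it into a form or an e-mail.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def register(username, password):
    USERS[username] = {"password_hash": hash_password(password), "must_change": False}


def login(username, password):
    record = USERS.get(username)
    return record is not None and verify_password(password, record["password_hash"])


def recover_password(username):
    """Recovery as described in the answer above: the old password cannot be
    read back, so the account is reset to a random temporary password.

    The temporary password is returned only so the caller can e-mail it; the
    database keeps just its hash plus a flag forcing a change at next login.
    """
    alphabet = string.ascii_letters + string.digits
    temporary = "".join(secrets.choice(alphabet) for _ in range(16))
    USERS[username]["password_hash"] = hash_password(temporary)
    USERS[username]["must_change"] = True
    return temporary


def change_password(username, current, new):
    """Require the current (possibly temporary) password before accepting a new one."""
    if not login(username, current):
        return False
    USERS[username]["password_hash"] = hash_password(new)
    USERS[username]["must_change"] = False
    return True


if __name__ == "__main__":
    register("member42", "correct horse battery")          # constructed account
    print("login ok:", login("member42", "correct horse battery"))
    temp = recover_password("member42")
    print("temporary password to e-mail:", temp)
    print("stored record (no recoverable password):", USERS["member42"])
    print("login with temporary:", login("member42", temp))
```

Run it directly to see the stored record: it holds a salt, a digest and the `must_change` flag, nothing that could be mailed back or auto-filled. A "recover password" feature that mails the original in clear text, as the asker's developer pointed out, is only possible when the site keeps something it can reverse.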
ASKER CERTIFIED SOLUTION
Rich Rumble
djlurch

ASKER

Thanks to everyone for the responses. I'm glad I asked before I jumped down the throat of the site admin :)