How to use ColdFusion 8 Encrypt and Decrypt function to obfuscate sensitive data in a Form

Eric Bourland
Hi. I need a way to encrypt credit card information in a database table. Then decrypt it to display on a password protected "control panel" page that only a privileged client ever sees.

Summary: I need to encrypt CC information (CC number and expiration date) in a database table. I also need to decrypt that information to display on a web page that only the client sees. So -- I need to encrypt and decrypt CC information in a database table.

Details:
Currently, users fill out a form to register for a conference:

https://www.ascassociation.org/coding/registration/

I use ColdFusion to collect the data and place it in a table in MS SQL Server 2005. That all works fine.

SidFishes and _agx_ correctly made the observation that I am collecting credit card data and storing it in a database table unencrypted. Obviously that is a problem and I need to fix it, stat.

I've been reading up about using Encryption in ColdFusion 8 to encrypt sensitive data:

http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_e-g_01.html

(Note: I do <strong>not</strong> have the Enterprise Edition of CF 8. Only Standard Edition.)

And I set up an encryption example page here:

http://ebwebwork.com/encyption_test.cfm

It encrypts and decrypts a string.

My questions:

1. What Encoding and Algorithm should I use? The default UU encoding and the CFMX_COMPAT algorithm seem to work fine in the example page, above. Suggestions? What will make my application compliant with accepted security standards?

2. I need to encrypt five variables that go into my database:

CreditCardNumber
ExpirationDate
PrintedCardHolderName
CreditCardZIPCode
CVV

But, based on the example provided, I am not sure how to include the encrypt function in my form for these five variables. Can somebody give me a hint about how to do that?

I include, below, the Registration Form page and the Form Action page.

3. On the View Registration page, which is password protected, I need to allow the client to view the Decrypted CC information.

I include, below, the View Registration page. How can I use the ColdFusion Decrypt function to display the information that was encrypted in the Registration Form page, above?

Thanks very much for any advice!

Eric

(I've edited this code for clarity, for purposes of displaying the code here clearly so that you can see the relevant code sections.)
 
 
 
Registration Form:
 
 
 <!--- A form to populate conference registration information in table RegistrationEntries --->
 
<cfform action="coding_data_insert.cfm" enctype="multipart/form-data">
 
 
<h1>PAYMENT INFORMATION</h1> 
 
<p class="float-left"><cfinput type="Checkbox" name="AuthorizeCharge" class="border0" /> I authorize Ambulatory Surgery Foundation to charge my:</p>
 
<p class="float-left" style="margin-left:20px;">
<select name="CreditCard" class="ChicagoSelect red">
<option value="SelectCard">Select a Credit Card</option>
<option value="Visa">Visa</option>
<option value="MasterCard">MasterCard</option>
<option value="AmericanExpress">American Express</option></select></p>
 
 
<div class="clear-both"></div>
 
 
<table class="uvatable">
<tr>
	<td>Credit Card Number:</td>
	<td><cfinput TYPE="text" SIZE="30" NAME="CreditCardNumber" /></td>
	<td>Expiration Date:</td>
	<td><cfinput TYPE="text" SIZE="10" NAME="ExpirationDate" /></td>
</tr>
<tr>
	<td>Printed Cardholder Name:</td>
	<td><cfinput TYPE="text" SIZE="30" NAME="PrintedCardHolderName" /></td>
	<td>Credit Card Billing Zip Code:</td>
	<td><cfinput TYPE="text" SIZE="10" NAME="CreditCardZIPCode" /></td>
</tr>
<tr>
	<td><p>Signature (if printing and mailing):</p></td>
	<td>_______________________________________</td>
	<td>CVV#/3-digit #:</td>
	<td><cfinput TYPE="text" SIZE="10" NAME="CVV" /></td>
</tr>
</table>
 
	
<p class="align-center"><cfinput type="submit" name="submit" value="Submit Registration" /></p>
 
 </cfform>
 
 
 
 
Action page (coding_data_insert.cfm):
 
<cfif isDefined('FORM.CheckEnclosed')>
<!--- checkbox has been checked and is present in post data --->
<cfset CheckEnclosed = 1>
<cfelse>
<cfset CheckEnclosed = 0>
<!--- checkbox not checked and not present --->
</cfif>
 
 
<cfif isDefined('FORM.AuthorizeCharge')>
<!--- checkbox has been checked and is present in post data --->
<cfset AuthorizeCharge = 1>
<cfelse>
<cfset AuthorizeCharge = 0>
<!--- checkbox not checked and not present --->
</cfif>
 
 
<cfif isDefined('FORM.MultiAttendeeDiscount')>
<!--- checkbox has been checked and is present in post data --->
<cfset MultiAttendeeDiscount = 1>
<cfelse>
<cfset MultiAttendeeDiscount = 0>
<!--- checkbox not checked and not present --->
</cfif>
 
 
<cfif isDefined('FORM.ASC_Staff')>
<!--- checkbox has been checked and is present in post data --->
<cfset ASC_Staff = 1>
<cfelse>
<cfset ASC_Staff = 0>
<!--- checkbox not checked and not present --->
</cfif>
 
 
<cfif isDefined('FORM.Physician_Office_Staff')>
<!--- checkbox has been checked and is present in post data --->
<cfset Physician_Office_Staff = 1>
<cfelse>
<cfset Physician_Office_Staff = 0>
<!--- checkbox not checked and not present --->
</cfif>
 
 
<!--- Insert values into database columns --->
<cfquery datasource="ascassociation" dbname="ascassociation" name="createRegistration">
	INSERT INTO Coding2009Registration (
		FirstName,
		LastName,
        Credential,
		Title,
		Organization,
		Address1,
		Address2,
		City,
		State,
		Zip,
		Phone,
		Fax,
		Email,
		RNLicenseNumber,
		MemberRegBefore3Jan2009_525,
        MemberRegAfter3Jan2009_575,
        NonMemberRegBefore3Jan2009_600,
        NonMemberRegAfter3Jan2009_640,
        MultiAttendeeDiscount,
        NamesOtherAttendees,
		ASC_Staff,
  		Physician_Office_Staff,        
		TotalEnclosed,
		CheckEnclosed,
		CheckNumber,
		AuthorizeCharge,
		CreditCard,
		CreditCardNumber,
		ExpirationDate,
		PrintedCardHolderName,
		CreditCardZIPCode,
		CVV,
		DateCreated)
	VALUES(
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#FirstName#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#LastName#">,
   		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Credential#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Title#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Organization#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Address1#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Address2#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#City#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#State#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Zip#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Phone#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Fax#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Email#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#RNLicenseNumber#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#MemberRegBefore3Jan2009_525#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#MemberRegAfter3Jan2009_575#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#NonMemberRegBefore3Jan2009_600#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#NonMemberRegAfter3Jan2009_640#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#MultiAttendeeDiscount#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#NamesOtherAttendees#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#ASC_Staff#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#Physician_Office_Staff#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#TotalEnclosed#">,
		<cfqueryparam cfsqltype="cf_sql_bit" value="#CheckEnclosed#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CheckNumber#">,
		<cfqueryparam cfsqltype="cf_sql_bit" value="#AuthorizeCharge#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCard#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCardNumber#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#ExpirationDate#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#PrintedCardHolderName#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCardZIPCode#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CVV#">,
		<cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">);
	SELECT scope_identity() AS ident
</cfquery>
		  
<!--- pass info back to previous page --->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 
<html>
<head>
	<title>Registration Submitted</title>
</head>
 
<body onLoad="document.form.submit();">
 
 <cfoutput>
 
<form name="form" method="post" action="/coding/registration/index.cfm">
 
<!--- set value from newly created RegistrationID --->
<input type="hidden" name="RegistrationID" value="#createRegistration.ident#">
<!--- set rest of values from submitted form --->
<input type="hidden" name="FirstName" value="#FORM.FirstName#">
<input type="hidden" name="LastName" value="#FORM.LastName#">
<input type="hidden" name="Credential" value="#FORM.Credential#">
<input type="hidden" name="Title" value="#FORM.Title#">
<input type="hidden" name="Organization" value="#FORM.Organization#">
<input type="hidden" name="Address1" value="#FORM.Address1#">
<input type="hidden" name="Address2" value="#FORM.Address2#">
<input type="hidden" name="City" value="#FORM.City#">
<input type="hidden" name="State" value="#FORM.State#">
<input type="hidden" name="Zip" value="#FORM.Zip#">
<input type="hidden" name="Phone" value="#FORM.Phone#">
<input type="hidden" name="Fax" value="#FORM.Fax#">
<input type="hidden" name="Email" value="#FORM.Email#">
<input type="hidden" name="RNLicenseNumber" value="#FORM.RNLicenseNumber#">
<input type="hidden" name="MemberRegBefore3Jan2009_525" value="#FORM.MemberRegBefore3Jan2009_525#">
<input type="hidden" name="MemberRegAfter3Jan2009_575" value="#FORM.MemberRegAfter3Jan2009_575#">
<input type="hidden" name="NonMemberRegBefore3Jan2009_600" value="#FORM.NonMemberRegBefore3Jan2009_600#">
<input type="hidden" name="NonMemberRegAfter3Jan2009_640" value="#FORM.NonMemberRegAfter3Jan2009_640#">
 
<cfif isdefined("form.MultiAttendeeDiscount")>
<input type="hidden" name="MultiAttendeeDiscount" value="#FORM.MultiAttendeeDiscount#">
<cfelse>
<input type="hidden" name="MultiAttendeeDiscount" value="0">
</cfif>
 
<input type="hidden" name="NamesOtherAttendees" value="#FORM.NamesOtherAttendees#">
 
<input type="hidden" name="TotalEnclosed" value="#FORM.TotalEnclosed#">
 
 
<cfif isdefined("form.CheckEnclosed")>
<input type="hidden" name="CheckEnclosed" value="#FORM.CheckEnclosed#">
<cfelse>
<input type="hidden" name="CheckEnclosed" value="0">
</cfif>
 
 
<cfif isdefined("form.ASC_Staff")>
<input type="hidden" name="ASC_Staff" value="#FORM.ASC_Staff#">
<cfelse>
<input type="hidden" name="ASC_Staff" value="0">
</cfif>
 
 
 
<cfif isdefined("form.Physician_Office_Staff")>
<input type="hidden" name="Physician_Office_Staff" value="#FORM.Physician_Office_Staff#">
<cfelse>
<input type="hidden" name="Physician_Office_Staff" value="0">
</cfif>
 
 
<input type="hidden" name="CheckNumber" value="#FORM.CheckNumber#">
 
<cfif isdefined("form.AuthorizeCharge")>
<input type="hidden" name="AuthorizeCharge" value="#FORM.AuthorizeCharge#">
<cfelse>
<input type="hidden" name="AuthorizeCharge" value="0">
</cfif>
 
 
<input type="hidden" name="CreditCard" value="#FORM.CreditCard#">
<input type="hidden" name="CreditCardNumber" value="#FORM.CreditCardNumber#">
<input type="hidden" name="ExpirationDate" value="#FORM.ExpirationDate#">
<input type="hidden" name="PrintedCardHolderName" value="#FORM.PrintedCardHolderName#">
<input type="hidden" name="CreditCardZIPCode" value="#FORM.CreditCardZIPCode#">
<input type="hidden" name="CVV" value="#FORM.CVV#">
<input type="hidden" name="DateCreated" value="#DateFormat(now(), "mm/dd/yyyy")#">
 
</form>
 </cfoutput>
</body>
</html>
 
 
 
 
This is the password protected "control panel" page that only the privileged client sees. In this page I will need to decrypt the data that was encrypted in the 
 
Coding2009_view_registration.cfm:
 
 
<cfinclude template="/SiteHeader.cfm">
 
<p class="align-center">[ Sort By: <a href="/meetings/coding2009/Coding2009_view_registration.cfm?sort=RegistrationID">Registration ID</a> | <a href="/meetings/coding2009/Coding2009_view_registration.cfm?sort=DateCreated">Date Submitted</a> | <a href="/meetings/coding2009/Coding2009_view_registration.cfm?sort=Lastname">Last Name</a> | <a href="/meetings/coding2009/Coding2009_view_registration.cfm?sort=Organization">Organization</a> ]</p>
 
 
 <h1 class="align-center">ASC Coding 2009 Seminar</h1>
 
 
 
 <!--- Display values into database columns --->
<cfquery datasource="ascassociation" dbname="ascassociation" name="viewRegistration">
	SELECT RegistrationID,
		FirstName,
		LastName,
        Credential,
		Title,
		Organization,
		Address1,
		Address2,
		City,
		State,
		Zip,
		Phone,
		Fax,
		Email,
		RNLicenseNumber,
		MemberRegBefore3Jan2009_525,
        MemberRegAfter3Jan2009_575,
        NonMemberRegBefore3Jan2009_600,
        NonMemberRegAfter3Jan2009_640,
        MultiAttendeeDiscount,
        NamesOtherAttendees,
		ASC_Staff,
  		Physician_Office_Staff,        
		TotalEnclosed,
		CheckEnclosed,
		CheckNumber,
		AuthorizeCharge,
		CreditCard,
		CreditCardNumber,
		ExpirationDate,
		PrintedCardHolderName,
		CreditCardZIPCode,
		CVV,
		DateCreated
        		
FROM Coding2009Registration
ORDER BY RegistrationID
 
</cfquery>
 
 
<cfoutput query="viewRegistration">
 
	  <cfif CurrentRow MOD 2 IS 1>
<cfset bgcolor="##ffffff">
<cfelse>
<cfset bgcolor="##ebebeb">
</cfif>
 
<p style="background-color:#bgcolor#;padding:10px;margin:20px 0;">
 
<strong>RegistrationID:</strong> #RegistrationID# [<a href="/meetings/coding2009/delete_Coding2009.cfm?RegistrationID=#RegistrationID#" onclick="return confirm('Are you sure you want to delete this Registration Entry?')">Delete</a>]
 
<br />
<strong>First Name:</strong> #FirstName#<br />
<strong>Last Name:</strong> #LastName#<br />
<strong>Credential:</strong> #Credential#<br />
<strong>Title:</strong> #Title#<br />
<CFIF Organization IS NOT ""><strong>Organization:</strong> #Organization#<br /></CFIF>
<strong>Address Line 1:</strong> #Address1#<br />
<CFIF Address2 IS NOT ""><strong>Address Line 2:</strong> #Address2#<br /></CFIF>
<strong>City:</strong> #City#<br />
<strong>State:</strong> #State#<br />
<strong>Zip:</strong> #Zip#<br />
<strong>Phone:</strong> #Phone#<br />
<CFIF Fax IS NOT ""><strong>Fax:</strong> #Fax#<br /></CFIF>
<strong>Email:</strong> #Email#<br />
 
 
<CFIF MemberRegBefore3Jan2009_525 IS NOT ""><strong>Member Registration Before 3 January 2009:</strong> $#MemberRegBefore3Jan2009_525#<br /></CFIF>
 
<CFIF MemberRegAfter3Jan2009_575 IS NOT ""><strong>Member Registration After 3 January 2009:</strong> $#MemberRegAfter3Jan2009_575#<br /></CFIF>
 
<CFIF NonMemberRegBefore3Jan2009_600 IS NOT ""><strong>Non-Member Registration Before 3 January 2009:</strong> $#NonMemberRegBefore3Jan2009_600#<br /></CFIF>
 
<CFIF NonMemberRegAfter3Jan2009_640 IS NOT ""><strong>Non-Member Registration After 3 January 2009:</strong> $#NonMemberRegAfter3Jan2009_640#<br /></CFIF>
 
<CFIF MultiAttendeeDiscount IS NOT ""><strong>Selected Multi-Attendee Discount:</strong> #MultiAttendeeDiscount# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
 
<CFIF NamesOtherAttendees IS NOT ""><strong>Names of Other Attendees:</strong> #NamesOtherAttendees#<br /></CFIF>
 
<CFIF ASC_Staff IS NOT ""><strong>ASC Staff Attending:</strong> #ASC_Staff# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
 
 
<CFIF Physician_Office_Staff IS NOT ""><strong>Physician Office Staff Attending:</strong> #Physician_Office_Staff# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
 
 
 
 
 
<CFIF TotalEnclosed IS NOT ""><strong>Total Enclosed:</strong> $#TotalEnclosed#<br /></CFIF>
<CFIF CheckEnclosed IS NOT ""><strong>Check Enclosed:</strong> #CheckEnclosed# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
<CFIF CheckNumber IS NOT ""><strong>Check Number:</strong> #CheckNumber#<br /></CFIF>
<CFIF AuthorizeCharge IS NOT ""><strong>Authorize Charge:</strong> #AuthorizeCharge# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
<CFIF CreditCard IS NOT ""><strong>Credit Card:</strong> #CreditCard#<br /></CFIF>
<CFIF CreditCardNumber IS NOT ""><strong>Credit Card Number:</strong> #CreditCardNumber#<br /></CFIF>
<CFIF ExpirationDate IS NOT ""><strong>Expiration Date:</strong> #ExpirationDate#<br /></CFIF>
<CFIF PrintedCardHolderName IS NOT ""><strong>Printed Card Holder Name:</strong> #PrintedCardHolderName#<br /></CFIF>
<CFIF CreditCardZIPCode IS NOT ""><strong>Credit Card ZIP Code:</strong> #CreditCardZIPCode#<br /></CFIF>
<CFIF CVV IS NOT ""><strong>CVV:</strong> #CVV#<br /></CFIF>
<strong>Date Submitted:</strong> #DateCreated#
 
  </p>
</cfoutput>
  
 
 
 
<cfinclude template="/SiteFooter.cfm">


Encrypt it as:

on the action page as:

<cfset form.cc = URLEncodedFormat(Encrypt(form.CreditCardNumber, "key"))>

for better security do this again:

<cfset form.cc2 = ToBase64(form.cc)>

then store it in the database.

To decrypt you have to convert the Base64 back to the encrypted value as:

<cfset a = ToString(ToBinary(form.cc2))>

<cfset b = Decrypt(URLDecode(a), "key")>

to show up.

Let me know what you think

Author

Commented:
myselfrandhawa,

Thanks for this. I will try it out and get back to you later today.

Eric

Author

Commented:
myselfrandhawa, I did not get a chance to try this today. Busy day. I will definitely follow up with this task tomorrow. Thank you again for your help. Have a great evening.

Eric

Hi Eric,  long time..

Credit card handling convention would say that you should not decrypt the card information just to display it to the user.   You should never show the full credit card number to the screen and the only time you would need to decrypt it would be to process the transaction.

The user should see only the last four digits:   xxxx  xxxx xxxx 1234
You could also display the card type:   Visa **** 1234

I recommend adding another field to your table, you could call it:  accountDisplay  varchar(50)

The purpose of this field is to store the information about the card that could be displayed to the end user without having to decrypt it.  

So, just after the card information is entered, you grab the last four digits and store it into the accountDisplay field (with card type if you wish).   Then you display this to the user and never decrypt the card number and never display it on the screen.

Here is what I use for encryption:

Get the last four digits..
<cfset accountDisplay = right(trim(form.ccnumber),4)>

Encrypt the card number..
<cfset encryptedCreditCard = encrypt(form.ccnumber,request.encryptionKey)>

request.encryptionKey is a variable you define that holds a secret password, a complex one.
You must keep this key safe, and never lose it, because it is the only way to decrypt your card numbers.

Decrypt...

<!--- pass the stored encrypted value, not the plain form field --->
<cfset ccnumber = decrypt(encryptedCreditCard,request.encryptionKey)>


Regarding the other fields:  zipcode, name on card, expiration date.   If you want to encrypt those for added security, no problem.   You can decrypt them to show the end user.
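Putting gdemaria's pattern together as an added example for the action page (this is the editor's illustration, not code from the thread or from Eric's site). It assumes a key file D:\secure\cc_aes.key that was written once from GenerateSecretKey("AES") and is readable only by the ColdFusion service account, a CreditCardIV column beside CreditCardNumber, and the accountDisplay varchar(50) column gdemaria suggests. The card number is run through a Luhn check before anything is stored, encrypted with AES in CBC mode under a fresh random IV per record (so two registrations with the same card do not produce the same ciphertext, which plain "AES", i.e. ECB, would), and the CVV is not written to the database at all: the card brands' rules do not allow the CVV to be retained after authorization, encrypted or not. AES with the 128-bit key that GenerateSecretKey("AES") returns works on Standard Edition; no Enterprise licence is needed.

```cfml
<!--- Added example, not from the thread. Assumptions: D:\secure\cc_aes.key holds a
      Base64 key written ONCE from GenerateSecretKey("AES") and is readable only by
      the ColdFusion service account; table Coding2009Registration has a CreditCardIV
      varchar column beside CreditCardNumber and an accountDisplay varchar(50). --->

<!--- Luhn check: rejects typos and junk before anything is encrypted or stored --->
<cffunction name="luhnValid" returntype="boolean" output="false">
    <cfargument name="digits" type="string" required="true">
    <cfset var sum = 0>
    <cfset var pos = 0>
    <cfset var d = 0>
    <cfset var i = 0>
    <cfif ReFind("^[0-9]{13,19}$", arguments.digits) EQ 0>
        <cfreturn false>
    </cfif>
    <!--- walk from the rightmost digit; double every second one --->
    <cfloop index="i" from="#Len(arguments.digits)#" to="1" step="-1">
        <cfset pos = pos + 1>
        <cfset d = Val(Mid(arguments.digits, i, 1))>
        <cfif pos MOD 2 EQ 0>
            <cfset d = d * 2>
            <cfif d GT 9><cfset d = d - 9></cfif>
        </cfif>
        <cfset sum = sum + d>
    </cfloop>
    <cfreturn (sum MOD 10 EQ 0)>
</cffunction>

<!--- 1. The key lives outside the web root, never in a .cfm --->
<cffile action="read" file="D:\secure\cc_aes.key" variable="keyFromDisk">
<cfset request.encryptionKey = Trim(keyFromDisk)>

<!--- 2. Normalise the PAN (strip spaces and dashes) --->
<cfset pan = ReReplace(form.CreditCardNumber, "[^0-9]", "", "ALL")>

<cfset encryptedPAN = "">
<cfset ivBase64 = "">
<cfset accountDisplay = "">
<cfif Len(pan)>
    <cfif NOT luhnValid(pan)>
        <cfthrow type="Registration.InvalidCard" message="Card number failed validation">
    </cfif>
    <!--- 3. Fresh 16-byte IV per record (the AES block size) from SecureRandom --->
    <cfset rng = createObject("java", "java.security.SecureRandom").init()>
    <cfset iv = rng.generateSeed(javacast("int", 16))>
    <cfset encryptedPAN = Encrypt(pan, request.encryptionKey, "AES/CBC/PKCS5Padding", "Base64", iv)>
    <cfset ivBase64 = ToBase64(iv)>
    <!--- 4. What the control panel may show without any decrypt call --->
    <cfset accountDisplay = "#form.CreditCard# **** #Right(pan, 4)#">
</cfif>

<!--- 5. Store ciphertext + IV; CVV is deliberately absent from the column list --->
<cfquery datasource="ascassociation" name="createRegistration">
    INSERT INTO Coding2009Registration (
        <!--- the non-card columns (FirstName ... CheckNumber) go here unchanged --->
        CreditCard, CreditCardNumber, CreditCardIV, accountDisplay,
        ExpirationDate, PrintedCardHolderName, CreditCardZIPCode, DateCreated)
    VALUES (
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.CreditCard#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#encryptedPAN#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#ivBase64#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#accountDisplay#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.ExpirationDate#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.PrintedCardHolderName#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.CreditCardZIPCode#">,
        <cfqueryparam cfsqltype="cf_sql_timestamp" value="#Now()#">);
    SELECT scope_identity() AS ident
</cfquery>

<!--- 6. The plaintext is no longer needed on this request: blank it, and leave
      CreditCardNumber and CVV OUT of the hidden-field relay form that follows --->
<cfset pan = "">
<cfset form.CreditCardNumber = "">
<cfset form.CVV = "">
```

The relay form that posts the registration back to index.cfm should drop its CreditCardNumber and CVV hidden inputs: sending them back to the browser puts the card data on the wire a second time for no reason. ExpirationDate and the other fields can go through the same Encrypt line if the client wants them encrypted too; give each its own IV rather than reusing the one used for the card number.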


Author

Commented:
gdemaria -- this is really good advice. I'm going to talk to the client about this. I agree -- it's best to never display the card number on a screen, even if it's on a web page with password protection.

I'm working on this task later today.

I really appreciate your time.

Hope you've been well.

Author

Commented:
myselfrandhawa -- I was able to encrypt. On my action page I did:

<cfset form.CreditCardNumber = #URLEncodedFormat(Encrypt("CreditCardNumber","key"))#>

<cfset form.CreditCardNumber2 = #ToBase64(form.CreditCardNumber)#>

This causes a string of numbers that I enter in field CreditCardNumber:

347854683568568

to appear like this in the database:

0%3EIE%5E%25PZY%3C%2D1%3FW3TFVZV1JP%20%20%0A

I believe that is an encrypted string.

I have been unable to decrypt.

I put:


<cfset a = "tostring(tobinary(form.cc2))">

<cfset b = UrlDecode(Decypt(a,"key"))>

at the start of my "View Registrations" page. But I still see the encrypted string, above, rather than the decrypted string.

I have also tried:

<cfset CreditCardNumber = "tostring(tobinary(form.CreditCardNumber2))">

<cfset CreditCardNumber2 = UrlDecode(Decrypt(CreditCardNumber,"key"))>

and variations thereupon. However, no luck -- the string still appears encrypted on the page where I want the string to appear decrypted.

Where am I going wrong? Thanks again for any help.

****

gdemaria -- I've been thinking about your solution -- it makes a lot of sense. I am going to work on this after I successfully figure out how to decrypt (see above -- I want to understand what i am doing wrong, above.) I am going to open a new question, since I think this question deserves its own topic.

I have already set up a new column: accountDisplay  varchar(50) and am trying out your ideas above -- as a separate project -- which I will open as a separate question -- even though of course, when I implement your ideas, that will obviate the need to view decrypted CC numbers on the "View Registrations" page.

Thanks to myselfrandhawa and gdemaria for helping me to make my applications more secure. I really appreciate your time and ideas. Eric
Eric,  please try my example for encryption and decryption.   I am not sure why myselfrandhawa  is suggesting conversion to binary and URL format, I have never seen it done that way before.   All you need is to encrypt and decrypt as my example shows.  



<cfset request.encryptionKey = "yourSecretPassword">
 
Encrypt the card number..
 
<cfset encryptedCreditCard = encrypt(form.ccnumber,request.encryptionKey)>
 
Decrypt...
 
<!--- pass the stored encrypted value, not the plain form field --->
<cfset ccnumber = decrypt(encryptedCreditCard,request.encryptionKey)>

Author

Commented:
hmmm. OK. working on this.

Author

Commented:
gdemaria,

I got the encryption to work, and I understand what is going on. In my action page, I did:

<cfset accountDisplay = right(trim(form.CreditCardNumber),4)>
<cfset request.encryptionKey = "yourSecretPassword">

That encrypts field CreditCardNumber. Sweet!

Then, on my "View" page, I did:

<CFIF CreditCardNumber IS NOT ""><strong>Credit Card Number (Encrypted for security):</strong> #CreditCardNumber#<br /></CFIF>
<CFIF accountDisplay IS NOT ""><strong>Credit Card Number (Last Four Digits):</strong> #accountDisplay#<br /></CFIF>

And now the "View" page displays the encrypted CC number, and the last 4 digits of the unencrypted CC number. Sweet!

I am still having trouble with the Decrypt function. You said:

<cfset ccnumber = decrypt(form.ccnumber,request.encryptionKey)>

So, I added to my action page:

<cfset CreditCardNumber = decrypt(form.CreditCardNumber,request.encryptionKey)>

(My encryption key, for now, is simply: "yourSecretPassword". I will greatly complicate "yourSecretPassword" later.)

However, here is where I need more help.

In what interface will my client be able to enter her encryption key and view the unencrypted CC number? At some point, she will need to be able to view and record the unencrypted CC number, so she can enter the CC number into her VISA / Mastercard / American Express interface, and get her customers' payments processed.

I'm missing that piece.

Thanks again for your help. This application is really shaping up. I've been needing to get this done.

Peace,

Eric
Hi Eric,

> Credit Card Number (Encrypted for security):

There's no reason to show the encrypted string.  This only reduces your security.   If they have the encrypted string, all they need is your password to get the credit card number.  

It should be more than enough to show   *** *** **** 1234
(which is the last 4 digits of the number)

> I am still having trouble with the Decrypt function.

First, you need to know where you're going to use the decrypt function.   The encrypted number is saved in the database, right?   So you will decrypt it when you pull it out of the database, when you go to process the transaction.

So, when you pull the number out of the database, take the encrypted value and put it into that decrypt line to decrypt the number.  Pass the decrypted number to the credit card processor and that's it, you're done.

<cfset ccnumber = decrypt(XXXXXX, request.encryptionKey)>

So where I placed XXXXX above, is where you put the encrypted value.  Probably pulled from your database.   So it could be ..

<cfset ccnumber = decrypt(myQuery.encryptedCCnumber, request.encryptionKey)>

... assuming you have a column encryptedCCnumber in a query called MyQuery

>  In what interface will my client be able to enter her encryption key and view the unencrypted CC number?

She doesn't get the Key, that is a secret value that is stored in your system and only you know.   If she has the key, it reduces the security of your database.    

> At some point, she will need to be able to view and record the unencrypted CC number, so she can enter the CC number into her VISA / Mastercard / American Express interface, and get her customers' payments processed.

Is that the way they are doing it?   Usually, that is done by your software.   You pull the card number from the database, decrypt it, pass it to the credit card processor electronically and then charge their card.

If you don't have that ability (the credit card API) and she has to do it manually, then you need to create a screen just for her.   The screen should be protected by SSL and be password protected, of course.




Author

Commented:
OK, this is making more sense to me now. =) I am working on this. I'll get back to you with a result in a while. Thank you again.
Hey Eric!

Try This:

<form name="form1" method="post" action="">
  <table width="100%" border="0" cellspacing="2" cellpadding="1">
    <tr>
      <td width="20%">Credit Card Number:</td>
      <td width="80%"><input type="text" name="account" id="account">
      <input type="submit" name="go" id="go" value="Submit"></td>
    </tr>
   
    <tr>
      <td colspan="2">Output:</td>
    </tr>
    <cfif isDefined('form.go')>
    <tr>
      <td>Both:</td>
      <td>
        <!--- the value as typed --->
        <cfset pp = form.account>
        <cfoutput>#pp#</cfoutput><br />
        <!--- Base64 of the input (an encoding, not encryption) --->
        <cfset s = ToBase64(form.account)>
        <cfoutput>#s#</cfoutput><br />
        <!--- encrypt the Base64 string with the default CFMX_COMPAT algorithm --->
        <cfset n = Encrypt(s, "ahsdg*")>
        <cfoutput>#n#</cfoutput><br />
        Decryption:
        <!--- decrypt, then undo the Base64 to get the original back --->
        <cfset m = Decrypt(Trim(n), "ahsdg*")>
        <cfoutput>#m#</cfoutput>
        <cfset q = Trim(ToString(ToBinary(m)))>
        <cfoutput>#q#</cfoutput>
      </td>
    </tr>
    </cfif>
  </table>
</form>

Author

Commented:
myselfrandhawa,

Thank you very much. I am going to study your code and make sure I understand it. I really appreciate your and gdemaria's time. I'm working on this task now and will get back to you in a little while. Hope you are great.

Eric

Author

Commented:
gdemaria,

I have a better perspective on this problem.

* The client does, indeed, manually view and record the unencrypted credit card number from a screen. This screen is password protected, and she connects to the screen using HTTPS, with the SSL certificate issued by Trustwave.

* Thanks to your and myselfrandhawa's help I have been able to encrypt the credit card data that is stored in the database. No matter what, I think this is good. If a person breaks into the MS SQL Server and starts nosing around and finds my data table, he will find only encrypted credit card numbers.

* My next goal is to work with my client to set up -- as you describe above -- a way to pull the card number from the database, decrypt it, pass it to the credit card processor electronically and then charge the card. I will work on this later. I need to talk to the client and assess her current situation and what she is willing to do to simplify (and secure) credit card processing.

So, right now, I just need my View Registrations screen to show the decrypted credit card number. I used your suggestion:

<cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber, request.encryptionKey)>

My query is named viewRegistration. The database column that contains the encrypted credit card information is called, simply, CreditCardNumber.

But, now, ColdFusion gives an error:

Error Occurred While Processing Request
Element CREDITCARDNUMBER is undefined in VIEWREGISTRATION.
 
The error occurred in D:\websites\ascassociation.org\meetings\medicare2009\Medicare2009_view_registration.cfm: line 1

1 : <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber, request.encryptionKey)>
2 :
3 : <cfinclude template="/SiteHeader.cfm" />

So, I have to define CreditCardNumber . I am also not sure how, at this point, the encryptionKey fits in. Do I even need encryptionKey right now?

Thanks again for your help.

Eric
>  Element CREDITCARDNUMBER is undefined in VIEWREGISTRATION

This error is very simple.  It just means that CREDITCARDNUMBER  does not exist in anything called VIEWREGISTRATION.  

So, either VIEWREGISTRATION is not the name of the query

or CREDITCARDNUMBER  is not a column selected in that query.

Or perhaps you are attempting to use that variable before calling the query.

In short, that variable does not exist...

This has nothing to do with encryption, its just a variable that doesn't exist.
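The last cause gdemaria lists (using the variable before the query runs) is the one that produces exactly that message when the decrypt line sits at the top of the page, above the cfquery. As an added example (editor's code, not from the thread), here is the ordering that works, with decryption kept off the listing page altogether: the registration list shows only accountDisplay, and a separate charge page, reached from the list with a RegistrationID, runs its query first, decrypts that one row with the IV stored beside it, and drops the plaintext once it has been shown. It assumes the card number was stored as AES/CBC ciphertext in Base64 with its IV in a CreditCardIV column, gdemaria's accountDisplay column, and a key file at D:\secure\cc_aes.key; the page name charge_card.cfm is made up.

```cfml
<!--- Added example, not from the thread. Assumptions: AES/CBC ciphertext (Base64) in
      CreditCardNumber, its IV (Base64) in CreditCardIV, last four in accountDisplay,
      and the AES key in D:\secure\cc_aes.key. --->

<!--- Listing page: replaces the Credit Card Number / Expiration / CVV lines.
      There is no Decrypt call anywhere on this page. --->
<cfoutput query="viewRegistration">
  <strong>Card:</strong> #accountDisplay#
  [<a href="charge_card.cfm?RegistrationID=#RegistrationID#">Process payment</a>]<br />
</cfoutput>

<!--- charge_card.cfm: password-protected, HTTPS only, one registration at a time --->
<cfparam name="url.RegistrationID" type="integer">

<cffile action="read" file="D:\secure\cc_aes.key" variable="keyFromDisk">
<cfset request.encryptionKey = Trim(keyFromDisk)>

<!--- 1. The query must run BEFORE anything refers to it. The query variable is
      created by cfquery, so "Element X is undefined in Y" is what you get when
      the Decrypt line sits above this tag. --->
<cfquery datasource="ascassociation" name="oneRegistration">
    SELECT RegistrationID, FirstName, LastName, CreditCard, accountDisplay,
           CreditCardNumber, CreditCardIV, ExpirationDate
    FROM   Coding2009Registration
    WHERE  RegistrationID = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.RegistrationID#">
</cfquery>

<cfif oneRegistration.recordCount NEQ 1>
    <cfthrow type="Registration.NotFound" message="No registration with that ID">
</cfif>

<!--- 2. Decrypt this single row, using the IV that was stored with it --->
<cfset iv  = ToBinary(oneRegistration.CreditCardIV)>
<cfset pan = Decrypt(oneRegistration.CreditCardNumber, request.encryptionKey,
                     "AES/CBC/PKCS5Padding", "Base64", iv)>

<!--- 3. Record who looked and when (never the number itself), show it once, discard --->
<cflog file="cardaccess" type="information"
       text="RegistrationID #url.RegistrationID# card number viewed from #cgi.remote_addr#">

<cfoutput>
  <p>#oneRegistration.FirstName# #oneRegistration.LastName#: #oneRegistration.accountDisplay#</p>
  <p>Number for the terminal: #pan# &nbsp; Exp: #oneRegistration.ExpirationDate#</p>
</cfoutput>

<cfset pan = "">
```

If the client later moves to charging through a processor's API, the same page is the one place that changes: the cfoutput that prints the number becomes the call that passes it to the processor, and nothing else on the site ever sees the plaintext.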
@myselfrandhawa,

Could you please explain why you are taking the account number and converting it to base 64 before encrypting it?

The encryption can handle any string, it is not necessary to convert it to another base.   It is certainly not adding any security to it; anyone can convert a value between bases quite easily.   So I am not seeing the point of doing the extra processing and confusing the code (and coder).
@gdemaria:

Anything can be broken. I am just trying to make it a bit harder to break. If Eric really wants to store the credit card info, I am just trying to make it a bit harder to crack.

Anything else? Here I could use ColdFusion's undocumented encryption features to make it more secure, but those may or may not work in future.

I say that my idea is not perfect, but it is better to make things harder.

Regards

Author

Commented:
>>>So, either VIEWREGISTRATION is not the name of the query

or CREDITCARDNUMBER  is not a column selected in that query.

I got it. Be right back....

Author

Commented:
myselfrandhawa and gdemaria,

I really appreciate the input from both of you, and I am learning a lot from this conversation.

Eric

You are correct that this could be more secure, but if you wanted to make it more secure, then the best way would be to change the encryption algorithm, encoding and iterations as discussed here...

http://livedocs.adobe.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00000457.htm


It is said that it takes 100 computers 10 years to crack 128 bit encryption, adding a switch to base64 would take 10 years plus 2 seconds.  :)





 

Author

Commented:
It's going to be much more secure than it was before. =) If anybody gains unauthorized access to this database, they will find encrypted credit card numbers.

>>>CREDITCARDNUMBER  does not exist in anything called VIEWREGISTRATION.  

>>> So, either VIEWREGISTRATION is not the name of the query

>>> or CREDITCARDNUMBER  is not a column selected in that query.

I agree with you in theory and this makes sense. However, my query "viewRegistration" does select column CreditCardNumber. I attach below the full page that gives me the error: Element CREDITCARDNUMBER is undefined in VIEWREGISTRATION.

What am I missing? I've been staring at this for a while now.

Eric
ViewRegistration.cfm:
 
<cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber, request.encryptionKey)>
 
<cfinclude template="/SiteHeader.cfm" />
 
<p class="align-center">[ Sort By: <a href="/meetings/Medicare2009_view_registration.cfm?sort=RegistrationID">Registration ID</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=DateCreated">Date Submitted</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=Lastname">Last Name</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=Organization">Organization</a> ]</p>
 
 
 <h1 class="align-center">Medicare 2009 Webinar Registrations</h1>
 
 
 
 <!--- This query displays data from table Medicare2009Reg in database ascassociation --->
<cfquery datasource="ascassociation" dbname="ascassociation" name="viewRegistration">
	SELECT RegistrationID,
        	Greeting,
		FirstName,
		LastName,
                Credential,
		Organization,
		Address1,
		Address2,
		City,
		State,
		Zip,
		Phone,
		Fax,
		Email,
                SubtotalFinalRule,
                SubtotalConditionsCoverage,
 		TotalEnclosed,
		CheckEnclosed,
		CheckNumber,
		AuthorizeCharge,
		CreditCard,
		CreditCardNumber,
                accountDisplay,
		ExpirationDate,
		PrintedCardHolderName,
		CreditCardZIPCode,
		CVV,
		DateCreated
		
FROM Medicare2009Reg
ORDER BY RegistrationID
 
</cfquery>
 
 
<cfoutput query="viewRegistration">
 
	  <cfif CurrentRow MOD 2 IS 1>
<cfset bgcolor="##ffffff">
<cfelse>
<cfset bgcolor="##ebebeb">
</cfif>
 
<p style="background-color:#bgcolor#;padding:10px;margin:20px 0;">
 
<strong>RegistrationID:</strong> #RegistrationID# [<a href="/meetings/medicare2009/delete_Medicare2009.cfm?RegistrationID=#RegistrationID#" onclick="return confirm('Are you sure you want to delete this Registration Entry?')">Delete</a>]
 
<br />
<strong>Greeting:</strong> #Greeting#<br />
<strong>First Name:</strong> #FirstName#<br />
<strong>Last Name:</strong> #LastName#<br />
<strong>Credential:</strong> #Credential#<br />
<CFIF Organization IS NOT ""><strong>Organization:</strong> #Organization#<br /></CFIF>
<strong>Address Line 1:</strong> #Address1#<br />
<CFIF Address2 IS NOT ""><strong>Address Line 2:</strong> #Address2#<br /></CFIF>
<strong>City:</strong> #City#<br />
<strong>State:</strong> #State#<br />
<strong>Zip:</strong> #Zip#<br />
<strong>Phone:</strong> #Phone#<br />
<CFIF Fax IS NOT ""><strong>Fax:</strong> #Fax#<br /></CFIF>
<strong>Email:</strong> #Email#<br />
<CFIF SubtotalFinalRule IS NOT ""><strong>Subtotal, Final Rule Webinar:</strong> $#SubtotalFinalRule#<br /></CFIF>
<CFIF SubtotalConditionsCoverage IS NOT ""><strong>Subtotal, Conditions for Coverage Webinar:</strong> $#SubtotalConditionsCoverage#<br /></CFIF>
<CFIF TotalEnclosed IS NOT ""><strong>Total Enclosed:</strong> $#TotalEnclosed#<br /></CFIF>
<CFIF CheckEnclosed IS NOT ""><strong>Check Enclosed:</strong> #CheckEnclosed# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
<CFIF CheckNumber IS NOT ""><strong>Check Number:</strong> #CheckNumber#<br /></CFIF>
<CFIF AuthorizeCharge IS NOT ""><strong>Authorize Charge:</strong> #AuthorizeCharge# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
<CFIF CreditCard IS NOT ""><strong>Credit Card:</strong> #CreditCard#<br /></CFIF>
<CFIF CreditCardNumber IS NOT ""><strong>Credit Card Number:</strong> #CreditCardNumber#<br /></CFIF>
<CFIF ExpirationDate IS NOT ""><strong>Expiration Date:</strong> #ExpirationDate#<br /></CFIF>
<CFIF PrintedCardHolderName IS NOT ""><strong>Printed Card Holder Name:</strong> #PrintedCardHolderName#<br /></CFIF>
<CFIF CreditCardZIPCode IS NOT ""><strong>Credit Card ZIP Code:</strong> #CreditCardZIPCode#<br /></CFIF>
<CFIF CVV IS NOT ""><strong>CVV:</strong> #CVV#<br /></CFIF>
<strong>Date Submitted:</strong> #DateCreated#
 
  </p>
</cfoutput>
  
 
 
 
<cfinclude template="/SiteFooter.cfm" />


Define this:

<cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber, request.encryptionKey)>
 
underneath the cfoutput and then see what happens. I think this is what is troubling you.


Author

Commented:
myselfrandhawa I'll give it a shot right now. Thank you! Eric

Author

Commented:
I think we are making progress. I added:

<cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber, request.encryptionKey)>

after the </cfoutput>. Now I get this error:

 Element ENCRYPTIONKEY is undefined in REQUEST.
 
The error occurred in D:\websites\ascassociation.org\meetings\medicare2009\Medicare2009_view_registration.cfm: line 90

88 : </cfoutput>
89 :  
90 : <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber, request.encryptionKey)>


OK, as I was thinking might happen, since I did not define the element encryptionKey, ColdFusion objects to it. Dang.

I took away "request.encryptionKey" but that caused a syntax error.

I think I am going to need to define element encryptionKey somehow. I am thinking about a way to do that. I am obviously missing something.

Thanks again for your help!

Eric
Hey! If you are using Application.cfc:

  • You can define request.encryptionKey in the onRequestStart method.
If you are using Application.cfm, then define it as:

<cfset request.encryptionKey = "Whatever_key_you_would_like_to_put_into">

anywhere in the Application.cfm file.

This will not generate an error.

The error you were getting was because ColdFusion was unable to find your encryptionKey in the request scope.

See what happens

regards

Author

Commented:
Hi, myselfrandhawa,

Thanks for this. It's an interesting idea and I will try it. I don't use either application.cfc or application.cfm -- but I can set up a basic application.cfc file and define request.encryptionKey in the OnRequestStart method. I will try that out and get back to you. Hope your day is going well.

Eric
> I don't use either application.cfc or application.cfm

That's really curious.   You would use this file to define global variables, turn on session management and check to see if someone is logged in, define session and application variables, etc.

Does your application really not do any of this?


request.encryptionKey   is a global variable, do you have other global variables?   The most common would be a variable holding the name of your data source.   If you have that, you can add this one to the same file... whatever that is..

Author

Commented:
Hey there.

>>>Does your application really not do any of this?

Actually no, and I feel suddenly inadequate. =) So far I have not had any need for session management or to define session and application variables. I've been trying to keep my application as simple as possible. But I can see that the application.cfc will be useful to resolve the present problem with the encryption key. I'm going to work on this and get back to you in a little while.

Thanks for your help.... more in a little while.

Author

Commented:
I'll amend my last post. I do have an application.cfc. It manages user login sessions when I use the basic content management system that gdemaria helped me to build way back in 2007. This application.cfc exists in the root folder (/).
You did mention that the user will have to login to see the credit card information, that will require session management.

Also, the most common variable is the datasource global variable.   Hard coding the datasource name can be a real pain when the data source changes.

 <cfquery name="myQuery" datasource="theSQLdatabase">

should be...

 <cfquery name="myQuery" datasource="#application.datasource#">
You can add the variable in one of two ways..

onRequestStart

 <cfset request.encryptionKey = "xxxxx">


onApplicationStart

 <cfset application.encryptionKey = "xxxxx">


The application scope is a global scope available to all users' sessions.  (Create 1 instance, used by all)
The request scope is only available to each user's session (Create 1 instance for every session)

Author

Commented:
OK, in application.cfc, I added a new cfset var under the onRequestStart method:

      <!--- METHOD: onRequestStart --->
     
 <cffunction name="onRequestStart" returntype="boolean">
      <!--- Set up request variables here. --->
      <cfset var secureDirectories = "admin">
      <cfset var loginRequired = false>
      <cfset var encryptionKey = "yourSecretPassword">

However ... error persists:

 Element ENCRYPTIONKEY is undefined in REQUEST.
 
The error occurred in D:\websites\ascassociation.org\meetings\medicare2009\Medicare2009_view_registration.cfm: line 90

88 : </cfoutput>
89 :  
90 : <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber, request.encryptionKey)>

Am I using the correct syntax?

<cfset var encryptionKey = "yourSecretPassword">

I tried variations of this:

<cfset var request.encryptionKey = "yourSecretPassword">
<cfset var request.encryptionKey = yourSecretPassword>

Author

Commented:
gdemaria -- I see now. OK, working on this.

Author

Commented:
gdemaria -- that syntax worked. =) Sweet. We got rid of the problem with request.encryptionKey being undefined. But now I get a new error: Decryption has failed:


 Decryption has failed.
The length of the passed string is 0 bytes.
 
The error occurred in D:\websites\ascassociation.org\meetings\medicare2009\Medicare2009_view_registration.cfm: line 90

88 : </cfoutput>
89 :  
90 : <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber, request.encryptionKey)>

Author

Commented:
Wait, I think I see what is going on. brb
> The length of the passed string is 0 bytes.

Eric, think about what the error message says and then test to see why it's giving that error.  

A string has 0 bytes, that means the string is empty.

Which string is it?  There are two choices..

decrypt(viewRegistration.CreditCardNumber, request.encryptionKey)


This one: viewRegistration.CreditCardNumber
Or this one: request.encryptionKey


Check each variable to see if it's empty, if it is, find out why.


If you're trying to decrypt a credit card number that hasn't been entered (the database is empty for that column) it won't work, so use a CFIF statement to make sure the card number exists before calling the decrypt function. If it's empty just set creditCardNumber to empty; if it's not empty, decrypt it..

Author

Commented:
Yes! brb

Author

Commented:
In my action page I added a CFIF statement for both encryption and decryption. See below.

I also added to my "View Registration" page a CFIF statement to handle an empty string in the CreditCardNumber column.

Testing these....

OK. I think I got my CFIF syntax wrong. Here's what happens:

In the Form, when I enter in a string of numbers in the CreditCardNumber field, I get an error:
An error occurred while trying to encrypt or decrypt your input string: The input and output encodings are not same..
 
The error occurred in D:\websites\ascassociation.org\medicare2009reg\Medicare2009_data_insert.cfm: line 19

17 : <!--- check to see if variable CreditCardNumber isDefined for decrypt function  --->
18 : <cfif isDefined('FORM.CreditCardNumber')>
19 : <cfset CreditCardNumber = decrypt(form.CreditCardNumber,request.encryptionKey)>
20 : <cfelse>
21 : <cfset CreditCardNumber = 0>


BUT ... if I leave the CreditCardNumber field blank, I still get the 0 string error:

 Encryption has failed.
The length of the passed string is 0 bytes.
 
The error occurred in D:\websites\ascassociation.org\medicare2009reg\Medicare2009_data_insert.cfm: line 8

6 :
7 : <!--- encrypt variable CreditCardNumber --->
8 : <cfset CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>

I do understand why that is happening ... I did: <cfset CreditCardNumber = 0> to tell ColdFusion what to do if the user leaves the CreditCardNumber field empty. I think that is wrong ... I think 0 is not the correct operator. Am I right? I am using the wrong syntax to tell CF to leave the field empty and do NOT encrypt or decrypt.

I am reading again, in my Forta book, about IF statements and Conditional Processing to see what other operators I could use to indicate "empty".

Also I am not quite sure how to tell ColdFusion to forego encrypt and decrypt if the CreditCardNumber field is blank.

But I am making progress.
action page:
 
<!--- set accountDisplay to Trim all last four digits of CreditCardNumber --->
<cfset accountDisplay = right(trim(form.CreditCardNumber),4)>
 
<!--- set encryptionKey, will complicate this encryptionKey later, in production --->
<cfset request.encryptionKey = "yourSecretPassword">
 
<!--- encrypt variable CreditCardNumber --->
<cfset CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
 
<!--- check to see if variable CreditCardNumber isDefined for encrypt function  --->
<cfif isDefined('FORM.CreditCardNumber')>
<cfset CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
<cfset CreditCardNumber = 0>
</cfif>
 
<!--- check to see if variable CreditCardNumber isDefined for decrypt function  --->
<cfif isDefined('FORM.CreditCardNumber')>
<cfset CreditCardNumber = decrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
<cfset CreditCardNumber = 0>
</cfif>
 
 
View Registration page:
 
<!--- check to see if variable CreditCardNumber isDefined for decrypt function  --->
<cfif isDefined('FORM.CreditCardNumber')>
<cfset CreditCardNumber = decrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
<cfset CreditCardNumber = 0>
</cfif>



action page:
 
 Good - you are getting the last 4 digits...
<cfset accountDisplay = right(trim(form.CreditCardNumber),4)>
 
 This is now in your application.cfc file, there is no need to have it here as well..
<cfset request.encryptionKey = "yourSecretPassword">
 
 You are encrypting the card number BEFORE you are checking it to see if it was entered...
<cfset CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
 
 Now you are checking to see if it exists, the form variable WILL exist, form fields
 always exist, you want to check to see if it is EMPTY, not if it exists...
<cfif isDefined('FORM.CreditCardNumber')>
<cfset CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
 Do Not make it ZERO, zero is a value and will be confusing.  It needs to be EMPTY
<cfset CreditCardNumber = 0>
</cfif>
 
 This should not be in your action page, why are you decrypting it here?
 Or is this just for testing/playing? 
<cfif isDefined('FORM.CreditCardNumber')>
<cfset CreditCardNumber = decrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
<cfset CreditCardNumber = 0>
</cfif>
 
 
View Registration page:
 
 Why is the scope of this variable FORM?  Isn't it coming from the database?
 Also, same comment as above, you are testing to see if it exists, you should test
 to see if it's EMPTY
<cfif isDefined('FORM.CreditCardNumber')>
<cfset CreditCardNumber = decrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse> 
This should be EMPTY not zero
<cfset CreditCardNumber = 0>
</cfif>
 
-----------------------------------
See the revised versions below...
-----------------------------------
 
action page:
 
<cfset accountDisplay = right(trim(form.CreditCardNumber),4)>
 
<cfif len(FORM.CreditCardNumber)>
   <cfset CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
   <cfset CreditCardNumber = "">
</cfif>
Now save to the database...
 
 
 
 
View Registration page:
 
<cfif len(viewRegistration.CreditCardNumber)>
   <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>
<cfelse> 
   <cfset CreditCardNumber = "">
</cfif>


For extra whitespace removal, use the TRIM function as follows (trim the value first, then pass the trimmed value and the key to encrypt/decrypt):


-----------------------------------
See the revised versions below...
-----------------------------------
 
action page:
 
<cfset accountDisplay = right(trim(form.CreditCardNumber),4)>
 
<cfif len(FORM.CreditCardNumber)>
   <cfset CreditCardNumber = encrypt(trim(form.CreditCardNumber), request.encryptionKey)>
<cfelse>
   <cfset CreditCardNumber = "">
</cfif>
Now save to the database...
 
 
 
 
View Registration page:
 
<cfif len(viewRegistration.CreditCardNumber)>
   <cfset CreditCardNumber = decrypt(trim(viewRegistration.CreditCardNumber), request.encryptionKey)>
<cfelse> 
   <cfset CreditCardNumber = "">
</cfif>


OK, please check in your Application.cfc that you have defined the encryption key as a non-empty value.

OK, do a <cfdump var="#request#"> to actually see whether your encryption key is being passed or not.

Author

Commented:
You guys rule. I am learning a ton.

I had to step away to work on another task. I'm still at that task, but will get back to this task in a couple of hours.

Thanks again. Hope your day is going well.

Eric

Author

Commented:
gdemaria and myselfrandhawa,

Thanks for your notes. I've been working with these two files, the action page and the View Registration page. I am getting errors on both pages. I've been looking at them for a while.

I'll start with the View Registration page. That might be simplest. When I view the registrations I get this error:

Element CREDITCARDNUMBER is undefined in VIEWREGISTRATION.
 
The error occurred in D:\websites\ascassociation.org\meetings\medicare2009\Medicare2009_view_registration.cfm: line 1

1 : <cfif len(viewRegistration.CreditCardNumber)>
2 :    <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>
3 : <cfelse>


Now, I am pretty sure that element "CreditCardNumber" is included in query name "viewRegistration" in my View Registration page. See below. I'm wondering why ColdFusion still says element CreditCardNumber is undefined?
View Registration page:
 
<cfif len(viewRegistration.CreditCardNumber)>
   <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>
<cfelse> 
   <cfset CreditCardNumber = "">
</cfif>
 
<cfinclude template="/SiteHeader.cfm" />
 
<p class="align-center">[ Sort By: <a href="/meetings/Medicare2009_view_registration.cfm?sort=RegistrationID">Registration ID</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=DateCreated">Date Submitted</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=Lastname">Last Name</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=Organization">Organization</a> ]</p>
 
 
 <h1 class="align-center">Medicare 2009 Webinar Registrations</h1>
 
 <!--- This query displays data from table Medicare2009Reg in database ascassociation --->
<cfquery datasource="ascassociation" dbname="ascassociation" name="viewRegistration">
	SELECT RegistrationID,
    	Greeting,
		FirstName,
		LastName,
                Credential,
		Organization,
		Address1,
		Address2,
		City,
		State,
		Zip,
		Phone,
		Fax,
		Email,
                SubtotalFinalRule,
                SubtotalConditionsCoverage,
		TotalEnclosed,
		CheckEnclosed,
		CheckNumber,
		AuthorizeCharge,
		CreditCard,
		CreditCardNumber,
                accountDisplay,
		ExpirationDate,
		PrintedCardHolderName,
		CreditCardZIPCode,
		CVV,
		DateCreated
		
FROM Medicare2009Reg
ORDER BY RegistrationID
 
</cfquery>
 
 
<cfoutput query="viewRegistration">
<cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber, request.encryptionKey)> 
 
	  <cfif CurrentRow MOD 2 IS 1>
<cfset bgcolor="##ffffff">
<cfelse>
<cfset bgcolor="##ebebeb">
</cfif>
 
<p style="background-color:#bgcolor#;padding:10px;margin:20px 0;">
 
<strong>RegistrationID:</strong> #RegistrationID# [<a href="/meetings/medicare2009/delete_Medicare2009.cfm?RegistrationID=#RegistrationID#" onclick="return confirm('Are you sure you want to delete this Registration Entry?')">Delete</a>]
 
<br />
<strong>Greeting:</strong> #Greeting#<br />
<strong>First Name:</strong> #FirstName#<br />
<strong>Last Name:</strong> #LastName#<br />
<strong>Credential:</strong> #Credential#<br />
<CFIF Organization IS NOT ""><strong>Organization:</strong> #Organization#<br /></CFIF>
<strong>Address Line 1:</strong> #Address1#<br />
<CFIF Address2 IS NOT ""><strong>Address Line 2:</strong> #Address2#<br /></CFIF>
<strong>City:</strong> #City#<br />
<strong>State:</strong> #State#<br />
<strong>Zip:</strong> #Zip#<br />
<strong>Phone:</strong> #Phone#<br />
<CFIF Fax IS NOT ""><strong>Fax:</strong> #Fax#<br /></CFIF>
<strong>Email:</strong> #Email#<br />
<CFIF SubtotalFinalRule IS NOT ""><strong>Subtotal, Final Rule Webinar:</strong> $#SubtotalFinalRule#<br /></CFIF>
<CFIF SubtotalConditionsCoverage IS NOT ""><strong>Subtotal, Conditions for Coverage Webinar:</strong> $#SubtotalConditionsCoverage#<br /></CFIF>
<CFIF TotalEnclosed IS NOT ""><strong>Total Enclosed:</strong> $#TotalEnclosed#<br /></CFIF>
<CFIF CheckEnclosed IS NOT ""><strong>Check Enclosed:</strong> #CheckEnclosed# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
<CFIF CheckNumber IS NOT ""><strong>Check Number:</strong> #CheckNumber#<br /></CFIF>
<CFIF AuthorizeCharge IS NOT ""><strong>Authorize Charge:</strong> #AuthorizeCharge# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
<CFIF CreditCard IS NOT ""><strong>Credit Card:</strong> #CreditCard#<br /></CFIF>
<CFIF CreditCardNumber IS NOT ""><strong>Credit Card Number:</strong> #CreditCardNumber#<br /></CFIF>
<CFIF ExpirationDate IS NOT ""><strong>Expiration Date:</strong> #ExpirationDate#<br /></CFIF>
<CFIF PrintedCardHolderName IS NOT ""><strong>Printed Card Holder Name:</strong> #PrintedCardHolderName#<br /></CFIF>
<CFIF CreditCardZIPCode IS NOT ""><strong>Credit Card ZIP Code:</strong> #CreditCardZIPCode#<br /></CFIF>
<CFIF CVV IS NOT ""><strong>CVV:</strong> #CVV#<br /></CFIF>
<strong>Date Submitted:</strong> #DateCreated#
 
  </p>
</cfoutput>
  
 
 
 
 
<cfinclude template="/SiteFooter.cfm" />


Eric,

 Just walk through your code..

 Using the code block in your last post, look at line 3.   You are referring to the variable:  viewRegistration.CreditCardNumber.      But does line 1 or 2 contain a declaration of the viewRegistration query?  No... therefore the variable does not exist.

 On line 17, you create the viewRegistration query.   Anytime AFTER that you can use the variable.   The code is processed in order, it cannot look ahead to see that you are ABOUT to create the query..

 
 On line 53 you repeat the decrypt code from the top...  this is where it should be.  Within the query.
 You should delete that redundant code at the top (line 3, etc)

Author

Commented:
gdemaria,

I've made more progress. I walked through the code carefully and I understand better now. I don't create the query until line 17 -- thus I cannot use the variable CreditCardNumber until after that. Got it.

I moved this down to line 53 and took out the redundancy that I saw there:

<cfif len(viewRegistration.CreditCardNumber)>
   <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>
<cfelse>
   <cfset CreditCardNumber = "">
</cfif>

Here you are saying, if CreditCardNumber has length (exists), then decrypt it. Got it.

In my action page I was getting an error: "Variable accountDisplay undefined in FORM." So, in my action page, I did:

<cfset form.accountDisplay = right(trim(form.CreditCardNumber),4)>
 
And that fixed that problem.

I think we've almost got it. The only problem I have left is, in my View Registration page, I still see only the encrypted test credit card numbers. I don't think the decryption works. I am reviewing the discussions we have had to see if I can fix this myself.

I really appreciate your help and patience. Hope you are well.

Eric

Author

Commented:
>>>>The only problem I have left is, in my View Registration page, I still see only the encrypted test credit card numbers.

I am making progress on this. I'll show you my results tomorrow.

Friends thanks again for your help. Have a great evening.

Eric

Author

Commented:
OK, I have been looking for a while at my View Registration page. It's still showing only encrypted credit card numbers.

Just after the CFOUTPUT for my query ViewRegistration begins, I've put in the code that should decrypt:

<cfoutput query="viewRegistration">

<cfif len(viewRegistration.CreditCardNumber)>
   <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>
<cfelse>
   <cfset CreditCardNumber = "">
</cfif>

But the View Registration page displays only the encrypted credit card number. I've stared at this till my face is blue. What am I missing?

Thanks again.

Eric
View Registration page:
 
<cfinclude template="/SiteHeader.cfm" />
 
<p class="align-center">[ Sort By: <a href="/meetings/Medicare2009_view_registration.cfm?sort=RegistrationID">Registration ID</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=DateCreated">Date Submitted</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=Lastname">Last Name</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=Organization">Organization</a> ]</p>
 
 
 <h1 class="align-center">Medicare 2009 Webinar Registrations</h1>
 
 <!--- This query displays data from table Medicare2009Reg in database ascassociation --->
<cfquery datasource="ascassociation" dbname="ascassociation" name="viewRegistration">
	SELECT RegistrationID,
    	Greeting,
		FirstName,
		LastName,
        Credential,
		Organization,
		Address1,
		Address2,
		City,
		State,
		Zip,
		Phone,
		Fax,
		Email,
        SubtotalFinalRule,
        SubtotalConditionsCoverage,
		TotalEnclosed,
		CheckEnclosed,
		CheckNumber,
		AuthorizeCharge,
		CreditCard,
		CreditCardNumber,
        accountDisplay,
		ExpirationDate,
		PrintedCardHolderName,
		CreditCardZIPCode,
		CVV,
		DateCreated
		
FROM Medicare2009Reg
ORDER BY RegistrationID
 
</cfquery>
 
 
<cfoutput query="viewRegistration">
 
<cfif len(viewRegistration.CreditCardNumber)>
   <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>
<cfelse> 
   <cfset CreditCardNumber = "">
</cfif>
 
 
	  <cfif CurrentRow MOD 2 IS 1>
<cfset bgcolor="##ffffff">
<cfelse>
<cfset bgcolor="##ebebeb">
</cfif>
 
<p style="background-color:#bgcolor#;padding:10px;margin:20px 0;">
 
<strong>RegistrationID:</strong> #RegistrationID# [<a href="/meetings/medicare2009/delete_Medicare2009.cfm?RegistrationID=#RegistrationID#" onclick="return confirm('Are you sure you want to delete this Registration Entry?')">Delete</a>]
 
<br />
<strong>Greeting:</strong> #Greeting#<br />
<strong>First Name:</strong> #FirstName#<br />
<strong>Last Name:</strong> #LastName#<br />
<strong>Credential:</strong> #Credential#<br />
<CFIF Organization IS NOT ""><strong>Organization:</strong> #Organization#<br /></CFIF>
<strong>Address Line 1:</strong> #Address1#<br />
<CFIF Address2 IS NOT ""><strong>Address Line 2:</strong> #Address2#<br /></CFIF>
<strong>City:</strong> #City#<br />
<strong>State:</strong> #State#<br />
<strong>Zip:</strong> #Zip#<br />
<strong>Phone:</strong> #Phone#<br />
<CFIF Fax IS NOT ""><strong>Fax:</strong> #Fax#<br /></CFIF>
<strong>Email:</strong> #Email#<br />
<CFIF SubtotalFinalRule IS NOT ""><strong>Subtotal, Final Rule Webinar:</strong> $#SubtotalFinalRule#<br /></CFIF>
<CFIF SubtotalConditionsCoverage IS NOT ""><strong>Subtotal, Conditions for Coverage Webinar:</strong> $#SubtotalConditionsCoverage#<br /></CFIF>
<CFIF TotalEnclosed IS NOT ""><strong>Total Enclosed:</strong> $#TotalEnclosed#<br /></CFIF>
<CFIF CheckEnclosed IS NOT ""><strong>Check Enclosed:</strong> #CheckEnclosed# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
<CFIF CheckNumber IS NOT ""><strong>Check Number:</strong> #CheckNumber#<br /></CFIF>
<CFIF AuthorizeCharge IS NOT ""><strong>Authorize Charge:</strong> #AuthorizeCharge# (<em>1</em> = Yes; <em>0</em> = No)<br /></CFIF>
<CFIF CreditCard IS NOT ""><strong>Credit Card:</strong> #CreditCard#<br /></CFIF>
<CFIF CreditCardNumber IS NOT ""><strong>Credit Card Number:</strong> #CreditCardNumber#<br /></CFIF>
<CFIF ExpirationDate IS NOT ""><strong>Expiration Date:</strong> #ExpirationDate#<br /></CFIF>
<CFIF PrintedCardHolderName IS NOT ""><strong>Printed Card Holder Name:</strong> #PrintedCardHolderName#<br /></CFIF>
<CFIF CreditCardZIPCode IS NOT ""><strong>Credit Card ZIP Code:</strong> #CreditCardZIPCode#<br /></CFIF>
<CFIF CVV IS NOT ""><strong>CVV:</strong> #CVV#<br /></CFIF>
<strong>Date Submitted:</strong> #DateCreated#
 
  </p>
</cfoutput>
  
 
 
 
 
<cfinclude template="/SiteFooter.cfm" />
 
 
 
 
application.cfc:
<cfcomponent name="Application" displayname="Application Component for Login Security">
 
	<cfset this.name = "loginSecurity">
	<cfset this.applicationTimeout = CreateTimeSpan(0,0,120,0)>
	<cfset this.sessionManagement = "true">
	<cfset this.sessionTimeout = CreateTimeSpan(0,0,120,0)>
	<cfset this.clientManagement = "false">
		
	<!--- METHOD: onApplicationStart --->
	<cffunction name="onApplicationStart" returntype="boolean" output="true">
		<!--- Set up Application variables. Locking the Application scope is not necessary in this method. --->
		<cfset Application.configured = 1>
		<cfset Application.datetimeConfigured = TimeFormat(Now(), "hh:mm tt") & "  " & DateFormat(Now(), "mm.dd.yyyy")>
		<cfset Application.currentSessions = 0>
		
		
		<!--- set the datasource --->
<cfset request.datasource = "asc">
 
 
<!--- note: use request.datasource throughout applications to set the datasource --->
		
		<cfreturn true>
	</cffunction>
	<!--- END METHOD: onApplicationStart --->
 
	
	<!--- METHOD: onSessionStart --->
	 <cffunction name="onSessionStart" returntype="void">
      
      <!--- define all session variables, so they will always exist ---->
      <cfset session.user.loggedIn  = false>
	  <cfset session.user.UserID  = "">
      <cfset session.user.UserRoleID  = "">
      <cfset session.user.Username    = "">
      <cfset session.user.FirstName   = "">
      <cfset session.user.LastName    = "">
      <cfset session.user.LastLogin   = "">
      <cfset session.user.LoginMessage = "">
 
	  
 </cffunction>
 <!--- END METHOD: onSessionStart --->
      
 
	<!--- METHOD: onRequestStart --->
      
 <cffunction name="onRequestStart" returntype="boolean">
      <!--- Set up request variables here. --->
      <cfset var secureDirectories = "admin">
      <cfset var loginRequired = false>
      <cfset request.encryptionKey = "yourSecretPassword">
      
      <!--- later I will complicate yourSecretPassword --->
   
	  
      		<!--- set the datasource --->
<cfset request.datasource = "asc">
 
	  
      <!--- if user/pass is passed, then authenticate the user --->
      <cfif isDefined("FORM.Username") AND isDefined("FORM.Password") and len(form.username)>
	  
        <cfinclude template="authenticate.cfm">
		
		<!--- verify username/password, define session variables --->
        <!--- check box to remember username was checked, so make a cookie for it --->
		
        <cfif isDefined("form.SaveUsername") and form.SaveUsername is "Yes">
          <cfcookie name="SaveUsername" value="#form.Username#" expires="7">
        </cfif>
      </cfif>
      
      <!--- copy the session scope (created in session start) to the Global REQUEST scope for easy access --->
      <cflock scope="SESSION" throwontimeout="Yes" timeout="30" type="READ">
        <cfset request.user = structCopy(session.user)>
      </cflock>
      
      <cfloop index="kk" list="#secureDirectories#">
        <cfif cgi.script_name contains "/#kk#/">
          <cfset loginRequired = true>
          <cfbreak>
        </cfif>
      </cfloop>
      
      <cfif loginRequired and NOT request.user.loggedIn>
        <cfinclude template="/login.cfm">
        <cfabort>
      </cfif>      
          
      <cfreturn true>
</cffunction>
<!--- METHOD: onRequestStart --->
 
 
 
	<!--- METHOD: onSessionEnd --->
	<cffunction name="onSessionEnd" returntype="void">
		<cfargument name="SessionScope" required="true">
		<cfargument name="ApplicationScope" required="true">
		
		<cflock name="lck_currentSessions" throwontimeout="Yes" timeout="7" type="EXCLUSIVE">
			<!---
				If the user's session ID is still hanging around (the user is getting automatically logged out due to timeout)
				delete the session data from the Application scope and decrement the current sessions value.
			--->
			<cfset sessionPosition = ListFind(ArrayToList(arguments.ApplicationScope.sessionData), arguments.SessionScope.sessionid)>
			<cfif sessionPosition neq 0>
				<cfset ArrayDeleteAt(arguments.ApplicationScope.sessionData, sessionPosition)>
				<cfset arguments.ApplicationScope.currentSessions = arguments.ApplicationScope.currentSessions - 1>
			</cfif>
		</cflock>
		<!--- <cflog file="#this.name#" type="information" text="Session ended. Number of active sessions now: #arguments.ApplicationScope.currentSessions#"> --->
	</cffunction>
	<!--- END METHOD: onSessionEnd --->
	
	
	<!--- METHOD: onRequestEnd --->
	<cffunction name="onRequestEnd" returntype="void">
		<!--- Write any code that needs to run when the page request ends. --->
	</cffunction>
	<!--- END METHOD: onRequestEnd --->
	
	
</cfcomponent>



You're saying this line:

<CFIF CreditCardNumber IS NOT ""><strong>Credit Card Number:</strong> #CreditCardNumber#<br /></CFIF>

Shows encrypted card number?

Hmmm...

We have to look at the encryption part then... can you post the encryption code with the insert into the database... Don't use any of that base64 conversion stuff..

Author

Commented:
>>>>><CFIF CreditCardNumber IS NOT ""><strong>Credit Card Number:</strong> #CreditCardNumber#<br /></CFIF>

Shows encrypted card number?

Correct. Hmmm is right. OK, here's the code for the Form Page and the Action Page, appended.

(As an aside: For now I am probably going to omit the accountDisplay from the Form and Action pages. I think it will confuse the client. It will be a useful column when the client and I figure out a better plan for credit card processing.)

The Action page starts with:

<cfset form.accountDisplay = right(trim(form.CreditCardNumber),4)>
 
<cfif len(FORM.CreditCardNumber)>
   <cfset CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
   <cfset CreditCardNumber = "">
</cfif>


And, if I understand the comments above, this should properly encrypt any string entered in field CreditCardNumber.

Um, also, if you have better things to do with your Sunday, please don't bother with this today. =) I am about to run out to visit my sister and her kids, and bring home milk for my girlfriend's coffee tomorrow. =)

Peace.
The Action page:
<cfset form.accountDisplay = right(trim(form.CreditCardNumber),4)>
 
<cfif len(FORM.CreditCardNumber)>
   <cfset CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
   <cfset CreditCardNumber = "">
</cfif>
 
<cfif isDefined('FORM.CheckEnclosed')>
<!--- checkbox has been checked and is present in post data --->
<cfset CheckEnclosed = 1>
<cfelse>
<cfset CheckEnclosed = 0>
<!--- checkbox not checked and not present --->
</cfif>
 
 
<cfif isDefined('FORM.AuthorizeCharge')>
<!--- checkbox has been checked and is present in post data --->
<cfset AuthorizeCharge = 1>
<cfelse>
<cfset AuthorizeCharge = 0>
<!--- checkbox not checked and not present --->
</cfif>
 
 
<!--- Insert values into database columns --->
<cfquery datasource="ascassociation" dbname="ascassociation" name="createRegistration">
	INSERT INTO Medicare2009Reg (
    	Greeting,
		FirstName,
		LastName,
        Credential,
		Organization,
		Address1,
		Address2,
		City,
		State,
		Zip,
		Phone,
		Fax,
		Email,
        SubtotalFinalRule,
        SubtotalConditionsCoverage,
		TotalEnclosed,
		CheckEnclosed,
		CheckNumber,
		AuthorizeCharge,
		CreditCard,
		CreditCardNumber,
        accountDisplay,
		ExpirationDate,
		PrintedCardHolderName,
		CreditCardZIPCode,
		CVV,
		DateCreated)
	VALUES(
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Greeting#">,
    	<cfqueryparam cfsqltype="cf_sql_varchar" value="#FirstName#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#LastName#">,
   		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Credential#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Organization#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Address1#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Address2#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#City#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#State#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Zip#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Phone#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Fax#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Email#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#SubtotalFinalRule#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#SubtotalConditionsCoverage#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#TotalEnclosed#">,
		<cfqueryparam cfsqltype="cf_sql_bit" value="#CheckEnclosed#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CheckNumber#">,
		<cfqueryparam cfsqltype="cf_sql_bit" value="#AuthorizeCharge#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCard#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCardNumber#">,
  		<cfqueryparam cfsqltype="cf_sql_varchar" value="#accountDisplay#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#ExpirationDate#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#PrintedCardHolderName#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCardZIPCode#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CVV#">,
		<cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">);
	SELECT scope_identity() AS ident
</cfquery>
		  
<!--- pass info back to previous page --->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 
<html>
<head>
	<title>Registration Submitted</title>
</head>
 
<body onLoad="document.form.submit();">
 
 <cfoutput>
 
 
<form name="form" method="post" action="/medicare2009reg/index.cfm">
 
<!--- set value from newly created RegistrationID --->
<input type="hidden" name="RegistrationID" value="#createRegistration.ident#">
<!--- set remaining values from submitted form --->
<input type="hidden" name="Greeting" value="#FORM.Greeting#">
<input type="hidden" name="FirstName" value="#FORM.FirstName#">
<input type="hidden" name="LastName" value="#FORM.LastName#">
<input type="hidden" name="Credential" value="#FORM.Credential#">
<input type="hidden" name="Organization" value="#FORM.Organization#">
<input type="hidden" name="Address1" value="#FORM.Address1#">
<input type="hidden" name="Address2" value="#FORM.Address2#">
<input type="hidden" name="City" value="#FORM.City#">
<input type="hidden" name="State" value="#FORM.State#">
<input type="hidden" name="Zip" value="#FORM.Zip#">
<input type="hidden" name="Phone" value="#FORM.Phone#">
<input type="hidden" name="Fax" value="#FORM.Fax#">
<input type="hidden" name="Email" value="#FORM.Email#">
<input type="hidden" name="SubtotalFinalRule" value="#FORM.SubtotalFinalRule#">
<input type="hidden" name="SubtotalConditionsCoverage" value="#FORM.SubtotalConditionsCoverage#">
<input type="hidden" name="TotalEnclosed" value="#FORM.TotalEnclosed#">
 
 
<cfif isdefined("form.CheckEnclosed")>
<input type="hidden" name="CheckEnclosed" value="#FORM.CheckEnclosed#">
<cfelse>
<input type="hidden" name="CheckEnclosed" value="0">
</cfif>
 
 
<input type="hidden" name="CheckNumber" value="#FORM.CheckNumber#">
 
<cfif isdefined("form.AuthorizeCharge")>
<input type="hidden" name="AuthorizeCharge" value="#FORM.AuthorizeCharge#">
<cfelse>
<input type="hidden" name="AuthorizeCharge" value="0">
</cfif>
 
 
<input type="hidden" name="CreditCard" value="#FORM.CreditCard#">
<input type="hidden" name="CreditCardNumber" value="#FORM.CreditCardNumber#">
<input type="hidden" name="accountDisplay" value="#FORM.accountDisplay#">
<input type="hidden" name="ExpirationDate" value="#FORM.ExpirationDate#">
<input type="hidden" name="PrintedCardHolderName" value="#FORM.PrintedCardHolderName#">
<input type="hidden" name="CreditCardZIPCode" value="#FORM.CreditCardZIPCode#">
<input type="hidden" name="CVV" value="#FORM.CVV#">
<input type="hidden" name="DateCreated" value="#DateFormat(now(), "mm/dd/yyyy")#">
 
</form>
 </cfoutput>
</body>
</html>
 
 
The Form Page -- this might be unnecessary to show you, since none of the encryption happens on the Form page; it's all done in the Action page, but here it is, anyway:
 
<cfif CGI.https is "Off">
<cflocation url="https://#cgi.server_name##cgi.script_name#?#cgi.query_string#" addtoken="no" />
</cfif>
 
<cfinclude template="/coding_header.cfm" />
 
<!--- When the user submits the Form, she sees the information that she sent --->
<cfif IsDefined('RegistrationID')>
 
   <!--- Display "success" message to user --->
 
 
 <!--- begin #wide0 --->
<div id="wide0">
 
<!--- begin wide0content --->
<div class="wide0content">
 
  <h1>How Will My ASC Be Impacted by Medicare's 2009 Changes?</h1>
<!--- end wide0content --->
</div>
  
 
 
<!--- end #wide0 --->
</div>
 
 
 
<!--- begin #wide1 --->
<div id="wide1">
 
 
<!--- begin wide1content --->
<div class="wide1content">
 
<div class="align-center">
 
 
 
 
<h2>Two Special Members-Only Webinars</h2>
 
 
 
 
<h3>Featuring Kathy Bryant, ASC Association President</h3>
 
</div>
    
    
  
<p>Thank you for submitting information to register for the Ambulatory Surgery Foundation's Webinars.</p>
 
 
 
  <p>Upon receipt of registration, the Foundation will send a
confirmation via email with the toll-free dial-in number
for the audio portion of the program and a web site link
for you to access prior to the program. You will receive a separate confirmation for each webinar.  Your
registration is valid for one telephone access line.
Contact the Foundation at 703.836.5904 with any
questions. Registration fees are non-refundable.</p>
 
  <p>Here is the information you sent:</p>
  
  <!--- set default values --->
  <cfparam name="RegistrationID" default="">
  <cfparam name="Greeting" default="">
  <cfparam name="FirstName" default="">
  <cfparam name="LastName" default="">
  <cfparam name="Credential" default="">
  <cfparam name="Organization" default="">
  <cfparam name="Address1" default="">
  <cfparam name="Address2" default="">
  <cfparam name="City" default="">
  <cfparam name="State" default="">
  <cfparam name="Zip" default="">
  <cfparam name="Phone" default="">
  <cfparam name="Fax" default="">
  <cfparam name="Email" default="">
  <cfparam name="SubtotalFinalRule" default="">
  <cfparam name="SubtotalConditionsCoverage" default="">
  <cfparam name="TotalEnclosed" default="">
  <cfparam name="FORM.CheckEnclosed" default="">
  <cfparam name="CheckNumber" default="">
  <cfparam name="FORM.AuthorizeCharge" default="">
  <cfparam name="CreditCard" default="">
  <cfparam name="CreditCardNumber" default="">
  <cfparam name="accountDisplay" default="">
  <cfparam name="ExpirationDate" default="">
  <cfparam name="PrintedCardHolderName" default="">
  <cfparam name="CreditCardZIPCode" default="">
  <cfparam name="CVV" default="">
  <cfparam name="DateCreated" default="">
 
 
<cfoutput>
<p><strong>RegistrationID:</strong> #RegistrationID#</p>
<CFIF Greeting IS NOT ""><p><strong>Greeting:</strong> #Greeting#</p></CFIF>
<CFIF FirstName IS NOT ""><p><strong>First Name:</strong> #FirstName#</p></CFIF>
<CFIF LastName IS NOT ""><p><strong>Last Name:</strong> #LastName#</p></CFIF>
<CFIF Credential IS NOT ""><p><strong>Credential:</strong> #Credential#</p></CFIF>
<CFIF Organization IS NOT ""><p><strong>Facility / Company:</strong> #Organization#</p></CFIF>
<p><strong>Address Line 1:</strong> #Address1#</p>
<CFIF Address2 IS NOT ""><p><strong>Address Line 2:</strong> #Address2#</p></CFIF>
<p><strong>City:</strong> #City#</p>
<p><strong>State:</strong> #State#</p>
<p><strong>Zip:</strong> #Zip#</p>
<p><strong>Phone:</strong> #Phone#</p>
<CFIF Fax IS NOT ""><p><strong>Fax:</strong> #Fax#</p></CFIF>
<p><strong>Email:</strong> #Email#</p>
 
 
<CFIF SubtotalFinalRule IS NOT ""><p><strong>Subtotal, Final Rule Webinar:</strong> $#SubtotalFinalRule#</p></CFIF>
<CFIF SubtotalConditionsCoverage IS NOT ""><p><strong>Subtotal, Medicare ASC Conditions for Coverage Changes Webinar:</strong> $#SubtotalConditionsCoverage#</p></CFIF>
 
<CFIF TotalEnclosed IS NOT ""><p><strong>Total Enclosed:</strong> $#TotalEnclosed#</p></CFIF>
<CFIF CheckEnclosed IS NOT ""><p><strong>Check Enclosed:</strong> #FORM.CheckEnclosed# (<em>On</em> = Yes; <em>Off</em> = No)</p></CFIF>
<CFIF CheckNumber IS NOT ""><p><strong>Check Number:</strong> #CheckNumber#</p></CFIF>
<CFIF AuthorizeCharge IS NOT ""><p><strong>Authorize Charge:</strong> #FORM.AuthorizeCharge# (<em>On</em> = Yes; <em>Off</em> = No)</p></CFIF>
<CFIF CreditCard IS NOT ""><p><strong>Credit Card:</strong> #CreditCard#</p></CFIF>
<CFIF CreditCardNumber IS NOT ""><p><strong>Credit Card Number:</strong> (Obscured for security)</p></CFIF>
<!--- <CFIF accountDisplay IS NOT ""><p><strong>Credit Card Number, Last Four Digits:</strong> #FORM.accountDisplay#</p></CFIF> --->
<CFIF ExpirationDate IS NOT ""><p><strong>Expiration Date:</strong> (Obscured for security)</p></CFIF>
<CFIF PrintedCardHolderName IS NOT ""><p><strong>Printed Card Holder Name:</strong> #PrintedCardHolderName#</p></CFIF>
<CFIF CreditCardZIPCode IS NOT ""><p><strong>Credit Card ZIP Code:</strong> #CreditCardZIPCode#</p></CFIF>
<CFIF CVV IS NOT ""><p><strong>CVV:</strong> #CVV#</p></CFIF>
<p><strong>Date Submitted:</strong> #DateCreated#</p>
 
<!--- end wide1content --->
</div> 
  
</cfoutput>
  
  <!--- Otherwise, display the form to user. ---> 
<cfelse>
 
 
 <!--- This is a form to populate conference registration information in table RegistrationEntries --->
 
<cfform action="Medicare2009_data_insert.cfm" enctype="multipart/form-data">
  
 <!--- begin #wide0 --->
<div id="wide0">
 
<!--- begin wide0content --->
<div class="wide0content">
 
  <h1>How Will My ASC Be Impacted by Medicare's 2009 Changes?</h1>
<!--- end wide0content --->
</div>
  
 
 
<!--- end #wide0 --->
</div>
 
 
 
<!--- begin #wide1 --->
<div id="wide1">
 
 
<!--- begin wide1content --->
<div class="wide1content">
 
<div class="align-center">
 
 
 
 
<h2>Two Special Members-Only Webinars</h2>
 
 
 
 
<h3>Featuring Kathy Bryant, ASC Association President</h3>
 
</div>
    
    
  
    
    <div class="clear-both">
    
    <div class="meetingsboxfloat-left">
      <h2>Medicare ASC 2009 Payment Rates</h2>
      <h3>Presented Thursday, November 20</h3>
    </div>
    
    
    
    
    <div class="meetingsboxfloat-right">
      <h2>Medicare ASC Conditions for Coverage Changes</h2>
      <h3>Presented Monday, November 24</h3>
    </div>
    
           
    </div>
    
<div class="clear-both"></div>
 
    
    <div class="align-center clear-both" style="margin-top:20px;">
 
 
<p>Archive versions are available for a limited time. Submit this form to purchase.</p>
  
 
 
<h3><em>Who should participate?</em></h3>
 
 
<p>All ASC Professionals are invited including Administrators, Directors of Nursing, Medical Directors, Owners, Physicians,
Business Office Managers, Materials Managers, Coders, Billers and Consultants</p>
 
 
</div>
 
 
 <div class="clear-both"></div>
 
  
<h1>REGISTRATION INFORMATION</h1>
 
 
<p><em>Please use the Tab key to move through the fields as you enter your registration.  Hitting Enter may prematurely submit your registration.</em></p>
 
	<table class="uvatable float-left" width="350">
    <tr><td class="uvatable-left"><strong>Greeting:</strong></td>		<td class="uvatable-right"><cfinput TYPE="text" SIZE="30" NAME="Greeting" /></td></tr>
    
	<tr><td class="uvatable-left"><strong>First Name:</strong></td>		<td class="uvatable-right"><cfinput TYPE="text" SIZE="30" NAME="FirstName" /></td></tr>
	<tr><td class="uvatable-left"><strong>Last Name:</strong></td>		<td class="uvatable-right"><cfinput TYPE="text" SIZE="30" NAME="LastName" /></td></tr>
    	<tr><td class="uvatable-left"><strong>Credential:</strong></td>		<td class="uvatable-right"><cfinput TYPE="text" SIZE="30" NAME="credential" /></td></tr>
	<tr><td class="uvatable-left"><strong>Organization:</strong></td> 	<td class="uvatable-right"><cfinput TYPE="text" SIZE="30" NAME="Organization" /></td></tr>
	<tr><td class="uvatable-left"><strong>Address Line 1:</strong></td> 		<td class="uvatable-right"><cfinput TYPE="text" SIZE="30" NAME="Address1" /></td></tr>
		<tr><td class="uvatable-left"><strong>Address Line 2:</strong></td> 		<td class="uvatable-right"><cfinput TYPE="text" SIZE="30" NAME="Address2" /></td></tr>
        </table>
        
        
       	<table class="uvatable float-right" width="350"> 
	<tr><td class="uvatable-left"><strong>City:</strong></td> 		<td class="uvatable-left"><cfinput TYPE="text" SIZE="30" NAME="City" /></td></tr>
	<tr><td class="uvatable-left"><strong>State:</strong></td> 		<td class="uvatable-left"><cfinput TYPE="text" SIZE="5" NAME="State" /></td></tr>	
	<tr><td class="uvatable-left"><strong>ZIP:</strong></td> 		<td class="uvatable-left"><cfinput TYPE="text" SIZE="5" NAME="Zip" /></td></tr>
	<tr><td class="uvatable-left"><strong>Phone:</strong></td>		<td class="uvatable-left"><cfinput TYPE="text" SIZE="20" NAME="Phone" /></td></tr>
	<tr><td class="uvatable-left"><strong>Fax:</strong></td>		<td class="uvatable-left"><cfinput TYPE="text" SIZE="20" NAME="Fax" /></td></tr>
	<tr><td class="uvatable-left"><strong>Email:</strong></td>		<td class="uvatable-left"><cfinput TYPE="text" SIZE="30" NAME="Email" /></td></tr>
 
 
	</table>
	
    
    <hr />
    
    <div class="clear-both"></div>
    
<h1>REGISTRATION FEES</h1>
 
  <h2>ASC Association Members only $35.00 for each Webinar.</h2>
 
 
 
 <p>Not yet a member? For information about ASC Membership please see <a href="http://ascassociation.org/join/">http://ascassociation.org/join/</a> or call 703-836-8808.</p>
 
 
 
  	<table class="uvatable" width="350"> 
	<tr><td class="uvatable-left"><strong>Final Rule on Medicare Payment Rates Webinar, Subtotal:</strong></td> 		<td class="uvatable-left"><cfinput TYPE="text" SIZE="15" NAME="SubtotalFinalRule" /></td></tr>
	<tr><td class="uvatable-left"><strong>Medicare ASC Conditions for Coverage Changes Webinar, Subtotal:</strong></td> 		<td class="uvatable-left"><cfinput TYPE="text" SIZE="15" NAME="SubtotalConditionsCoverage" /></td></tr>	
	<tr><td class="uvatable-left"><strong>Total (add two values, above):</strong></td> 		<td class="uvatable-left"><cfinput TYPE="text" SIZE="15" NAME="TotalEnclosed" /></td></tr>
    </table>
 
 
 
 
 
    <hr />
 
 <h1>PAYMENT INFORMATION</h1>
 
<p>To remit payment, you may print this form and mail it to Ambulatory Surgery Foundation with a check (see information below). Or, submit your credit card information, below. Credit card information is submitted through a secure connection, certified by SecureTrust.</p>
 
<p class="float-left"><cfinput type="Checkbox" name="CheckEnclosed"  class="border0" /> Enclosed is a check, payable to Ambulatory Surgery Foundation.</p> 
 
<p class="float-left" style="margin-left:20px">Check # <cfinput TYPE="text" SIZE="15" NAME="CheckNumber" /></p>
 
<div class="clear-both"></div>
 
<p class="float-left"><cfinput type="Checkbox" name="AuthorizeCharge" class="border0" /> I authorize Ambulatory Surgery Foundation to charge my:</p>
 
<p class="float-left" style="margin-left:20px">
<select name="CreditCard" class="ChicagoSelect red">
<option value="SelectCard">Select a Credit Card</option>
<option value="Visa">Visa</option>
<option value="MasterCard">MasterCard</option>
<option value="AmericanExpress">American Express</option></select></p>
 
 
<div class="clear-both"></div>
 
 
<table class="uvatable">
<tr>
	<td>Credit Card Number:</td>
	<td><cfinput TYPE="text" SIZE="30" NAME="CreditCardNumber" /></td>
	<td>Expiration Date:</td>
	<td><cfinput TYPE="text" SIZE="15" NAME="ExpirationDate" /></td>
</tr>
<tr>
	<td>Printed Cardholder Name:</td>
	<td><cfinput TYPE="text" SIZE="30" NAME="PrintedCardHolderName" /></td>
	<td>Credit Card ZIP Code:</td>
	<td><cfinput TYPE="text" SIZE="15" NAME="CreditCardZIPCode" /></td>
</tr>
<tr>
	<td>Signature (if printing and mailing):</td>
	<td>__________________________</td>
	<td>CVV#/3-digit #:</td>
	<td><cfinput TYPE="text" SIZE="15" NAME="CVV" /></td>
</tr>
</table>
 
 
    <hr />
 
<h1>OTHER WAYS TO REGISTER</h1>
 
 
<h2>PRINT <a href="/medicare2009reg/Medicare2009_registration_form.pdf">THIS FORM</a> AND MAIL OR FAX AS FOLLOWS:</h2>
 
 
 
<p><strong>Mail:</strong> Make checks payable to Ambulatory Surgery Foundation and mail to:
Ambulatory Surgery Foundation, 1012 Cameron St, Alexandria, VA 22314</p>
 
<p><strong>Fax:</strong> Fax registration form with credit card information to 703.836.2090</p>
 
<p><strong>Call:</strong> Call 703.836.5904 to register by phone</p>
 
 
 
<p>Fax <a href="/medicare2009reg/Medicare2009_registration_form.pdf">registration form</a> with credit card information to 703.836.2090.</p>
 
 
<p><strong>Or:</strong> Call 703.836.5904 to register by phone</p>
 
<p><strong>Or:</strong> Print and fax this <a href="/medicare2009reg/Medicare2009_registration_form.pdf">registration form</a> with credit card information to 703.836.2090.</p>
 
 <p>Upon receipt of registration, the Ambulatory Surgery Foundation will send a confirmation via email with the toll-free dial-in number for the audio portion of the program and a web site link for you to access prior to the program. You will receive a separate confirmation for each webinar. Your registration is valid for one telephone access line. Contact the Foundation at 703.836.5904 with any questions.</p>
 
	
<p class="align-center"><cfinput type="submit" name="submit" value="Submit Registration" /></p>
 
 
 
 <div class="padding10">
  <h1>CONTINUING EDUCATION INFORMATION</h1>
  <p><strong>AEUs</strong><br />
    Each program is approved for 1.5 hours of AEU credit by BASC Provider #3272.</p>
  <p><strong>CEUs for Nurses</strong><br />
    Provider approved by the California Board of Registered Nursing, Provider #6949 for 1.5 contact hours.</p>
 
  <p>This information will be used only in conjunction with Ambulatory Surgery Foundation and ASC Association business. We will not share your information with any other organizations.</p>
  <hr />
   
  <p class="float-left-img"><script type='text/javascript' src='https://sealserver.trustwave.com/seal.js?style=normal'></script>
  </p>
  <p>Transactions on this web page are secured by Trustwave. Click the Trustwave logo to the left to verify the security of this page.</p>
 </div>
 
 
 
</cfform>
 
<!--- close CFIF --->
</cfif> 
 
 
 
 
 
 
 
 <!--- end wide1content --->
</div> 
 
 <!--- end #wide1 --->
</div>
 
 
 
<cfinclude template="/coding_footer.cfm" />


Hmmm, this is curious.   Can you query the database and see what the credit card number looks like stored in there?   I want to know if it's encrypted or not.

The only thing that MAY be an issue is this...

<cfif len(FORM.CreditCardNumber)>
   <cfset CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
   <cfset CreditCardNumber = "">
</cfif>

You are storing the value in "CreditCardNumber" with NO scope (meaning the variable scope), and you also have the same variable in the form scope, "form.CreditCardNumber".

This could be a cause for some confusion. The same variable name in two different scopes: which one is used when you just say #CreditCardNumber#?

To make this clear, I would change this variable to a different name..

 <cfset CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>

to...

 <cfset encryptedCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>


That way the processor won't have to pick which one you mean if you're not scoping the variable.

Be sure to change EACH place you use it to the new name...




 
<cfif len(FORM.CreditCardNumber)>
   <cfset encryptedCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
   <cfset encryptedCardNumber = "">
</cfif>
 
 
 
 
....
VALUES(
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Greeting#">,
    	<cfqueryparam cfsqltype="cf_sql_varchar" value="#FirstName#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#LastName#">,
   		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Credential#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Organization#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Address1#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Address2#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#City#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#State#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Zip#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Phone#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Fax#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Email#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#SubtotalFinalRule#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#SubtotalConditionsCoverage#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#TotalEnclosed#">,
		<cfqueryparam cfsqltype="cf_sql_bit" value="#CheckEnclosed#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CheckNumber#">,
		<cfqueryparam cfsqltype="cf_sql_bit" value="#AuthorizeCharge#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCard#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#encryptedCardNumber#">,
  		<cfqueryparam cfsqltype="cf_sql_varchar" value="#accountDisplay#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#ExpirationDate#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#PrintedCardHolderName#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCardZIPCode#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CVV#">,
		<cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">);
	SELECT scope_identity() AS ident


alternatively, you can add the FORM scope to the variable so you're not using the variable scope and the form scope, but only the FORM scope every time...

It's not good to be mixing scopes like that so much...  You're going to get really confused.

FORM.CreditCardNumber   is NOT the same  variable  as   CreditCardNumber

But it CAN be sometimes ...


 confused ?  :)
<cfif len(FORM.CreditCardNumber)>
   <cfset FORM.CreditCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
   <cfset FORM.CreditCardNumber = "">
</cfif>
 
 
 
 
....
VALUES(
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Greeting#">,
    	<cfqueryparam cfsqltype="cf_sql_varchar" value="#FirstName#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#LastName#">,
   		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Credential#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Organization#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Address1#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Address2#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#City#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#State#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Zip#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Phone#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Fax#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Email#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#SubtotalFinalRule#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#SubtotalConditionsCoverage#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#TotalEnclosed#">,
		<cfqueryparam cfsqltype="cf_sql_bit" value="#CheckEnclosed#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CheckNumber#">,
		<cfqueryparam cfsqltype="cf_sql_bit" value="#AuthorizeCharge#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCard#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.CreditCardNumber#">,
  		<cfqueryparam cfsqltype="cf_sql_varchar" value="#accountDisplay#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#ExpirationDate#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#PrintedCardHolderName#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCardZIPCode#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CVV#">,
		<cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">);
	SELECT scope_identity() AS ident

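An added example, not code from this thread, that walks the scope point above through one field: it encrypts form.CreditCardNumber into a separately named variable, shows which copy an unscoped CreditCardNumber actually resolves to, and decrypts on the display side. It assumes request.encryptionKey is set in Application.cfc as posted earlier; the card number is a constructed test value, not a real card.

```cfml
<!--- ADDED EXAMPLE (not from the thread). request.encryptionKey is normally set in
      Application.cfc's onRequestStart, as in the posted code; defaulted here only so the page runs alone. --->
<cfparam name="request.encryptionKey" default="yourSecretPassword">

<!--- Constructed stand-in for the submitted form field (a well-known test number, not a real card) --->
<cfparam name="form.CreditCardNumber" default="4111111111111111">

<!--- 1. Action page: encrypt the FORM value into a differently named, explicitly scoped variable.
      The default algorithm and encoding (CFMX_COMPAT / UU) are used on both sides, as in the thread. --->
<cfif len(trim(form.CreditCardNumber))>
    <cfset variables.encryptedCardNumber = encrypt(trim(form.CreditCardNumber), request.encryptionKey)>
<cfelse>
    <cfset variables.encryptedCardNumber = "">
</cfif>
<!--- Only the last four digits are kept in the clear, as the posted accountDisplay column does --->
<cfset variables.accountDisplay = right(trim(form.CreditCardNumber), 4)>

<!--- 2. Why the unscoped name was confusing: ColdFusion searches the VARIABLES scope before FORM,
      so once the action page sets an unscoped CreditCardNumber, #CreditCardNumber# no longer means
      the submitted value. Reproduced here deliberately. --->
<cfset variables.CreditCardNumber = variables.encryptedCardNumber>
<cfoutput>
  <p>Unscoped <code>CreditCardNumber</code> resolves to the VARIABLES copy (ciphertext): #htmlEditFormat(CreditCardNumber)#</p>
  <p>Same string as form.CreditCardNumber? #yesNoFormat(CreditCardNumber eq form.CreditCardNumber)#</p>
</cfoutput>

<!--- 3. Control-panel side: decrypt with the same key. This is the only page that should see the clear
      value; the result is checked against the submitted number and only the last four digits are echoed. --->
<cfset variables.decryptedCardNumber = decrypt(variables.encryptedCardNumber, request.encryptionKey)>
<cfoutput>
  <p>Round trip matches the submitted number: #yesNoFormat(variables.decryptedCardNumber eq trim(form.CreditCardNumber))#</p>
  <p>Card ending in #variables.accountDisplay#</p>
</cfoutput>
```

Run as a single .cfm page: the first YES/NO line comes out NO (the unscoped name is the ciphertext) and the second comes out YES.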

Author

Commented:
I think I get it. I am making ColdFusion choose which scope I mean, and it's not choosing the right scope.

I will add a column to my database: encryptedCardNumber

and I will modify my code as you suggest in your first suggestion above.

I can look directly into the SQL server database. Yes, the string that I enter in the CreditCardNumber field is indeed encrypted, right there in the database.

I'll work on this and get back to you ASAP. Your suggestions make sense. I look forward to understanding what's going on.

Thanks again for your help. Hope your evening is going well.

eric
> I will add a column to my database: encryptedCardNumber

No!   Just change the variable name, not the database... There is no need to change the database..


> I can look directly into the SQL server database. Yes, the string that I enter in the CreditCardNumber field is indeed encrypted,


Ok, I guess the issue is in the decryption.

However, I have a feeling that maybe you have accidentally encrypted the number more than once...

Is there any time that the credit card number is returned to the form (perhaps as a hidden field) and then submitted again, so it is getting encrypted, stored to the form and submitted to be encrypted again??



> I am making ColdFusion choose which scope I mean, and it's not choosing the right scope.

Right,  the variable name, not the column name in the database.

However, if you see that the number is encrypted in the database, then this page is working.
So you really don't have to do anything with my suggestion of changing the variable name, up to you.


Look for any place you are writing the encrypted card number to a form field...
There is really no reason to ever do this.

The only place the credit card should be written to a page is for display by the person processing the credit card.  Every other place, the card number should not be written to the page and it should never be placed into a form field (not counting when it was entered of course)


Let me know if you find any examples of these...


Author

Commented:
> I will add a column to my database: encryptedCardNumber

No!   Just change the variable name, not the database... There is no need to change the database..

OK, hang on. Won't I need a column in my database called encryptedCardNumber, if I have a variable named encryptedCardNumber?

>>>Is there any time that the credit card number is returned to the form (perhaps as a hidden field) and then submitted again, so it is getting encrypted, stored to the form and submitted to be encrypted again??

I understand what you are saying -- does the string get encrypted twice? I just reviewed all of my code -- I don't see any place where the encryption would happen twice.

Author

Commented:
>>>>However, if you see that the number is encrypted in the database, then this page is working.
So you really don't have to do anything with my suggestion of changing the variable name, up to you.

The number is definitely encrypted. I entered a string of numbers -- positive integers -- and they are stored in the database thusly:

-49KGU<L)P\KWH GU^0  


which looks pretty encrypted to me. (This is dummy data of course. No real credit cards are involved in this testing.)

So, you are saying:

1. do not edit the column names in the database; leave the database completely alone

2. the form page and the action page work successfully to place an encrypted string in the column CreditCardNumber in the database

3. this means that, in fact, I do not have to change in my code the name of the variable CreditCardNumber .... ? correct?

4. there's something else going on that prevents the DECRYPT function.

I am looking very closely at my code again.
>  OK, hang on. Won't I need a column in my database called encryptedCardNumber, if I have a variable named encryptedCardNumber?

No, you don't.   It is a good practice to name your variable the same as your column, you're right.  But it's not required.  

I don't mean to be sending you down a long path here.   If you add another column, then you will have two:  encryptedCardNumber  and  creditCardNumber.   You only need one column.  

The thing is that you have a variable for the card number BEFORE encryption and a variable for the card number AFTER encryption.   They can be the same variable or different.

But you were using the same NAME for the variable in two different scopes FORM scope and VARIABLE scope.  That is really confusing.  So, that is what I was trying to fix.    

To fix it, take the form variable, encrypt it, and put it into another variable.   Then save that other variable.


TAKE :  form.CreditCardNumber  and encrypt it.
 
Save the encrypted number to "encryptedCardNumber"
 
<cfif len(FORM.CreditCardNumber)>
   <cfset encryptedCardNumber = encrypt(form.CreditCardNumber,request.encryptionKey)>
<cfelse>
   <cfset encryptedCardNumber = "">
</cfif>
 
 
Insert "encryptedCardNumber" into the database table...  Into the field creditCardNumber...
 
Or if you want to change the name of this field, but don't add a new field...
 
 
 
....
VALUES(
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Greeting#">,
    	<cfqueryparam cfsqltype="cf_sql_varchar" value="#FirstName#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#LastName#">,
   		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Credential#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Organization#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Address1#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Address2#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#City#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#State#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Zip#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Phone#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Fax#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#Email#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#SubtotalFinalRule#">,
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#SubtotalConditionsCoverage#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#TotalEnclosed#">,
		<cfqueryparam cfsqltype="cf_sql_bit" value="#CheckEnclosed#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CheckNumber#">,
		<cfqueryparam cfsqltype="cf_sql_bit" value="#AuthorizeCharge#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCard#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#encryptedCardNumber#">,
  		<cfqueryparam cfsqltype="cf_sql_varchar" value="#accountDisplay#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#ExpirationDate#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#PrintedCardHolderName#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CreditCardZIPCode#">,
		<cfqueryparam cfsqltype="cf_sql_varchar" value="#CVV#">,
		<cfqueryparam cfsqltype="cf_sql_timestamp" value="#now()#">);
	SELECT scope_identity() AS ident


> The number is definitely encrypted. I entered a string of numbers -- positive integers -- and they are stored in the database thusly:

>  -49KGU<L)P\KWH GU^0  



Good !!

Now, run your pages a few times and watch this number... does it ever change?   It should not change.

If it does change, we need to see where..

Author

Commented:
I believe the number string gets encrypted only one time.

In the form I enter, in field creditCardNumber, the string: 1234567890

In the MS SQL Server 2005 database, in column creditCardNumber, the string looks like: *%Y[LTL8,P<3VHP  

In the View Registration page the string looks like: *%Y[LTL8,P<3VHP

So, the View Registration page reports faithfully the contents of the column creditCardNumber.

I enter string 1234567890 repeatedly and each time it is encrypted as: *%Y[LTL8,P<3VHP

*%Y[LTL8,P<3VHP appears in both database column and ViewRegistration page.

>>>>To fix it, take the form variable, encrypt it, and put it into another variable.   Then save that other variable.

I believe I understand this. I am going to work on this and get back to you shortly.

EB
A small snippet. Do make sure that, from time to time, you use the cfdump tag to check what you are passing; this tag will help you a lot in digging up your problem.

You can use cfdump with variables, request, form, url, session, application, structs, cookies and all other scopes. They are very handy and help you identify the issue.

Regards

Glad You are near the Solution to your Problem
Ok, so that's good, let's examine the registration page.

Here's a snippet from the Coldfusion documentation.  You have a potential problem because you are using the same variable name both WITH and WITHOUT a scope.  

If you do not specify the scope of the variable, according to the docs, CF will search for it in the following order (this is called the order of precedence):

    * Local variables
    * cfquery
    * CGI
    * File
    * URL
    * Form
    * Cookie
    * Client


Let's play with these lines of code and do as MySelfRandHawa suggests and dump out the value at various spots to see what's happening..

I've also displayed the encryptionKey, if that value does not match the encryptionKey when you encrypted it, there will be a problem.   So please check that as well.

Let us know what this outputs...





 
<cfoutput query="viewRegistration">
  <h3>In the database: #viewRegistration.CreditCardNumber#</h3>
<cfif len(viewRegistration.CreditCardNumber)>
   <h3>Before Decyrption: #viewRegistration.CreditCardNumber#</h3>
   <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>
   <h3>After Decyrption: #CreditCardNumber#</h3>
   <h3>Just the Decyrption: #decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)#</h3>
   <cfset myCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>
   <h3>A different variable: #myCardNumber#</h3>
   <h3>The Secret Key: #request.encryptionKey#</h3>
<cfelse> 
   <h3>Card number is empty</h3>
   <cfset CreditCardNumber = "">
</cfif>


Author

Commented:
Hey there. Thanks for your patience while I stepped away and worked on a couple of other tasks. I've read your notes above carefully. It's really helpful to know this order of precedence of the variable scopes:

    * Local variables
    * cfquery
    * CGI
    * File
    * URL
    * Form
    * Cookie
    * Client

OK, so I took your code and put it in my View Registration page. The full View Registration page is noted below in a code snippet. I understand that we are checking each function that ColdFusion does with the string of numbers in variable CreditCardNumber.

I used the new <cfoutput query="viewRegistration"> that you suggested to check each value output by ColdFusion at each step of the code.

Here is the output I get from your new ViewRegistration query, below. Hmmm. It looks like Decryption works fine if we do:

#decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)#

In the database: *%Y[LTL8,P<3VHP
Before Decyrption: *%Y[LTL8,P<3VHP
After Decyrption: *%Y[LTL8,P<3VHP
Just the Decyrption: 1234567890
A different variable: 1234567890
The Secret Key: yourSecretPassword
In the database: *%Y[LTL8,P<3VHP
Before Decyrption: *%Y[LTL8,P<3VHP
After Decyrption: *%Y[LTL8,P<3VHP
Just the Decyrption: 1234567890
A different variable: 1234567890
The Secret Key: yourSecretPassword
In the database: *%Y[LTL8,P<3VHP
Before Decyrption: *%Y[LTL8,P<3VHP
After Decyrption: *%Y[LTL8,P<3VHP
Just the Decyrption: 1234567890
A different variable: 1234567890
The Secret Key: yourSecretPassword

I am looking at the old View Registration again to see why decryption works here, but not there.

Thanks again for your help. I'll report back here soon with more information.

<cfinclude template="/SiteHeader.cfm" />
 
<p class="align-center">[ Sort By: <a href="/meetings/Medicare2009_view_registration.cfm?sort=RegistrationID">Registration ID</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=DateCreated">Date Submitted</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=Lastname">Last Name</a> | <a href="/meetings/Medicare2009_view_registration.cfm?sort=Organization">Organization</a> ]</p>
 
 
 <h1 class="align-center">Medicare 2009 Webinar Registrations</h1>
 
 <!--- This query displays data from table Medicare2009Reg in database ascassociation --->
<cfquery datasource="ascassociation" dbname="ascassociation" name="viewRegistration">
	SELECT RegistrationID,
    	Greeting,
		FirstName,
		LastName,
        Credential,
		Organization,
		Address1,
		Address2,
		City,
		State,
		Zip,
		Phone,
		Fax,
		Email,
        SubtotalFinalRule,
        SubtotalConditionsCoverage,
		TotalEnclosed,
		CheckEnclosed,
		CheckNumber,
		AuthorizeCharge,
		CreditCard,
		CreditCardNumber,
        accountDisplay,
		ExpirationDate,
		PrintedCardHolderName,
		CreditCardZIPCode,
		CVV,
		DateCreated
		
FROM Medicare2009Reg
ORDER BY RegistrationID
 
</cfquery>
 
 
<cfoutput query="viewRegistration">
 
 <h3>In the database: #viewRegistration.CreditCardNumber#</h3>
<cfif len(viewRegistration.CreditCardNumber)>
   <h3>Before Decyrption: #viewRegistration.CreditCardNumber#</h3>
   <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>
   <h3>After Decyrption: #CreditCardNumber#</h3>
   <h3>Just the Decyrption: #decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)#</h3>
   <cfset myCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>
   <h3>A different variable: #myCardNumber#</h3>
   <h3>The Secret Key: #request.encryptionKey#</h3>
<cfelse> 
   <h3>Card number is empty</h3>
   <cfset CreditCardNumber = "">
</cfif>
 
 
</cfoutput>
  
 
 
 
 
<cfinclude template="/SiteFooter.cfm" />


Ok, excellent!

So, that proves my theory that it's the variable scoping that is causing the issue.

Because you are using the same variable name with and without a scope.  

Notice that the line that says "A different variable: " also works... that's the same as your code, but just using a different name for the variable.

So all you have to do is change your variable name so it does not match the column name, OR just add the scope!

EITHER:

 <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>

to:
 <cfset variables.CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>

and change it in the other places lower on the page..


OR option two


 <cfset CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>

change to...

   <cfset myCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>

and change it in the other places lower on the page...


Lesson learned - always scope your variables :)

When I code my variables are always written as...


 variables.firstName
 variables.lastName

instead of just..

 firstName
 lastName

Author

Commented:
That worked.

I did

<cfset variables.CreditCardNumber = decrypt(viewRegistration.CreditCardNumber,request.encryptionKey)>

and

<CFIF CreditCardNumber IS NOT ""><strong>Credit Card Number (decrypted):</strong> #variables.CreditCardNumber#<br /></CFIF>

And this tells Coldfusion the correct scope with which to reference variable CreditCardNumber.

This is incredible. Thanks so much, as always.

Author

Commented:
Thanks to gdemaria and myselfrandhawa for helping me not only to solve the problem but to understand what was going wrong. I am extremely grateful to you both for sticking by me while we worked on this problem. You guys have racked up a lot of good karma these past few days. =)

Take care.
Eric
Excellent, glad it worked.

Don't forget to scope every occurrence of the variable including the one in the CFIF which it seems you missed:

<CFIF CreditCardNumber IS NOT ""
       ^^^^^ add scope

Author

Commented:
<CFIF CreditCardNumber IS NOT ""

Got it. =)
