GnuPG PHP website - credit card encryption

Hello

After moving servers I was having trouble with GnuPG so I generated a new set of keys in my own name. They work in the command line:

gpg --encrypt -ao encrypteddata -r rhiannon@viva.org.uk data

But not in my PHP code.

This is the bit that doesn’t work at all (errors listed below).

-----------------------------------------------------------------------------------------------------------------

//invoke PGP to encrypt file contents
system("/usr/bin/gpg --encrypt -ao $crypted -r 'Rhiannon <rhiannon@viva.org.uk>' $plainTxt");

//open file and read encrypted contents into var
$fd = fopen($crypted, "r");

$encrypted_stuff = fread($fd, filesize($crypted));

fclose($fd);

-----------------------------------------------------------------------------------------------------------------

If I make the fopen “w+” it does create the file, but it is empty at 0 bytes.

As I said, it works beautifully from the command line – my new user is able to encrypt and decrypt.
Daizzy-MaeAsked:

andrewbleakleyCommented:
It could be web server permission related. If you run the PHP script from the command line, does it work?
0
Daizzy-MaeAuthor Commented:
Hi, yes, it does work from the command line. It creates the encrypted file perfectly :-)

Does that mean it's permissions?
0
andrewbleakleyCommented:
Yes, check the permissions that your web server runs as and the file system permissions.
0
Daizzy-MaeAuthor Commented:
In my command line on my website folder I get these results:

whoami     timetogoveggie.com
id -u           186655

I am connecting to my website using the FTP login the hosting company gave me, which has a different username: vivacaa.

Do you think that could be the problem?

The code creates the files in the root of the website which looks to have permissions 'XXX' as I am on shared hosting so don't have access to change the permissions on this folder.

Do you think this is causing the trouble?

Do you know why this would have happened when I changed hosts?

Many Thanks
0
Daizzy-MaeAuthor Commented:
Also, my GnuPG keys I generated are for a user called 'rhiannon <rhiannon@vive.org.uk>'
0
andrewbleakleyCommented:
change the permissions to 777 to test it - change them to something safer once you have tested though. If it works after you set the permissions to 777 you have found your issue - then you just need to set the correct permissions so that the data is safe and still runs
0
Daizzy-MaeAuthor Commented:
Unfortunately I am not able to change the permissions on the root folder of my website because I am on shared hosting and don't have access to this folder. Is that the folder you mean?
0
andrewbleakleyCommented:
not the whole folder - just the files
0
Daizzy-MaeAuthor Commented:
Thank you Andrew. I just tried to encrypt a test text file with permissions 777, but got the same error messages as it failed to create the encrypted version of the file:

Warning: fopen(/services/webpages/t/i/timetogoveggie.com/encrypteddata) [function.fopen]: failed to open stream: No such file or directory in /services4/webpages/util/v/i/vivacaa.site.aplus.net/public/vvfshop/processform2.php  on line 137

Warning: filesize() [function.filesize]: stat failed for /services/webpages/t/i/timetogoveggie.com/encrypteddata in /services4/webpages/util/v/i/vivacaa.site.aplus.net/public/vvfshop/processform2.php on line 138

Warning: fread(): supplied argument is not a valid stream resource in /services4/webpages/util/v/i/vivacaa.site.aplus.net/public/vvfshop/processform2.php on line 138

Warning: fclose(): supplied argument is not a valid stream resource in /services4/webpages/util/v/i/vivacaa.site.aplus.net/public/vvfshop/processform2.php on line 139
0
Daizzy-MaeAuthor Commented:
I think you are right - it probably is a permission problem: I will probably need to create a keyring for whichever user owns the php process.

Do you know how to find out which user owns the php process?

Many Thanks
0
andrewbleakleyCommented:
It will run as the same user as apache does. Check your apache.conf for the User and Group directives
0
Daizzy-MaeAuthor Commented:
Hi Andrew

There don't seem to be any files ending in .conf in my website - do you think I might not have access to it because I am on shared hosting?
0
andrewbleakleyCommented:
Does this file exist /services/webpages/t/i/timetogoveggie.com/encrypteddata
0
Daizzy-MaeAuthor Commented:
Hi :-)

No, it has not made the file.

If I change the line in the code above to "w+" like this:
$fd = fopen($crypted, "w+");
Then it makes the file, but it is empty (0 bytes).

I just ran the command fine from the command line again as a test:
gpg --encrypt -ao testdatapgpdata.txt -r rhiannon@viva.org.uk testdata.txt

And it did create the file fine.
0
andrewbleakleyCommented:
to find out what PHP is running as create a PHP script with

<?php
echo 'Current script owner: ' . get_current_user();
?>

and run it
0
Daizzy-MaeAuthor Commented:
Thank you Andrew

I did try that but the . get_current_user(); is empty - as though there is no user!
0
andrewbleakleyCommented:
If you create the file /services/webpages/t/i/timetogoveggie.com/encrypteddata and give it permissions 777 will it run ?
0
Daizzy-MaeAuthor Commented:
I created the file and gave it permissions 777 and refreshed the php page: It doesn't give as many errors, but it doesn't put the encrypted data into the file still (0 Bytes).

Warning: fread() [function.fread]: Length parameter must be greater than 0 in /services4/webpages/util/v/i/vivacaa.site.aplus.net/public/vvfshop/processform2.php  on line 141

0
andrewbleakleyCommented:
ok, remove the file, and run it see if it errors again
0
Daizzy-MaeAuthor Commented:
If I add some random text to the file it works very well, so I guess the PHP is generally ok, it really is just the following step which is the problem:

1. Encrypting the plain text version of the credit card details and dumping the encrypted data into a file:
system("/usr/bin/gpg --encrypt -ao $crypted -r 'Rhiannon <rhiannon@viva.org.uk>' $plainTxt");

If I make that file for it then it will happily do the other steps in the code above (open the file, read the encrypted contents and send it via email).
0
Daizzy-MaeAuthor Commented:
Hi

Yes, it does indeed error again. Thank you for the suggestion.

So it really is the encryption which is the problem, rather than the code after it.

Now I just need to work out why it won't encrypt from the PHP page, when it will from the command line!
0
andrewbleakleyCommented:
It is undoubtedly permission related. Either permissions to write the data to the file or permissions to execute gpg.

To rule out permissions to execute gpg, modify /services4/webpages/util/v/i/vivacaa.site.aplus.net/public/vvfshop/processform2.php to output to the browser instead of the filesystem. If it works, you can be pretty sure the problem lies with the file system.
0
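The test suggested in the answer above (send gpg's result to the browser instead of the filesystem), as an added example that is not code from the thread. It assumes PHP 7.4+ with `proc_open` enabled; the function name `gpg_encrypt` and the keyring path are hypothetical placeholders. Plaintext is passed on stdin and ciphertext read from stdout, so no card data is written to the web root and no shell parses the arguments; gpg's exit code and stderr show whether the failure is a missing keyring, an untrusted key, or execute permission.

```php
<?php
// Added example, not code from the thread. Keyring path is a placeholder.

/**
 * Encrypt $plaintext to $recipient with gpg.
 * Returns [exitCode, armoredCiphertext, stderrText].
 * Intended for small payloads (pipes are read one after the other).
 */
function gpg_encrypt(string $plaintext, string $recipient, string $homedir): array
{
    $cmd = [
        '/usr/bin/gpg',
        '--homedir', $homedir,      // keyring the PHP process user can read
        '--batch', '--no-tty',      // never prompt; fail with an error instead
        '--armor', '--encrypt',
        '--recipient', $recipient,
        '--output', '-',            // ciphertext goes to stdout, not a file
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];

    // Array form of proc_open runs gpg directly, without /bin/sh.
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return [-1, '', 'proc_open failed (exec functions disabled?)'];
    }
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), $out, $err];
}

// Effective uid of the PHP process (get_current_user() reports the script file's owner).
$uid = function_exists('posix_geteuid') ? posix_geteuid() : 'unknown';

[$code, $armored, $stderr] = gpg_encrypt(
    "constructed test data\n",          // constructed sample input
    'rhiannon@viva.org.uk',
    '/path/to/private/gnupg-home'       // placeholder: directory outside the web root
);

header('Content-Type: text/plain');
echo "effective uid: $uid\n", "gpg exit code: $code\n";
echo $code === 0 ? $armored : "gpg stderr:\n$stderr";
```

Once the cause is found, log stderr server-side rather than echoing it to visitors.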

Daizzy-MaeAuthor Commented:
Thank you Andrew

I'm looking into how to output the GnuPG results onto the screen.
0
Daizzy-MaeAuthor Commented:
Hi Andrew

I don't think there is an option to print the encrypted information onto a browser screen - I think GnuPG will only output an encrypted text file.

0