November 4th, 2003, 05:35 PM
making mail() secure??
I am planning to set up an online store where customers can order CDs. On the order page, it asks for their credit card number (which we do NOT store in our database). I will be sending this credit card number through the PHP mail() function to a faxing service (to fax the order to the warehouse).
I know that I will need SSL to support the security of the form processing.
However, I am not sure what security measures I need to take to make sure the e-mail is sent securely.
Thanks in advance
November 5th, 2003, 04:57 PM
This means that the server administrators will be able to intercept the credit card numbers sent via mail() if they so wish. The fax containing the credit card details can also be intercepted by the faxing service or a phone eavesdropper.
This will ensure encryption between client and server; however, you need to ensure that the email is encrypted until it arrives at its destination.
You should do something like this: Have the browser submit a form over SSL to the web server containing the card details. The PHP script that you post to will need to open a pipe to gpg or a similar program to encrypt the data with a public key held on the server. This encrypted data can then be emailed to the warehouse, where it can be decrypted with the private key.
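The flow described in the reply above (form posted over SSL, PHP pipes the data to gpg, ciphertext is mailed), as an added example that is not part of the original thread. The keyring path, key user ID, addresses and order text are placeholders or constructed sample data, and the array form of proc_open() assumes PHP 7.4 or later.

```php
<?php
// Added example, not from the thread. Key owner, keyring path and addresses
// are placeholders; the order text is constructed sample data.
const GPG_HOMEDIR   = '/var/lib/shop/gnupg';   // keyring holding only the warehouse PUBLIC key
const GPG_RECIPIENT = 'warehouse@example.com'; // user ID on that public key

function gpg_encrypt(string $plaintext, string $recipient, string $homedir): string
{
    // Argument array (PHP 7.4+): gpg is executed directly, no shell is involved.
    $cmd = ['gpg', '--homedir', $homedir, '--batch', '--no-tty', '--armor',
            // A dedicated keyring has no ownertrust set; without this, batch
            // mode refuses to encrypt to the key.
            '--trust-model', 'always',
            '--encrypt', '--recipient', $recipient];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $plaintext);   // plaintext goes over the pipe, never to disk
    fclose($pipes[0]);
    $cipher = stream_get_contents($pipes[1]);
    $errors = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    // Fail closed: anything other than a complete armored message is an error.
    if ($status !== 0 || strpos($cipher, '-----BEGIN PGP MESSAGE-----') !== 0) {
        throw new RuntimeException('gpg failed: ' . trim($errors));
    }
    return $cipher;
}

$order = "Order 1001 (constructed sample)\nCard: 4111 1111 1111 1111 exp 01/30\n";
try {
    $body = gpg_encrypt($order, GPG_RECIPIENT, GPG_HOMEDIR);
    // Subject and headers travel in the clear, so they carry no order data.
    mail('orders@warehouse.example', 'New order', $body);
} catch (RuntimeException $e) {
    error_log('order encryption failed: ' . $e->getMessage());
    http_response_code(500);         // the plaintext is never mailed as a fallback
}
```

Only the public key lives on the web server; the private key stays with whoever decrypts at the warehouse end, so a compromise of the web host does not expose previously sent orders.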