Message-ID: <413DB51B.6020804@circlesquared.com>
Date: Tue, 07 Sep 2004 14:18:19 +0100
From: Peter Risdon
To: FreeBSD Mail Lists
cc: Questions
Subject: Re: Update Databases from Webserver

> On Mon, 6 Sep 2004, FreeBSD Mail Lists wrote:
>
>>I would like to see how other people are updating backend databases
>>(postgresql on FreeBSD, internal network) from a webserver (apache,php
>>on FreeBSD, dmz network) through a firewall. Pretty much what I am
>>trying to learn is how to take private information (credit card numbers,
>>etc.) and write it to a backend database without leaving any huge holes
>>for hacking. Should this be done or am I barking up the wrong tree,

I'm afraid the awful truth is that if you need to ask this question here, you shouldn't be storing other people's credit card details on your server.

You don't say why you'd want to do this. If you want to allow customers of an e-commerce site to avoid repeating their details whenever they want to buy, perhaps consider basing the payment backend around PayPal. The need for users to authenticate in order to make a payment hasn't brought e-Bay to its knees.

If you want to use the numbers to confirm identity or something, you could store an encrypted version of the number and use that for comparison.

But to start storing plaintext CC details on your system without being deeply expert in all the security issues raised would be very dangerous. And the high degree of monitoring needed for such a system would make it uneconomical without commensurately high volumes of business.

Peter.
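An added example, not part of Peter's message: one way to keep a comparison-only value for a card number, here a keyed HMAC-SHA256 digest rather than reversible encryption. The choice of HMAC, the function names and the record layout are assumptions. An unkeyed hash would not do, because card numbers are few enough to enumerate, so the key has to live outside the database.

```python
import hashlib
import hmac
import secrets


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; reject anything that is not 12-19 ASCII digits."""
    digits = raw.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit() and 12 <= len(digits) <= 19):
        raise ValueError("not a card number")
    return digits


def card_token(key: bytes, raw_pan: str) -> str:
    """Keyed digest of the card number; this is the only form that is stored."""
    pan = normalize_pan(raw_pan).encode("ascii")
    return hmac.new(key, pan, hashlib.sha256).hexdigest()


def make_record(key: bytes, customer_id: int, raw_pan: str) -> dict:
    """Row for the backend database (hypothetical layout): no full number in it."""
    pan = normalize_pan(raw_pan)
    return {"customer_id": customer_id,
            "last4": pan[-4:],
            "token": card_token(key, pan)}


def matches(key: bytes, raw_pan: str, stored_token: str) -> bool:
    """Check a presented number against the stored token in constant time."""
    try:
        candidate = card_token(key, raw_pan)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored_token)


if __name__ == "__main__":
    # Assumption: in production the key comes from a key store on the
    # application side, never from the database that holds the tokens.
    key = secrets.token_bytes(32)
    # Constructed sample input: a well-known test card number.
    record = make_record(key, 42, "4111 1111 1111 1111")
    print(record)
    print(matches(key, "4111-1111-1111-1111", record["token"]))
    print(matches(key, "4111111111111112", record["token"]))
```

A database dump alone yields only the last four digits and a digest that cannot be brute-forced without the key; it also cannot be used to charge the card again, which is the point of storing it only for comparison.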