Posted by shimmyshack on 05/31/07 15:29
On May 25, 9:41 am, "Buzby" <g...@pumpupthe.net> wrote:
> Hi - I'm a PHP noob!
>
> I'm running on a windows server with php4.xx and am putting together a
> hotel booking system for a small hotel. I'd like to be able to send out
> encrypted reservation requests that contain the booking details
> [including credit card info] to the hotel.
>
> For other sites using classic asp I've successfully used AspEncrypt -
> is there anything similar hidden within the depths?
>
> TIA!
>
> --
> Buzby
> There's nothing more dangerous than a resourceful idiot

First, are you using SSL? If so, great. Next, does the hotel have a
keypair so they can use their private key to decrypt the message? If
so, great. If not, get them to generate one with openssl, for instance,
and install it into their email client.

Now, do you have sendmail.exe on the PHP server? Great!

For complete security why not run stunnel on the server, and use it to
proxy your mails to Gmail's SSL SMTP server (or the hotel's SSL email
SMTP server if they have one), and then the hotel should use SSL POP to
collect their mail, preferably using a POP server on the same net as
the SMTP server. That would all be nice and secure if something went
wrong.

Also remember your keys need renewing every so often, so make a note
in your diary so everyone's happy and you don't get a nasty surprise.

    // $body must already hold the plain-text booking details
    $name = 'customer';
    $email = 'customer@theiremail.com';
    @file_put_contents('msg.txt', $body);
    $public_key = file_get_contents('public_cert.pem');
    if (openssl_pkcs7_encrypt(
            'msg.txt',
            'enc.txt',
            $public_key,
            array(
                'To' => 'bookings <bookings@hotel.com>',
                // double quotes, so that $name and $email are interpolated
                'From' => "{$name} <{$email}>",
                'Subject' => 'yipee - a booking'
            )
        )
    ) {
        // sendmail -t reads the recipients from the headers in enc.txt
        $sendmail_exe = 'C:/path/to/sendmail.exe -t';
        exec($sendmail_exe . ' < "enc.txt"', $result);
        unlink('enc.txt');
        unlink('msg.txt');
    }

Make sure you check the $email and $name and trim off null chars (\r
\n etc), and make sure you check that enc.txt and msg.txt are certainly
deleted each time. Use $result as you see fit.

Remember to check that the mail has been successfully encrypted (see
renewing your keys above) so you are warned if something is going
wrong.

You can sign and encrypt, provided you sign first and encrypt the
smime.p7s (instead of the body), but for that you will need to store
the private key and its passphrase on the server. You might not want
to do that, as if it is pinched, you will have to revoke your keys.
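
An added example, not part of the post above: one way to carry out the checks it asks for (validated header values, temp files removed on every path, a check that the output really is encrypted). It assumes PHP 5.5 or later with the openssl extension; the function names and the throwaway demo certificate are constructed for illustration.

```php
<?php
// Added example; function names are hypothetical. Header values carrying CR, LF,
// NUL or address delimiters are refused rather than trimmed, so a value such as
// "x\r\nBcc: ..." cannot add headers for sendmail -t to act on.
function clean_header_value($value) {
    $value = trim($value);
    return ($value === '' || preg_match('/[\r\n\0<>"]/', $value)) ? false : $value;
}
// Returns the S/MIME message text, or false if validation or encryption failed.
function encrypt_booking($body, $name, $email, $cert_pem) {
    $name  = clean_header_value($name);
    $email = clean_header_value($email);
    if ($body === '' || $name === false || $email === false
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $headers = array(
        'To'      => 'bookings <bookings@hotel.com>',
        'From'    => "{$name} <{$email}>",
        'Subject' => 'yipee - a booking',
    );
    // Unpredictable temp names instead of a shared msg.txt/enc.txt.
    $plain = tempnam(sys_get_temp_dir(), 'msg');
    $enc   = tempnam(sys_get_temp_dir(), 'enc');
    $message = false;
    try {
        // Name the cipher explicitly: PHP before 8.0 defaulted to 40-bit RC2.
        if ($plain !== false && $enc !== false
            && file_put_contents($plain, $body) !== false
            && openssl_pkcs7_encrypt($plain, $enc, $cert_pem, $headers, 0, OPENSSL_CIPHER_AES_256_CBC)) {
            $out = file_get_contents($enc);
            // Accept only output that is an S/MIME envelope and hides the body.
            if ($out !== false && stripos($out, 'pkcs7-mime') !== false && strpos($out, $body) === false) {
                $message = $out;
            }
        }
    } finally {
        // Runs on success, failure and exceptions, so neither file is left behind.
        foreach (array($plain, $enc) as $f) { if ($f !== false && is_file($f)) { unlink($f); } }
    }
    return $message;
}
// Constructed demo: a throwaway self-signed certificate stands in for the hotel's.
$key = openssl_pkey_new(array('private_key_bits' => 2048));
openssl_x509_export(openssl_csr_sign(openssl_csr_new(array('commonName' => 'bookings'), $key), null, $key, 1), $pem);
// First call: header-injection attempt in the display name. Second: well-formed input.
var_dump(encrypt_booking('Room 12, 2 nights', "Eve\r\nBcc: x@example.org", 'eve@example.org', $pem));
var_dump(is_string(encrypt_booking('Room 12, 2 nights', 'customer', 'customer@theiremail.com', $pem)));
```

The returned text is what the post's sendmail -t step would receive on standard input.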