Payment Information not secured #9

Open
Fxdpt opened this issue Dec 11, 2019 · 0 comments

Fxdpt commented Dec 11, 2019

It seems the payment information is not secured when written to the database:

$paymode=$_POST['paymod'];
$bankname=$_POST['bank'];
$cardname=$_POST['cardname'];
$cardno=$_POST['cno'];
$cvv=$_POST['cvv'];
$expiry=$_POST['expdate'];
$sql_users = "INSERT INTO payment(paymode,bankname,cardname,cardno,cvv,expiry) VALUES ('$paymode','$bankname','$cardname','$cardno','$cvv','$expiry')";

You pass all the POST input raw into your SQL query. That means:
1- I can easily do an SQL injection in your code.
2- Following from 1, I can get all the credit card numbers & related information of your users.

What you can easily do to correct this is: use prepare()/execute() if you are using PDO, or create a little function

function clearInput(string $value) : string
{
    // trim() and htmlspecialchars() return new strings; they do not modify
    // $value in place, so the results must be assigned back.
    $value = trim($value);
    // Escapes HTML metacharacters for output into an HTML page. It is not an
    // SQL escaping function and does not by itself stop SQL injection.
    $value = htmlspecialchars($value);

    return $value;
}

then:

$cardname = clearInput($_POST['cardname']);
$cardno   = clearInput($_POST['cno']);
$cvv      = clearInput($_POST['cvv']);
$expiry   = clearInput($_POST['expdate']);

Then you should check whether the payment information doesn't already exist before writing it to the DB; as it stands, the same credit card can be added x times to the database, once per user payment.
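Added example, not code from the project or from the issue author: the card lookup the comment asks for ("does this card already exist?") built the same way the project's INSERT is built, by pasting user input into the SQL text, beside the same lookup and the INSERT as PDO prepared statements. It runs against an in-memory SQLite table named like the one in the issue; the seeded rows, the `$post` array standing in for `$_POST`, and the function names are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code). Table and column names follow the
// issue; rows, POST values and function names are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE payment (
    paymode TEXT, bankname TEXT, cardname TEXT,
    cardno TEXT, cvv TEXT, expiry TEXT)');

// Constructed existing rows (industry test numbers, not real cards).
$seed = $pdo->prepare('INSERT INTO payment VALUES (?, ?, ?, ?, ?, ?)');
$seed->execute(['card', 'Bank A', 'Alice', '4111111111111111', '123', '12/27']);
$seed->execute(['card', 'Bank B', 'Bob',   '5555555555554444', '456', '06/28']);

// 1. Lookup built like the issue's INSERT: the value becomes part of the SQL
//    text, so a value containing a quote rewrites the WHERE clause.
function findCardVulnerable(PDO $pdo, string $cardno): array
{
    $sql = "SELECT cardno FROM payment WHERE cardno = '$cardno'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Same lookup as a prepared statement. The SQL and the value travel
//    separately; the value is compared literally and cannot change the
//    statement's structure.
function findCardSafe(PDO $pdo, string $cardno): array
{
    $stmt = $pdo->prepare('SELECT cardno FROM payment WHERE cardno = ?');
    $stmt->execute([$cardno]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker value: closes the string literal and appends a
// tautology, which is the textbook way to dump every row.
$payload = "' OR '1'='1";
var_dump(findCardVulnerable($pdo, $payload));
var_dump(findCardSafe($pdo, $payload));

// 3. The issue's INSERT with bound parameters, preceded by the existence
//    check the commenter asks for. Constructed stand-in for $_POST.
$post = [
    'paymod'   => 'card',
    'bank'     => 'Bank C',
    'cardname' => "O'Brien",   // an ordinary apostrophe, harmless when bound
    'cno'      => '4242424242424242',
    'cvv'      => '789',
    'expdate'  => '01/29',
];

function storePayment(PDO $pdo, array $post): bool
{
    if (findCardSafe($pdo, $post['cno']) !== []) {
        return false; // already on file: do not insert a duplicate
    }
    $stmt = $pdo->prepare(
        'INSERT INTO payment (paymode, bankname, cardname, cardno, cvv, expiry)
         VALUES (:paymode, :bankname, :cardname, :cardno, :cvv, :expiry)'
    );
    return $stmt->execute([
        ':paymode'  => $post['paymod'],
        ':bankname' => $post['bank'],
        ':cardname' => $post['cardname'],
        ':cardno'   => $post['cno'],
        ':cvv'      => $post['cvv'],
        ':expiry'   => $post['expdate'],
    ]);
}

var_dump(storePayment($pdo, $post)); // first call inserts the row
var_dump(storePayment($pdo, $post)); // second call is rejected as a duplicate
```

Run with `php example.php`. With the tautology payload the concatenated query becomes `SELECT cardno FROM payment WHERE cardno = '' OR '1'='1'`, so `findCardVulnerable` returns both seeded card numbers, while `findCardSafe` looks for a card literally named `' OR '1'='1` and returns an empty array. The bound INSERT stores `O'Brien` unchanged, which is also why `htmlspecialchars()` is the wrong tool here: it is meant for HTML output, not for SQL. Separately from injection, storing the CVV at all is something a payment integration should avoid; card-industry rules (PCI DSS) prohibit retaining it after authorization.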
