3

I'm planning to store gift card codes on my website that people can buy at certain stores and then be able to use to buy stuff on my website. I'm planning on doing the following process to make these codes harder to decrypt:

First, I'll use str_rot13 to shift every letter by 13 places. Second, I'll use str_replace to turn every 2 into 1 and every 1 into 2. Third, I'll encrypt it using mcrypt or whatever encryption method I want, and lastly I will shift every letter of the encryption by 13 or whatever I want.

I'm not very advanced when it comes to security in PHP, so that's why I'm asking for your opinion on whether this might be a good way to store data or if there are any alternative ways to look into.

I'm also aware that there is no foolproof plan or tactic to keep hackers from decrypting any information I store in my database, but I at least want to make it as hard as possible for them to decode it.

Note: the method I use above is just an example of what I might do.

2 Answers

1

I would advise you to use hashing for this purpose (along with salting), in the same way you would for a password.

You can hash the gift code in the database using a salt, and store both the salt and the hash in the database.

Later, when the user uses a gift code, simply rehash it with the same method and check to see if such a hash exists in your database. If it does, this means that the gift code is correct, and you simply award the user accordingly.

Hashing is safer than Encryption, in my opinion. If you are, however, inclined towards using encryption for this purpose, you can use the PHP class from the answer to this question: Two-way encryption: I need to store passwords that can be retrieved

Community
Stoic
0

If you are using a database, you do not need to actually provide any sensitive information to the user.

A possible flow of Gift Cards:

  1. Each card has a unique number (possibly randomly generated in a way that is hard to guess) which is written on the card, paper, etc.

  2. On checkout the clerk either uses a service you provide to 'register' the value of the card, or it is predetermined, in which case the cards could be in groups (e.g. 10$, 20$, etc.). But they should still be activated in some way to combat fraud.

  3. This Card is then handed to the customer and the code can then be used on your checkout to receive the value that is associated with the unique number.

The safety and privacy of these cards would then be in the hands of the stores you hand them out to. You would need a way to know which store has which, etc., in case of theft or other serious issues.

This way the user cannot guess the number (easily), as it would have to be 1. purchased and 2. not be used already.

While Hashing and Encrypting can be safe if done correctly, it would make no real sense to give the user potential information about the internals. Even if they are harder to get.

Neikos
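The two answers above can be combined: random codes, only a digest in the database, activation at sale, and one-time redemption. The following is an added example, not code from either answer. The `gift_cards` table, `LOOKUP_KEY`, the function names and the in-memory SQLite database are hypothetical, and a keyed HMAC-SHA256 digest is used in place of a per-code salt so that a submitted code can be found by a single indexed lookup.

```php
<?php
declare(strict_types=1);
// Assumption: a server-side secret kept outside the database (constructed demo value).
const LOOKUP_KEY = 'constructed-demo-key-replace-me';

// Flow step 1: an unguessable code from a CSPRNG (16 symbols of 5 bits, about 80 bits).
function generateCode(): string {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // 32 symbols, no 0/O/1/I
    $code = '';
    for ($i = 0; $i < 16; $i++) { $code .= $alphabet[random_int(0, 31)]; }
    return $code;
}

// Only this keyed digest is stored; the printed code itself never reaches the database.
function codeDigest(string $code): string {
    return hash_hmac('sha256', strtoupper(str_replace(['-', ' '], '', $code)), LOOKUP_KEY);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gift_cards (digest TEXT PRIMARY KEY, value_cents INTEGER NOT NULL,
    activated INTEGER NOT NULL DEFAULT 0, redeemed INTEGER NOT NULL DEFAULT 0)');

function issue(PDO $db, int $valueCents): string {
    $code = generateCode();
    $db->prepare('INSERT INTO gift_cards (digest, value_cents) VALUES (?, ?)')
       ->execute([codeDigest($code), $valueCents]);
    return $code; // goes on the physical card, not into storage
}

function activate(PDO $db, string $code): bool { // flow step 2: the clerk registers the sale
    $st = $db->prepare('UPDATE gift_cards SET activated = 1 WHERE digest = ? AND activated = 0');
    $st->execute([codeDigest($code)]);
    return $st->rowCount() === 1;
}

function redeem(PDO $db, string $code): ?int { // flow step 3: single use at checkout
    $digest = codeDigest($code);
    // The conditional UPDATE is atomic, so two concurrent requests cannot both redeem.
    $st = $db->prepare(
        'UPDATE gift_cards SET redeemed = 1 WHERE digest = ? AND activated = 1 AND redeemed = 0');
    $st->execute([$digest]);
    if ($st->rowCount() !== 1) { return null; }
    $q = $db->prepare('SELECT value_cents FROM gift_cards WHERE digest = ?');
    $q->execute([$digest]);
    return (int) $q->fetchColumn();
}

$code = issue($db, 2000);
// Redeem before activation, activate, redeem, then try to redeem the same code again.
var_dump(redeem($db, $code), activate($db, $code), redeem($db, $code), redeem($db, $code));
```

A database dump alone reveals neither the printed codes nor, without `LOOKUP_KEY`, a way to test guesses against the stored digests.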