[FX.php List] [ OFF ] Getting to PCI compliance

Andrew Denman adenman at tmea.org
Thu May 19 14:22:21 MDT 2011


If all you want to do is remove certain characters from the submitted data, this (untested) function should do it:
// Recursively strip "<" and ">" from a string or from every leaf of a
// (possibly nested) array. array_map keeps the original keys, so $_POST
// field names survive.
function removeXThan_array($x){
   if (is_array($x)) {return array_map('removeXThan_array', $x);}
   return str_replace(array("<",">"), "", $x);
}
$postData = removeXThan_array($_POST);
(You can also use an array for the second parameter of str_replace to replace characters with unique text. [e.g., > to &gt;, < to &lt;])

You could also run everything through htmlentities to prevent users from submitting html code that could be echoed back and executed:
// Recursively HTML-encode a string or every leaf of a (possibly nested) array,
// so "<" becomes "&lt;", ">" becomes "&gt;", etc.
function htmlentities_array($x){
   if (is_array($x)) {return array_map('htmlentities_array', $x);}
   return htmlentities($x);
}
$postData = htmlentities_array($_POST);
(See http://us3.php.net/manual/en/function.htmlentities.php for options.)


Andrew Denman
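An added example, not code from Andrew's post or from the FX.php project: it puts the two approaches above side by side on nested form data and escapes with explicit ENT_QUOTES and UTF-8, since htmlentities on PHP releases of this era defaults to ISO-8859-1 and leaves single quotes alone. The function names (map_leaves, strip_angle_brackets, escape_for_html) and the sample $postData array are my own constructions.

```php
<?php
// Added example: recursive sanitising of nested form data, two ways.

// Apply $fn to every scalar leaf of a nested array, preserving keys.
function map_leaves(callable $fn, $value) {
    if (is_array($value)) {
        $out = [];
        foreach ($value as $key => $item) {
            $out[$key] = map_leaves($fn, $item);
        }
        return $out;
    }
    return $fn((string) $value);
}

// Lossy approach: drop the angle brackets the PCI scanner flagged.
// Data is altered before storage, so "1 <Main> St" becomes "1 Main St".
function strip_angle_brackets($value) {
    return map_leaves(function ($s) {
        return str_replace(['<', '>'], '', $s);
    }, $value);
}

// Lossless approach: keep the data, HTML-escape it for echoing back.
// ENT_QUOTES escapes both quote styles; the charset is stated explicitly
// because older PHP defaults to ISO-8859-1.
function escape_for_html($value) {
    return map_leaves(function ($s) {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    }, $value);
}

// Constructed sample standing in for $_POST (nested field names are common
// with cart forms such as address[street]).
$postData = [
    'name'    => "O'Brien <b>bold</b>",
    'address' => ['street' => '1 <Main> St', 'zip' => '37211'],
];

print_r(strip_angle_brackets($postData));
print_r(escape_for_html($postData));
```

Escaping at output time (the second function) keeps the stored value intact and still prevents submitted markup from executing when it is echoed back; stripping is simplest when the scanner only checks that the characters are rejected.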

From: fx.php_list-bounces at mail.iviking.org [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Bob Patin
Sent: Thursday, May 19, 2011 1:50 PM
To: FX.php Discussion List
Subject: Re: [FX.php List] [ OFF ] Getting to PCI compliance

John,

Yes, I saw that as well; some of it involved updating PHP to a newer version of PHP 5, and there was something about the cert that they have, but those will be someone else's to deal with. What I think I have to do is add a regex expression that will filter certain characters from form inputs; since I'm not storing card info, that's a non-issue for us.

My client's accounting person got freaked by the $50K warning for each infraction, so of course they dumped the report in my lap to sort out...


Bob Patin
Longterm Solutions
bob at longtermsolutions.com
615-333-6858
http://www.longtermsolutions.com
iChat: bobpatin
FileMaker 9, 10 & 11 Certified Developer
Member of FileMaker Business Alliance and FileMaker TechNet
--
Expert FileMaker Consulting
FileMaker Hosting for all versions of FileMaker
PHP * Full email services * Free DNS hosting * Colocation * Consulting


On May 19, 2011, at 1:13 PM, John May wrote:


One thing to note too is that there is a difference between what is *required* and what the PCI company would *like* you to do.  Very often a very large difference.  Only the required stuff is what is required to obtain certification, in my experience.

They're very much like the HR person trying to hire a tech person that only knows the catch-phrase certifications to look for - they don't necessarily understand what they're talking about.

            - John


On 5/18/11 11:06 AM, Gareth Evans wrote:

The report will tell you what needs to be addressed. From my experience
most of the stuff that needs to be done is on the server side of things
like patching apache/php, installing firewalls/antivirus, blocking
unused ports etc. From an application standpoint the usual security
guidelines apply like forcing ssl on login/order entry forms, enforcing
strong passwords, filtering data, disabling autocomplete on certain form
fields etc. If you're storing card data then there are requirements for
how it is stored in your systems and how employees can access that data.
There is also an admin portion which requires drafting a security policy
if you do not have one already.

The following link will have some general info about it, although if you
don't manage the servers there may not be too much for you to do depending
on how you've written the app.
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

Cheers,
Gareth

On 2011-05-18, at 9:52 AM, Bob Patin wrote:

One of my clients has received a PCI compliance letter, and now I'm
being asked to pull their cart into compliance.

From what little I've read about it so far, it appears that I need to
block the submission of certain characters -- the < , > , and some
other symbols -- but is there more than that to be done to get to
compliance?

From what I can tell from the report they received, the client's web
server needs a PHP update, but that's not my department... if anyone's
already trod down this road, I'd appreciate any wisdom.

Thanks,


Bob Patin
Longterm Solutions


--

-------------------------------------------------------------------
John May : President                   http://www.pointinspace.com/
Point In Space Internet Solutions             jmay at pointinspace.com

            Twitter: http://twitter.com/pointinspace/
          Facebook: http://www.facebook.com/PointInSpace/

       Professional FileMaker Pro, MySQL, PHP & Lasso Hosting
         on shared, virtual and hardware dedicated servers
