Hello,

I am in a situation in which a friends website was being developed in Drupal when the developer decided that they were unable to assist any further. I have since been asked to pick this up and finish everything although I have no experience with Drupal or PHP.

What I am trying to do is create a registration form which takes the persons information as well as their credit card information. I have been able to create the basic form which captures all of the information however, I am now stuck with a couple of issues both relating to the credit card information.

1. Is it possible to have the email sent securely? And if so, I would like it to send the email with only showing the last 4 digits of the credit card and expiry date.

2. How do I go about ensuring that the information that is captured via drupal is securely stored in the database? I have reviewed the secure pages module however I do not know if this is enough security or if further encryption is required. Also I am not familiar with Apache so I do not know how to set up the webserver to allow https connections correctly to test this correctly.

Any help that someone is able to provide is greatly appreciated. Thank you in advance!
Shaun

Comments

WillHall’s picture

Check out webform_pay... A pretty nice early module for collecting payment from webforms.

You should not be storing plaintext credit card numbers in the database.

There are a couple of security suites available, but nothing that is integrated with webform currently, though we desperately need it.

http://drupal.org/project/encrypt

is pretty awesome, but you have to write your own encryption loop as hooks.

d_l’s picture

I have an interest in submitting form data securely so I've looked again at the webform module (on drupal-7.0).

I started by creating a free test account at hushmail.com.

Then go to hushmail secure form.

Although I have not yet got round to trying this with webform is seems that the webform form code can be changed to include this code from hushmail ..

<form method="post" enctype="multipart/form-data"
action="https://forms.hush.com/timmy">

I'm not quite sure yet exactly where/how to edit webform to include the above but the function webform_client_form around line 1552 in webform.module seems a likely candidate.

If you view source the webform html code is typically ..

<div class="content clearfix">
<form class="webform-client-form" enctype="multipart/form-data" action="/drupal-7.0/?q=node/1" method="post" id="webform-client-form-1" accept-charset="UTF-8">

and I'm not sure if this just has to be modified as below to post webform data securely to hushmail server ..

<div class="content clearfix">
<form class="webform-client-form" enctype="multipart/form-data" action="https://forms.hush.com/timmy" method="post" id="webform-client-form-1" accept-charset="UTF-8">

Would this work?

WillHall’s picture

You can actually use the extended processing to do it.

http://ccideas.com/howto/cdfinance-net-a-reflection-on-drupal-and-salesf...

Your issue is that webform still submits to itself, which means your data will be in your database.

d_l’s picture

Can you expand on where to look for the "extended processing" in webform - drupal-7?

I've installed drupal-7 webform. I've looked under Advanced Settings but don't see where to introduce php.

I've read this old thread .. http://drupal.org/node/398118 . post #2

enter the following php code in "additional validation" under "webform advanced settings" fieldset

......

Another option I might try is to run secure xforms via drupal iframe on another (tomcat) server .. orbeon.com.
Actually I've had drupal-7.0 running on tomcat as a localhost experiment so xforms could be tightly integrated .. but that is another story.

WillHall’s picture

ah, forgot that he removed it.

Looks like you will have to use hook_form_alter in a custom module.

http://www.drupalcoder.com/blog/additional-processing-in-drupals-webform...

schlonkey’s picture

Thanks for the information. I will look into this right away. With this in mind, is there any way to make it so that the email gets sent via SSL?

no_idea_yet’s picture

With all due respect, given your self proclaimed level of knowledge as stated in your first post IMHO I'd be rethinking what you are intending to do.

Messing around with peoples credit card details is not a good idea when you don't have the knowledge to secure the site nor I suspect the server.

schlonkey’s picture

I thank you for your concerns however this is a request of the clientele. All risks have been advised to them and once that has been done it is their decision on how they would like to proceed. And if they choose to still proceed it is my job to now learn on their behalf.

So at this point i am asking people if they know or not if this is possible and if so how it can be done. This post isnt to be about my knowledge of Drupal or lack there of. It is intended to be to help provide guidance to those without the knowledge.

Thank you,
Shaun

WillHall’s picture

I wouldn't send any personal information in an email, there are just too many security risks that are beyond your control.

d_l’s picture

I suggested earlier in thread above that instead of using webform module you try embedding a hushmail secure form in an iframe. I use the iframe module to make it easier to embed.

schlonkey’s picture

Thank you d_l. I apologize as I mis-understood what you were meaning in the original post. I will investigate this further to see if this will work!

Thank you for your assistance. I will let you know.

WebmistressM’s picture

...simply because I have a client who insists on having one form of payment for his products be the "e-check". Simply put, right now the customer has to call our company and give out check information (ABA, Bank Name, Routing #, etc...) and then he enters it into a desktop program called Q-check.

Since there was no Q-check implementation and Ubercart's check method (in the Payment pack) does not cover this situation, a secure form would be the only way that I could think to get the info from the customer without them having to necessarily call us on the phone.