At my current job I was recently assigned the task of creating a shopping cart and auction system to sell furniture and antiques online. After getting most of the legwork done, it was decided that customers would have to pay by credit card online. This brings up a load of questions and requirements, of course, such as SSL certificates, real-time processing vs. simple verification, which cards we want to accept from customers, etc. After a meeting or two it was decided that customers would enter a credit card number that would be verified with our online shopping cart, but they would be charged locally at a terminal when the item was actually shipped. After all, it’s illegal to charge a credit card for something that has not been shipped. I recommend checking out the laws in your state before jumping headfirst into e-commerce.
I began the endless search on the net for a simple credit card verification class written in PHP and found several that were very helpful and descriptive, but they generally required lots of modification. Generally, a quick Google search turns up exactly what I want, but lo and behold, there was no such script. I used what I could find on the net and combined them into my own little script.
A little disclaimer: This is not the actual script we ended up using, but it gives you a good head start on being able to verify credit card numbers through an online form. I HIGHLY RECOMMEND using test numbers and not real numbers when testing your scripts out. DO NOT USE THIS SCRIPT unless you are behind an SSL encrypted https connection, or unless you know what you are doing. That being said…….
There are two files needed to make this work. They are linked so you can copy/paste the source:
class.creditcard.phps
creditcard.phps
The first file, class.creditcard.phps, is the script that needs to be included in your actual verification form script, creditcard.phps. Creditcard.phps is the file that allows for user input (the input is verified by JavaScript).
How this script works
To summarize, the Luhn Algorithm reverses the credit card number and does some tricky math on the digits; for a good number the result ends up with no remainder. If there is no remainder on the “tricky math” that the algorithm checks, then the card is verified and split into two parts via the SafeNumber custom function from class.creditcard.phps and the nifty PHP substr function. If there is an error on input (depending on what you put in), the JavaScript will send an alert, or, if a bad number is entered, the PHP script echoes out the corresponding error message. If the card is correct, two things happen to the actual card number:
First Part
The first four numbers are displayed on the results page and are stored in the $firstFour variable.
Second Part
The last twelve numbers (or 11, depending on the type of card) are stored in the $lastTwelve variable as documented in the code.
I did not include code for putting the numbers in a database (as this is VERY INSECURE), and I did not put in code for emailing the $lastTwelve credit card numbers to a secure email.
Why the hell not?
…because someone would use it, somehow manage to get credit card numbers stolen…and somehow it would be traced back to little old me.
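The check and the split described above, as an added example that is not the code from class.creditcard.phps: the function names are hypothetical, the 13 to 19 digit length range is an assumption of this example, and it needs PHP 7.1 or later.

```php
<?php
// Added example; function names are hypothetical. Requires PHP 7.1+.

// Strip the spaces and dashes people type; return null for anything else.
function normalize_card_number(string $input): ?string
{
    $digits = str_replace([' ', '-'], '', trim($input));
    // 13 to 19 digits is this example's assumption about plausible lengths.
    return preg_match('/^[0-9]{13,19}$/', $digits) ? $digits : null;
}

// Luhn (mod 10): walk right to left, doubling every second digit.
function luhn_is_valid(string $digits): bool
{
    $sum = 0;
    $double = false; // the rightmost digit (the check digit) is not doubled
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9; // same as adding the two digits of the product
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Split as the post describes: first four digits, then the remainder
// (12 digits for a 16-digit card, 11 for a 15-digit one).
function split_card_number(string $digits): array
{
    return ['firstFour' => substr($digits, 0, 4), 'rest' => substr($digits, 4)];
}

// Constructed inputs: the post's Visa test number, a one-digit typo, junk.
foreach (['4111 1111 1111 1111', '4111 1111 1111 1112', '4111-abcd'] as $input) {
    $digits = normalize_card_number($input);
    if ($digits === null) {
        echo "rejected: not a plausible card number\n";
    } elseif (!luhn_is_valid($digits)) {
        echo "rejected: failed Luhn check\n";
    } else {
        $parts = split_card_number($digits);
        // Display only the first four digits; never echo or log the rest.
        echo "accepted: {$parts['firstFour']} plus ", strlen($parts['rest']), " digits\n";
    }
}
```

A pass here only means the digits are internally consistent; it says nothing about whether the card exists or can be charged.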
In order to get this script working properly, you have to save both files as regular .php files first, and then upload them to your server, which must have a working version of PHP on it. I leave the choice of database up to you. Be sure to upload both of these files to the same directory or else they will not work. If you want to change the directory structure and put the class file in a nice little includes directory, be sure to change this line:
include("class.creditcard.php"); //include the validation script
You will get an ugly file inclusion error followed by undefined function errors if this path is not correct. After you get both files uploaded, call up your creditcard.php page and enter a test number (a test number for Visa is 4111 1111 1111 1111), then watch the magic happen.
Things to keep in mind about this script
- This script DOES NOT charge cards, it just verifies them.
- I have tested this script on a Linux RedHat server with PHP 4.1 and it appears to be working fine, but may work differently depending on your php.ini as well as your server configuration.
- This script should be run only on an encrypted part of your server with an SSL certificate installed.
- This script does not do anything with the numbers, this is something you need to add to it. The documentation in the code tells you where this is needed.
- Feel free to post in the comments if you have any trouble and I’ll do my best to answer any questions that come up.
Additional Links:
- An in-depth tutorial describing how the mod10 algorithm works and how to implement it into your PHP Script
- PHP Class I started with (requires sign up for download)
- Wikipedia.org Luhn Algorithm Entry
- John Gardner’s class that I also used



2 Comments
I have a question. If you have an unvalidated credit card by accident, and you validate it with a true ID, how long will it take to validate? And what kind of red tape and strings are affected? Please reply. Thank You.
Hard to say, I’m not exactly sure what a true ID is and would recommend not only validating just the number, but also validating the CVV code and address if you can.