Secure shopping, but with a twist, help


speeddemon
03-21-2003, 08:16 PM
OK, I'm building a website for a person who wants to let his customers shop online (yes, there is an https site, so that is taken care of), but the twist is he doesn't want the customer to be charged when they order online like most systems do; he wants the credit card and the person's info to be emailed to him, so he can check to make sure he has it in stock. He is selling mostly old CDs, LPs and such, and doesn't have everything in stock all the time. Now with the https site, getting the information from the user is no problem, but sending it to his email is what I need help with. Can anyone point me in the direction of how to encrypt it securely on the server to send to his email?

And if anyone knows of a good place to learn about building a shopping cart system, that would be helpful too (I know Perl and C, and although learning another language wouldn't be too bad, I would like to avoid it).

chrism01
03-22-2003, 09:00 AM
If you're using https, why not just type the CC in, à la Amazon? Adding secure email just complicates the issue...

speeddemon
03-22-2003, 08:41 PM
Well, I've told him several other options, but he wants it to his email, so I've got to do it his way.

chrism01
03-23-2003, 07:27 AM
I'm not trying to force the issue here, but does he insist that

a) the customer HAS to email it
OR
b) he wants to RECEIVE it via email

The latter is doable, because the customer can type it in like on every other site out there, then you take the info and secure-email it to him.
To get the customer to secure-email it to you, he's going to need a secure email client, e.g. PGP-enabled, and know how to use it. Almost nobody will/does...(!)
E.g. I'm fairly paranoid re security, but I don't use encrypted email (I don't email that kind of data :) )
In fact all customers are going to need the same encryption client for you to be able to handle it.
Frankly, I think option b) is not possible unless you own the customer base, i.e. this is an internal system....
I'm happy to be corrected btw ;)

Let me know what happens....
:)

...
Actually, having read the original question again, it looks like option a) is what you wanted.. sorry. Anyway, look into gpg (the GNU version of PGP). As an example, page 6 of the GPG handbook gives this:
gpg --output doc.gpg --encrypt --recipient blake@cyb.org input_doc

You should be able to call this from Perl, no problem. Just need to create input_doc with the customer details including the CC number. Need to remove the unencrypted file ASAP for security. Best to keep one encrypted copy on the server in case the email fails/gets trashed?

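The flow chrism01 describes (customer types the card into the https form, the server encrypts it to the merchant's GnuPG key and mails it), written out as an added example. This is not code from the thread or from either poster; it streams the order into gpg over a pipe so no unencrypted file ever has to be created or removed, keeps the encrypted copy in a spool directory, and mails that same ciphertext. The merchant address, key fingerprint, spool path, sendmail path and the sample order (using the standard Visa test number) are all assumptions, not values from the thread; the merchant's public key is assumed to be already imported into the web server user's keyring.

```perl
#!/usr/bin/perl
# Added example, not code from this thread: the "option b" flow.  The
# customer types the card into the https form as usual; this CGI-side code
# encrypts the order to the merchant's GnuPG public key over a pipe (the
# plaintext is never written to disk), keeps the encrypted copy in a spool
# directory, and mails that same ciphertext with sendmail.
#
# Assumed, not from the thread: the merchant's public key is already imported
# into the web server user's keyring (fingerprint below), the spool directory
# exists with mode 0700 owned by the CGI user, and sendmail lives at the path
# below.  The card number is the usual Visa test number, not a real card.
use strict;
use warnings;
use File::Temp qw(tempfile);

my $merchant_email = 'orders@example.com';                         # assumed
my $merchant_key   = '0123456789ABCDEF0123456789ABCDEF01234567';    # assumed fingerprint
my $spool_dir      = '/var/spool/orders';                          # assumed
my $sendmail       = '/usr/sbin/sendmail';                         # assumed

umask 077;    # anything we create is readable by the CGI user only

# Render the order as one text record, one field per line.  Card data only
# ever exists in this process's memory and in the pipe to gpg.
sub order_text {
    my (%o) = @_;
    my $text = '';
    for my $field (qw(name address items card_number expiry)) {
        my $v = defined $o{$field} ? $o{$field} : '';
        $v =~ s/[\r\n]+/ /g;    # a field may not span lines
        $text .= "$field: $v\n";
    }
    return $text;
}

# Encrypt $plaintext to the merchant's key.  Plaintext goes in over stdin (not
# argv, which is visible in ps); the ASCII-armoured ciphertext goes straight
# to a 0600 file in the spool.  Returns the path of that encrypted copy.
sub gpg_encrypt_to_file {
    my ($plaintext) = @_;
    my ($tmp_fh, $out_path) = tempfile('order-XXXXXXXX', DIR => $spool_dir, SUFFIX => '.asc');
    close $tmp_fh;    # gpg --yes --output overwrites it
    open(my $gpg, '|-', 'gpg', '--batch', '--yes', '--quiet',
         '--trust-model', 'always',    # we imported this key ourselves
         '--armor', '--encrypt',
         '--recipient', $merchant_key,
         '--output', $out_path)
        or die "cannot run gpg: $!";
    print {$gpg} $plaintext;
    close($gpg) or die "gpg failed (exit " . ($? >> 8) . "), order not sent";
    return $out_path;
}

# Mail the armoured ciphertext.  Armour is 7-bit ASCII, so it survives any
# mail path; -oi keeps a lone "." line from ending the message early, and -t
# makes sendmail take the recipient from the To: header we print.
sub mail_ciphertext {
    my ($path) = @_;
    open(my $in, '<', $path) or die "cannot read $path: $!";
    my $cipher = do { local $/; <$in> };
    close $in;

    open(my $mail, '|-', $sendmail, '-oi', '-t') or die "cannot run sendmail: $!";
    print {$mail} "To: $merchant_email\n",
                  "Subject: New order (encrypted)\n",
                  "Content-Type: text/plain; charset=us-ascii\n\n",
                  $cipher;
    close($mail) or die "sendmail failed (exit " . ($? >> 8) . ")";
}

# Constructed sample order, standing in for the form fields (with CGI.pm these
# would come from param('name'), param('card_number'), and so on).
my %order = (
    name        => 'A. Customer',
    address     => '1 Example Street',
    items       => 'LP: Example Band - Example Album',
    card_number => '4111111111111111',    # Visa test number
    expiry      => '12/29',
);

my $copy = gpg_encrypt_to_file(order_text(%order));
mail_ciphertext($copy);
print "Encrypted order kept at $copy and mailed to $merchant_email\n";
```

Two things worth checking when wiring this behind the form: the form must submit by POST, since a GET would leave the card number in the web server's access log, and the To: header is fixed in the script rather than taken from user input, so nobody can inject extra recipients through sendmail -t. The merchant reads an order with `gpg --decrypt order-XXXXXXXX.asc` using his private key, which never needs to be on the web server.
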
speeddemon
03-23-2003, 02:34 PM
No, option b is what he wants. He really doesn't care how it gets to him, he just wants it in the email. I figured that since he paid for a secure site, I could just have the forms set up so the customer types it in like on every other website, and then use a CGI on the website to mail it to him. I've almost got it figured out; right now I'm playing with a Perl script that uses RSA, I just don't know quite enough Perl to do what I want, so I have to read up a little.

One other problem though: for some reason I can't get Perl scripts on the server to write to a file (I would be done if I could). They can read fine, but if I try to write I just get a server error. I think I'm going to have to call the hosting company about that one though.

Still taking any suggestions though.

chrism01
03-24-2003, 07:45 AM
OK, in that case my last suggestion re gpg will work. As you say, if you can't write files, it's probably a permissions thing and you'll need to check with the hosting company.
Let us know how it goes; it may come in useful for us sometime. I can see other people wanting that functionality.

speeddemon
03-24-2003, 09:42 AM
Well, the hosting company he's using sucks. Apparently they don't have dc installed either, because the code that works on my computer simply does nothing on the server. If someone else wants to try it, go ahead. It should work on a system that's set up right.

I know that it's possible to call Perl from C, but when you do that, is it compiled statically into the program, or would I still need Perl and everything else installed on the computer? And if everything is compiled in statically, how do I do it?


#!/usr/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
# rsa: the well-known three-line RSA in Perl.  -s fills $k and $n from -k=..
# -n=.. (hex exponent and modulus), -0777 slurps all of stdin into $_, and the
# -i suffix smuggles the rest of the dc modexp macro in via $^I.  dc computes
# M^K mod N on the whole input as one number: the input must be numerically
# smaller than n and there is no padding.  Needs dc (GNU bc) in the PATH.
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)

#######################

#!/usr/bin/perl
use strict;
use warnings;

my $recip = 'whoever@domain.com';
# Public key is (k, n): exponent and modulus, both hex, given to the rsa
# script above.  The plaintext is piped on stdin so it never appears in argv.
my $cipher = `echo Text to be encrypted | ./rsa -k=3a62a64b -n=40463113`;
# rsa emits raw bytes; hex-encode them so the mail body stays 7-bit clean.
$cipher = unpack('H*', $cipher) . "\n";

# -t takes the recipient from the To: header, -oi keeps a lone "." line from
# ending the message early.
open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '-t')
    or die "cannot run sendmail: $!";
print {$mail} "To: $recip\n";
print {$mail} "Subject: Whatever\n\n";
print {$mail} $cipher;
close($mail) or die "sendmail failed: exit " . ($? >> 8);

chrism01
03-24-2003, 02:14 PM
I'll bite, what's 'dc' when it's at home? ;)
Are you saying they (the hosting company) don't have Perl available? That would be fairly unusual.... or is it just not in your $PATH?

gcon
03-24-2003, 03:01 PM
Here is what I would do:

When a customer places an order, send him an email saying something like:

"You have received an order for part number XX-XXXX-XXX ...yada yada yada... Billing information is due at https://www.youronlinestore.com/admin_portal.php"

(notice I preferred using PHP :D )

Then he clicks on the link, logs into a secure portal, and has a list of his orders. Then put a button next to each order called "Bill this Order" or something, so he just has to click and it bills the CC. This way, he receives an email of all of the pieces in the order, so he can check his shelves right away to make sure he has the items in stock. Then he just logs into the portal, and with one click bills the customer.

That solution is simple, and secure.

P.S. I know you think you have to do it his way, because the customer is always right. But that rule doesn't always work with web development, because the customer often does not understand the possibilities/limitations of the technology.

speeddemon
03-24-2003, 06:19 PM
Well, I gave up on Perl for now and am just using C to do it all. It took me a while to get it all to work, but it's coming together now. I just ended up having to implement the algorithm on my own instead of trying to use existing libraries or programs.