Web Hosting Talk







View Full Version : Client Side Credit Card Validation


saghir69
11-24-2008, 03:13 PM
Client Side Credit Card Validation

I am just writing form validation code for a credit card processing form. The form will be submitted to PayPal and obviously the numbers will be checked by PayPal and rejected if incorrect details are sent.
However I have come across client side CC number validation scripts.
Do you lot use this validation? Is there a negative side to using such validation?
Does anyone have a script for this they can recommend?
This is the one I am currently thinking of using.
PHP Code:



function Mod10(ccNumb) {  // v2.0
  var valid = "0123456789";  // Valid digits in a credit card number
  var sCCN = ccNumb.toString();  // string of ccNumb
  sCCN = sCCN.replace(/^\s+|\s+$/g, '');  // strip leading and trailing spaces
  var len = sCCN.length;  // The length of the submitted cc number, after stripping
  var iCCN = parseInt(sCCN, 10);  // integer of ccNumb (exact only below 2^53)
  var iTotal = 0;  // integer total set at zero
  var bNum = true;  // by default assume it is a number
  var bResult = false;  // by default assume it is NOT a valid cc
  var temp;  // temp variable for parsing string
  var calc;  // used for calculation of each digit

  // Determine if the ccNumb is in fact all numbers
  for (var j = 0; j < len; j++) {
    temp = "" + sCCN.substring(j, j + 1);
    if (valid.indexOf(temp) == -1) { bNum = false; }
  }
  // if it is NOT a number, you can either alert to the fact, or just pass a failure
  if (!bNum) {
    /*alert("Not a Number");*/ bResult = false;
  }
  // Determine if it is the proper length
  if ((len == 0) || !bNum) {  // blank field or non-digit input: fail
    bResult = false;
  } else {  // ccNumb is a number and the proper length - let's see if it is a valid card number
    if (len >= 15) {  // 15 or 16 for Amex or V/MC
      for (var i = len; i > 0; i--) {  // LOOP through the digits of the card
        calc = iCCN % 10;  // right most digit
        iTotal += calc;  // running total of the card number as we loop - Do Nothing to first digit
        i--;  // decrement the count - move to the next digit in the card
        iCCN = Math.floor(iCCN / 10);  // drops right most digit from ccNumb (floor keeps it an integer)
        calc = iCCN % 10;  // NEXT right most digit
        calc = calc * 2;  // multiply the digit by two
        // Instead of some screwy method of converting 16 to a string and then parsing 1 and 6 and then adding them to make 7,
        // I use a simple switch statement to change the value of calc to 7 if 16 is the multiple.
        switch (calc) {
          case 10: calc = 1; break;  // 5*2=10
          case 12: calc = 3; break;  // 6*2=12
          case 14: calc = 5; break;  // 7*2=14
          case 16: calc = 7; break;  // 8*2=16
          case 18: calc = 9; break;  // 9*2=18
          default: break;  // 4*2= 8 and lower products stay as they are
        }
        iCCN = Math.floor(iCCN / 10);  // drops right most digit from ccNumb
        iTotal += calc;  // running total of the card number as we loop
      }  // END OF LOOP
      if ((iTotal % 10) == 0) {  // check to see if the sum Mod 10 is zero
        bResult = true;  // This IS (or could be) a valid credit card number.
      } else {
        bResult = false;  // This could NOT be a valid credit card number
      }
    }
  }
  // change alert to on-page display or other indication as needed.
  if (bResult) {
    alert("This IS a valid Credit Card Number!");
  }
  if (!bResult) {
    alert("This is NOT a valid Credit Card Number!");
    document.forms[0].cc_field.focus();
  }
  return bResult;  // Return the results
}

zendzipr
11-24-2008, 03:24 PM
I personally do as little client side validation as possible. You have no control over the client side, and have no idea if the script is running or running correctly. Since you mentioned PayPal is managing payment, probably better to just leave credit card validation to them.





__________________
PCI, HIPAA, Managed Hosting Specialists. ZZ Servers
Affordable PCI compliant hosting solutions.

Mike - Limestone
11-24-2008, 06:23 PM
I agree with zendzipr. You could consider doing a server-side check (PHP or Perl?) prior to passing on the data, but I would avoid a client-side validation. With client-side checks, too many things can go wrong, and it is typically not worth the risk of the order process not working for some users due to browser variation.
-mike





__________________
Limestone Networks - Dedicated Server Hosting
Premium Network - 24/7/365 Support - Dual Intel Xeon Servers Now Available
Dallas Datacenter - Fully Routed Backend Network
http://www.limestonenetworks.com 1-877-586-0555

saghir69
11-24-2008, 08:18 PM
Ok I understand that and probably will use PHP.
But how about Credit Card number validation using the above or similar script. The script is meant to check if the card number entered could possibly be a valid number.
Obviously it doesn't check if a card number is an actually issued valid card, but it checks if the format is valid.

Mike - Limestone
11-25-2008, 05:20 PM
I think the other poster argued that the check (whether client or server side) may not even be necessary if you're sending the client to PayPal to pay, as PayPal can do the validation.
Are you not directly sending the client to some resource off of paypal.com? Is your server transmitting the client billing info, receiving the PayPal response, and going from there...?
-mike






saghir69
11-25-2008, 06:09 PM
Quote:



Originally Posted by Mike - Limestone


I think the other poster argued that the check (whether client or server side) may not even be necessary if you're sending the client to PayPal to pay, as PayPal can do the validation.
Are you not directly sending the client to some resource off of paypal.com? Is your server transmitting the client billing info, receiving the PayPal response, and going from there...?
-mike


I am using PayPal Pro and I will be sending payment details to PayPal and get a response from them.
I am just thinking if it would be better to do some sort of a check on the card numbers before I submit them for payment processing.

Corey Bryant
11-26-2008, 03:20 PM
The good side about checking the number before submitting it to an electronic payment would be the savings of the transaction fee.
As long as you are using PHP, I don't see a reason why it might fail on the client's side (I have seen some carts using JavaScript to check against the Luhn's method). Any step that you can do before submitting it to the gateway would be good - it might help protect you from some users that are testing credit card numbers.





__________________
Corey
Microsoft Expression Web Blog
My Merchant Account Blog
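
The pre-submission check discussed in this thread, written so the same function can run server-side under Node.js as well as in the browser. This is an added example, not code from any poster: the function names and the 12 to 19 digit length bounds are assumptions, and it works on the digit string so that numbers longer than 16 digits are not rounded the way a parseInt-based version would round them.

```javascript
// Added example (not from the thread). Sample numbers used with it are
// test/constructed values that pass the checksum, not issued cards.

// Accept the separators people type (spaces, dashes); reject anything else.
// The 12-19 digit bounds are an assumption for this example.
function normalizePan(input) {
  const s = String(input).trim().replace(/[ -]/g, '');
  return /^\d{12,19}$/.test(s) ? s : null;
}

// Luhn (mod 10): walk the digit string right to left and double every
// second digit. Working on characters avoids Number precision limits.
function luhnValid(digits) {
  let total = 0;
  let alt = false; // true for every second digit from the right
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) {
      d *= 2;
      if (d > 9) d -= 9; // same as adding the two digits of the product
    }
    total += d;
    alt = !alt;
  }
  return total % 10 === 0;
}

// Returns a reason code so the form handler can tell a typing error
// ('format') from a failed checksum and count repeated failures.
function checkCardNumber(input) {
  const pan = normalizePan(input);
  if (pan === null) return { ok: false, reason: 'format' };
  if (!luhnValid(pan)) return { ok: false, reason: 'checksum' };
  return { ok: true, reason: null };
}
```

A pass only means the number is well-formed; the gateway response is still what decides whether the payment is accepted.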

dreamcodedesign
12-02-2008, 08:50 PM
I'm sure PayPal does the same validation even though it is done via API. I would say, just leave the validation to PayPal.
All the best,





__________________
Axigy - Shared Linux Web Hosting Solutions - http://www.axigy.com
180 Servers - Self-Managed Dedicated, Done Right! - http://www.180servers.com