Prevent Credit Card Number Submissions [#2486411]

I had been hunting for a way to prevent users from entering credit card numbers in submissions, but couldn't find anything robust.

I wrote a custom validation using this great module (and included clientside validation support) that removes all non-numbers, and then Luhn checks every 15 and 16 digit sequence in a number, textfield, or textarea component and rejects any component containing a sequence that passes.

My code is here: https://www.drupal.org/sandbox/jannis/2486167

Comment	File	Size	Author
#18	prevent_credit_card-2486411-18.patch	8.13 KB	karolinam
#18	7.x-1.x: PHP 7.3 & MySQL 5.7, D7.69 3 pass PHP 5.6 & MySQL 5.5, D7.69 3 pass PHP 7.2 & MySQL 5.5, D7.69 3 pass PHP 7.3 & PostgreSQL 9.5, D7.69 3 pass PHP 7.4 & MySQL 5.5, D7 3 pass PHP 8.2 & MySQL 8, D7 3 pass
#17	prevent_credit_card-2486411-17.patch	7.28 KB	mvc
#17	7.x-1.x: PHP 7.2 & MySQL 5.5, D7.67 3 pass
#15	prevent_credit_card-2486411-15.patch	5.96 KB	dhruveshdtripathi
#15	7.x-1.x: PHP 5.3 & MySQL 5.5, D7 2 pass PHP 7 & MySQL 5.5, D7 2 pass
#13	prevent_credit_card-2486411-13.patch	12.34 KB	dhruveshdtripathi
#13	7.x-1.x: PHP 5.3 & MySQL 5.5, D7 Patch Failed to Apply
#11	prevent_credit_card-2486411-11.patch.patch	12.34 KB	dhruveshdtripathi
#11	7.x-1.x: PHP 5.3 & MySQL 5.5, D7 Patch Failed to Apply
#6	webform_validation-no_ccs-2486411-6.patch	16.86 KB	jannis
#6	7.x-1.x: PHP 5.3 & MySQL 5.5, D7 2 pass
#5	webform_validation-no_ccs-2486411-4.patch	0 bytes	jannis
#5	7.x-1.x: PHP 5.3 & MySQL 5.5, D7 Patch Failed to Apply
#4	webform_entity-search_api_support-2650410-2.patch	8.49 KB	jannis
#4	7.x-1.x: PHP 5.3 & MySQL 5.5, D7 Patch Failed to Apply

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

Liam Morland

English

Ontario, CA 🇨🇦

CreditAttribution: Liam Morland at University of Waterloo commented 13 January 2016 at 17:53

Thanks. Can you write this as a patch to webform_validation?

Comment #2

jannis CreditAttribution: jannis commented 14 January 2016 at 18:17

I've done a lot of work on the 'no_ccs' module, and one important feature is that is uses clientside validation to do a javascript check which completely prevents transmission of potential credit card numbers.

Knowing that my module is best used with clientside validation and requires js, should I just add a patch that includes the entire module and js as a sub-module? Or would you want just the standard server-side validation code ?

Comment #3

Liam Morland

English

Ontario, CA 🇨🇦

CreditAttribution: Liam Morland at University of Waterloo commented 14 January 2016 at 20:17

This is perhaps a less-common use case, so perhaps it is best for it to be a sub-module.

Comment #4

jannis CreditAttribution: jannis commented 15 January 2016 at 00:27

File	Size
webform_entity-search_api_support-2650410-2.patch	8.49 KB
7.x-1.x: PHP 5.3 & MySQL 5.5, D7 Patch Failed to Apply

Comment #5

jannis CreditAttribution: jannis commented 15 January 2016 at 00:29

File	Size
webform_validation-no_ccs-2486411-4.patch	0 bytes
7.x-1.x: PHP 5.3 & MySQL 5.5, D7 Patch Failed to Apply

Wrong patch there here's the right one

Comment #6

jannis CreditAttribution: jannis commented 15 January 2016 at 00:31

File	Size
webform_validation-no_ccs-2486411-6.patch	16.86 KB
7.x-1.x: PHP 5.3 & MySQL 5.5, D7 2 pass

Having all kinds of trouble getting the patch to upload. Here it is one more time.

Comment #7

Liam Morland

English

Ontario, CA 🇨🇦

CreditAttribution: Liam Morland at University of Waterloo commented 10 August 2017 at 15:08

Status:

Active

» Needs review

Comment #8

10 August 2017 at 15:10

The last submitted patch, 4: webform_entity-search_api_support-2650410-2.patch, failed testing. View results

Comment #9

10 August 2017 at 15:10

The last submitted patch, 5: webform_validation-no_ccs-2486411-4.patch, failed testing. View results

Comment #10

Liam Morland

English

Ontario, CA 🇨🇦

CreditAttribution: Liam Morland at University of Waterloo commented 10 August 2017 at 17:29

Status:

Needs review

» Needs work

The patch contains a patch file.

Comment #11

dhruveshdtripathi CreditAttribution: dhruveshdtripathi at DevsAdda commented 11 August 2017 at 06:17

Status:

Needs work

» Needs review

File	Size
prevent_credit_card-2486411-11.patch.patch	12.34 KB
7.x-1.x: PHP 5.3 & MySQL 5.5, D7 Patch Failed to Apply

Comment #12

11 August 2017 at 13:01

Status:

Needs review

» Needs work

The last submitted patch, 11: prevent_credit_card-2486411-11.patch.patch, failed testing. View results

Comment #13

dhruveshdtripathi CreditAttribution: dhruveshdtripathi at DevsAdda commented 11 August 2017 at 13:50

Status:

Needs work

» Needs review

File	Size
prevent_credit_card-2486411-13.patch	12.34 KB
7.x-1.x: PHP 5.3 & MySQL 5.5, D7 Patch Failed to Apply

Comment #14

11 August 2017 at 13:51

Status:

Needs review

» Needs work

The last submitted patch, 13: prevent_credit_card-2486411-13.patch, failed testing. View results

Comment #15

dhruveshdtripathi CreditAttribution: dhruveshdtripathi at DevsAdda commented 11 August 2017 at 14:01

Status:

Needs work

» Needs review

File	Size
prevent_credit_card-2486411-15.patch	5.96 KB
7.x-1.x: PHP 5.3 & MySQL 5.5, D7 2 pass PHP 7 & MySQL 5.5, D7 2 pass

Comment #16

Liam Morland

English

Ontario, CA 🇨🇦

CreditAttribution: Liam Morland at University of Waterloo commented 26 September 2019 at 21:18

Status:

Needs review

» Needs work

Thanks. Please run a coding standards check on your patch. Every file should end in a newline. There should not be more than two newlines in a row. Please provide full doxygen comments for each function. Please indent with two spaces. Please ensure every function name starts with _?webform_validation_.

Comment #17

mvc

they

English

Montréal, CA

CreditAttribution: mvc at McGill University commented 11 October 2019 at 19:39

File	Size
prevent_credit_card-2486411-17.patch	7.28 KB
7.x-1.x: PHP 7.2 & MySQL 5.5, D7.67 3 pass

I believe the regex in the previous patch will strip non-numeric characters before testing, meaning that the string "my favourite numbers are 41111111 and 11111111" will be flagged as a false positive. This also assumes all credit cards are either 15 or 16 digits, which is usually but not always the case in the US and is not true globally. I also swapped out the Luhn algorithm check with one from Symfony (the license permits this with attribution).

I've rewritten the PHP test but we don't use clientside validation with JS here so I am leaving that as an exercise for someone else.

@Liam Morland: I installed phpcs just to check this patch before submitting it, as per your request :)

Comment #18

karolinam CreditAttribution: karolinam at McGill University commented 13 January 2020 at 16:54

File	Size
prevent_credit_card-2486411-18.patch	8.13 KB
7.x-1.x: PHP 7.3 & MySQL 5.7, D7.69 3 pass PHP 5.6 & MySQL 5.5, D7.69 3 pass PHP 7.2 & MySQL 5.5, D7.69 3 pass PHP 7.3 & PostgreSQL 9.5, D7.69 3 pass PHP 7.4 & MySQL 5.5, D7 3 pass PHP 8.2 & MySQL 8, D7 3 pass

I made a few changes to patch from comment #17 (prevent_credit_card-2486411-17.patch), more precisely to _webform_validation_no_ccs_check_for_valid_luhn() function:

- added word boundaries in regex and min and max optional parameters to be able to check for numbers of specific length (e.g. check for credit card number with only 15-16 digits )
- return detected number for better reporting (e.g. highlight the number in block of text)