Bulleting Credit Card Numbers With Regular Expressions

Posted December 6, 2007 at 4:45 PM by Ben Nadel

Tags: ColdFusion

Yesterday, I was working on a little eCommerce site that output the credit card number as part of the user's invoice. Naturally, for security reasons, we are not outputting the entire credit card number in the invoice, but rather a number of bullets (asterisks) and then the last 5 digits. So, for example, the credit card number:

0123456789123456

... would be output as such in the invoice sent to the user:

***********23456

Normally, I would perform this operation with the use of ColdFusion's RepeatString() function married with a little Right() action:

<!---
    Set up the credit card number. This number might
    be 14 numbers, it might be 16 numbers, I don't
    actually know what the difference is among the
    different card types.
--->
<cfset strNumber = "0123456789123456" />

<!---
    Using traditional approach to block out credit card
    numbers using RepeatString() and Right().
--->
<cfset WriteOutput(
    RepeatString( "*", (Len( strNumber ) - 5) ) &
    Right( strNumber, 5 )
    ) />

This repeats the asterisk character N-5 times and then appends the last 5 digits of the number. This works, but it just always felt a bit ganky to me. I always felt like there should be a regular expression way to do this. Then, yesterday, out of nowhere, it dawned on me: the positive look-ahead.

In regular expressions, a positive look-ahead defines a pattern as matching if and only if the pattern is also followed by the given look-ahead pattern. The look-ahead pattern is, itself, not included in the matched text. Using this, we can replace every character that also has at least 5 characters ahead of it:

<!---
    Set up the credit card number. This number might
    be 14 numbers, it might be 16 numbers, I don't
    actually know what the difference is among the
    different card types.
--->
<cfset strNumber = "0123456789123456" />

<!---
    Use a single expression to block out credit card
    numbers using regular expressions. The look-ahead
    (?=.{5}) only matches a character that still has
    5 characters after it.
--->
<cfoutput>
    #REReplace(
        strNumber,
        ".(?=.{5})",
        "*",
        "all"
        )#
</cfoutput>

This outputs the bulleted credit card number properly.

As far as speed goes, I don't think it really matters on such a small task (and I don't have time to run tests); I find the regular expression to be a bit more elegant if, for no other reason, the number of digits to leave at the tail end is defined in only one place as opposed to two places in the old school method. Plus, the code just looks much simpler.
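As an added example (not code from the original post), the look-ahead can be made to count only digits, so separators stay in place, and to guard the short-input case where `.(?=.{5})` matches nothing and hands the number back unmasked. The function name `maskCardNumber`, its `visibleDigits` argument and the sample numbers are assumptions made for illustration.

```cfml
<cffunction name="maskCardNumber" returntype="string" output="false">
    <cfargument name="cardNumber" type="string" required="true" />
    <!--- Number of trailing digits to leave readable; defined in one place. --->
    <cfargument name="visibleDigits" type="numeric" required="false" default="5" />

    <!--- Count the digits only, ignoring dashes, spaces and other separators. --->
    <cfset var digitCount = Len( REReplace( arguments.cardNumber, "\D", "", "all" ) ) />

    <!---
        Edge case: when the input has no more digits than we intend
        to show, the look-ahead below never matches and the whole
        value would be echoed back. Mask every digit instead.
    --->
    <cfif digitCount LTE arguments.visibleDigits>
        <cfreturn REReplace( arguments.cardNumber, "\d", "*", "all" ) />
    </cfif>

    <!---
        Mask each digit that still has at least N digits after it.
        (\D*\d){N} counts digits only, so separators are skipped by
        the count and are left untouched in the output.
    --->
    <cfreturn REReplace(
        arguments.cardNumber,
        "\d(?=(\D*\d){#arguments.visibleDigits#})",
        "*",
        "all"
        ) />
</cffunction>

<!--- Constructed sample values, not real card numbers. --->
<cfoutput>
    <!--- Plain 16-digit number, default of 5 visible digits. --->
    #maskCardNumber( "0123456789123456" )#<br />
    <!--- Dashed number, 4 visible digits; the dashes are preserved. --->
    #maskCardNumber( "0123-4567-8912-3456", 4 )#<br />
    <!--- Shorter than the visible count: fully masked, not echoed. --->
    #maskCardNumber( "3456" )#<br />
</cfoutput>
```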



Reader Comments

Dec 6, 2007 at 6:01 PM // reply »
3 Comments

This is great. I added something just in case the number has dashes in the string:
<cfset strNumber = "0123-4567-8912-3456" />
<cfset strCC = REReplace(strNumber,"[0-9](?=.*.{4})", "*", "all")>
<cfoutput>
#strCC#
</cfoutput>

Now what I would like to do is, if the dashes are not in the string, add them, which I could do by counting characters, but I would like to figure out a way to add the dashes using regEx.


Dec 6, 2007 at 6:26 PM // reply »
10 Comments

Ben,
This is a pretty cool technique, but I still prefer your original code. Why? Because I feel that code ought to mirror the business logic that it's representing. While the regular expression is possibly faster and more elegant, it doesn't communicate the business logic as well as your first example. And, it's harder to understand for someone who doesn't understand RE that well (such as yours truly).

The only change I'd make is adding a static variable to store the number of digits to show. That way if you decide to change it to 4 later on, you don't need to change every line.


Dec 7, 2007 at 1:21 AM // reply »
4 Comments

Regex is great because it's so powerful and yet so succinct, and RepeatString is a cool function.

However, I'm not sure this problem requires even regex:

<cfset strNumber = "0123456789123456" />
<cfset strCC = "***********#Right(strNumber,5)#">

(Does it really matter if the asterisks match the exact number of credit card digits? No. =)

You could use regex if you needed to get rid of dashes:

<cfset strNumber = "0123-4567-8912-3456" />
<cfset strCC = "***********#Right(REReplace(strNumber,"\D","","all"),5)#">

But if you're getting the credit card number from the database, you probably would have already stripped the dashes before you stored it in the database.

Btw, you usually wouldn't save the full credit card number to the database anyway (do you want that liability?), only the last 4-5 digits (which makes the function moot =).

- If you did need to save the full credit card number to the database, you would encrypt it, so the function above would need a decrypt element to it, as well.

But like I say, you would rarely need to store the full CC number in the database, even if you're doing recurring billing, because Gateways often allow you to debit the credit card without the full credit card number if you've already given them the full number previously.


Dec 7, 2007 at 7:13 AM // reply »
11,238 Comments

@Toby,

I agree with you there. The REReplace() is not exactly "clear" code. I was happy because I always *thought* there was a regular expression way to do this, but could never figure it out. It was more a mental breakthrough than a better approach.

@Adam,

Good point on both whether or not the *'s need to line up with the number of digits AND with the fact that we should only be storing the last few numbers anyway. Most excellent feedback.


Nov 13, 2009 at 10:38 AM // reply »
1 Comments

Süper Güet!


Mar 3, 2011 at 7:58 AM // reply »
1 Comments

This is GREAT, information on credit cards is often ignored but it is extremely needed such as http://tips-money-managememt.blogspot.com/2011/01/credit-cards.html

