Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.
I am the chief technical officer at InVision App, Inc - a prototyping and collaboration platform for designers, built by designers. I also rock out in JavaScript and ColdFusion 24x7.
Meanwhile on Twitter
Loading latest tweet...
Ben Nadel at RIA Unleashed (Nov. 2010) with:

Bulleting Credit Card Numbers With Regular Expressions

Posted by Ben Nadel
Tags: ColdFusion

Yesterday, I was working on a little eCommerce site that output the credit card number as part of the user's invoice. Naturally, for security reasons, we are not outputting the entire credit card number in the invoice, but rather a number of bullets (asterisk) and then the last 5 digits. So, for example, the credit card number:

0123456789123456

... would be output as such in the invoice sent to the user:

***********23456

Normally, I would perform this operation with the use of ColdFusion's RepeatString() function married with a little Right() action:

  • <!---
  • Set up the credit card number. This number might
  • be 14 numbers, it might be 16 numbers, I don't know
  • actually know what the difference is among the
  • different card types.
  • --->
  • <cfset strNumber = "0123456789123456" />
  •  
  • <!---
  • Using traditional approach to block out credit card
  • numbers using RepeatString and Right().
  • --->
  • <cfset WriteOutput(
  • RepeatString( "*", (Len( strNumber ) - 5) ) &
  • Right( strNumber, 5 )
  • ) />

This repeats the asterisk character N-5 times and then appends the last 5 digits of the number. This works, but it just always felt a bit ganky to me. I always felt like there should be a regular expression way to do this. Then, yesterday, out of nowhere, it dawned on me: the positive look-ahead.

In regular expressions, a positive look-ahead defines a pattern as matching if and only if the pattern is also followed by the given look-ahead pattern. The look-ahead pattern is, itself, not captured in the matched pattern. Using this, we can replace every character that also has 5 characters ahead of it:

  • <!---
  • Set up the credit card number. This number might
  • be 14 numbers, it might be 16 numbers, I don't know
  • actually know what the difference is among the
  • different card types.
  • --->
  • <cfset strNumber = "0123456789123456" />
  •  
  • <!---
  • Use a single expression to block out credit card
  • numbers us regular expressions.
  • --->
  • #REReplace(
  • strNumber,
  • ".(?=.{5})",
  • "*",
  • "all"
  • )#

This outputs the bulleted credit card number properly.

As far as speed goes, I don't think it really matters on such a small task (and I don't have time to run tests); I find the regular expression to be a bit more elegant if for no other reason, the number of digits to leave at the tail end is defined in only one place as opposed to two places in the old school method. Plus, the code just looks much more simple.



Reader Comments

This is great, I added something to just in case the number has the dashes are in the string
<cfset strNumber = "0123-4567-8912-3456" />
<cfset strCC = REReplace(strNumber,"[0-9](?=.*.{4})", "*", "all")>
<cfoutput>
#strCC#
</cfoutput>

Now what I would like to do is if the dashes are not in the string add them which I could do by counting characters but I would like to figure out a way to add the dashes using regEx.

Reply to this Comment

Ben,
This is a pretty cool technique, but I still prefer your original code. Why? Because I feel that code ought to mirror the business logic that it's representing. While the regular expression is possibly faster and more elegant, it doesn't communicate the business logic as well as your first example. And, it's harder to understand for someone who doesn't understand RE that well (such as yours truly).

The only change I'd make is adding a static variable to store the number of digits to show. That way if you decide to change it to 4 later on, you don't need to change every line.

Reply to this Comment

Regex is great because it's so powerful and yet so succinct, and RepeatString is a cool function.

However, I'm not sure this problem requires even regex:

<cfset strNumber = "0123456789123456" />
<cfset strCC = "***********#Right(strNumber,5)#">

(Does it really matter if the asterisks match the exact number of credit card digits? No. =)

You could use regex if you needed to get rid of dashes..

<cfset strNumber = "0123-4567-8912-3456" />
<cfset strCC = "***********#Right(REReplace(strNumber,"\D","","all"),5)#">

But if you're getting the credit card number from the database, you probably would have already stripped the dashes before you stored it in the database.

Btw, you usually wouldn't save the full credit card number to the database anyway (do you want that liability?), only the last 4-5 digits (which makes the function moot =).

- If you did need to save the full credit card number to the database, you would encrypt it, so the function above would need a decrypt element to it, as well.

But like I say, you would rarely need to store the full CC number in the database, even if you're doing recurring billing, because Gateways often allow you to debit the credit card without the full credit card number if you've already given them the full number previously.

Reply to this Comment

@Toby,

I agree with you there. The REReplace() is not exactly "clear" code. I was happy because I always *thought* there was a regular expression way to do this, but could never figure it out. It was more a mental breakthrough than a better approach.

@Adam,

Good point on both whether or not the *'s need to line up with the number of digits AND with the fact that we should only be storing the last few numbers anyway. Most excellent feedback.

Reply to this Comment

Post A Comment

?
You — Get Out Of My Dreams, Get Into My Comments
Live in the Now
Oops!
Comment Etiquette: Please do not post spam. Please keep the comments on-topic. Please do not post unrelated questions or large chunks of code. And, above all, please be nice to each other - we're trying to have a good conversation here.