PHP and SSL

Zeceer
Forum Contributor
Posts: 136
Joined: Fri Aug 02, 2002 5:10 am
Location: Norway

PHP and SSL

Post by Zeceer »

Hi,

In a webshop I've made I'm using SSL to complete the form handling. The thing I'm wondering about is whether this method is actually using the SSL. This is how it is today.

Form (action is https://the handle file.php, then the user is sent over on the SSL) --> The handle file.php (at the end of the handle file there is a header sending the user back to normal HTTP and out of the SSL).

The handle file's mission is to send the form as an e-mail. So I'm wondering if this method is good enough? When the users are sent back to HTTP in the handle file, this security warning pops up saying that you are being sent to an unsecured site. I still don't have a valid certificate, so is this why? I also get a certificate warning when redirected to the SSL, but I know this is because of not having a valid certificate.

Certificate is in process by the way :-). If only Verisign would pull their finger out :D
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

As long as the form that includes the cc-number entry is posted to an https:// location, that part of it is secure. Usually some people will feel better about it if the form page itself is served in SSL mode as well. I always recommend forcing such pages to be in SSL mode, by checking the protocol before outputting the form, something like:

if ($_SERVER['SERVER_PORT'] != 443) { // force the page onto SSL before outputting the form
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); exit; }

The warning when leaving SSL mode is common, especially if you post to a script that then redirects with headers to a non-SSL connection; I wouldn't recommend that. There is really no point leaving SSL mode at all if the cert is enabled for the whole site; usually when people have checked out they won't browse around much on the site anyway.

Sending the CC info by e-mail can only be done securely by using non-symmetric encryption, such as you can with GPG, PGP and OpenSSL (S/MIME). The same pretty much goes for storage on the server/database: unless you have dedicated servers with a hardened setup and such, you should under no circumstances store it in a way that the number can be decrypted on the server. Creating your own scrambling or using same-key reversible (symmetric) encryption is a big no-no!
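The two points in Stoker's reply (force the form onto HTTPS, and encrypt the order to a public key before mailing it) put together as an added example; this is not code from either poster. It assumes PHP's openssl extension, a hypothetical recipient certificate at /etc/webshop/owner.crt, and that the matching private key is kept off the web server.

```php
<?php
// Added example: serve the form only over HTTPS, then wrap the order in an
// S/MIME envelope encrypted to the shop owner's certificate. The web server
// only ever holds the public certificate, so nothing on it can decrypt the card data.

// 1. Refuse to serve or process the form over plain HTTP.
function requireHttps(): void
{
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
    if (!$isHttps) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }
}

// 2. Build the encrypted e-mail. openssl_pkcs7_encrypt() works on files, so the
//    plaintext exists in a temp file only for the duration of the call and is
//    deleted right after; the returned string is a complete MIME message
//    (headers plus a base64 PKCS#7 enveloped body) ready to hand to the MTA.
function buildEncryptedOrderMail(array $fields, string $certPath, string $to): string
{
    $plain = tempnam(sys_get_temp_dir(), 'ord');
    $enc   = tempnam(sys_get_temp_dir(), 'enc');
    $body  = '';
    foreach ($fields as $name => $value) {
        $body .= $name . ': ' . $value . "\n";
    }
    file_put_contents($plain, $body);
    $ok = openssl_pkcs7_encrypt(
        $plain, $enc, 'file://' . $certPath,
        ['To' => $to, 'Subject' => 'New webshop order'],
        0, OPENSSL_CIPHER_AES_256_CBC
    );
    unlink($plain);                       // remove the plaintext immediately
    if (!$ok) {
        unlink($enc);
        throw new RuntimeException(openssl_error_string() ?: 'S/MIME encryption failed');
    }
    $mime = file_get_contents($enc);
    unlink($enc);
    return $mime;
}

requireHttps();
// /etc/webshop/owner.crt and the recipient address are assumed values.
$mime = buildEncryptedOrderMail($_POST, '/etc/webshop/owner.crt', 'orders@example.invalid');
// Pipe $mime to the local MTA (e.g. sendmail -t); the card number is never in the clear.
```

The recipient decrypts the message with the private key in any S/MIME-capable mail client; if the certificate is missing or unreadable the script throws rather than falling back to a plaintext mail.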