is an include call to ssl server secured?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

phpNewb22
Forum Newbie
Posts: 2
Joined: Thu Feb 16, 2006 1:02 pm

is an include call to ssl server secured?

Post by phpNewb22 »

Note: When I use the word "key" below, I simply mean a text string used by my scripts, not an encryption key.

I (actually my client -- not me) have an unencrypted server with the MySQL database, etc. Then I have another server with SSL provided by the hosting company. The only script on the SSL server is the one for taking payment info. I want to send a unique key to the SSL server with each customer, and I'd like it to be over the secure line. So instead of sending the key to the customer's browser (over the unsecured line) as part of the link to the secure server, if I send the key directly to the secure server via an include call then redirect the client's browser with a header statement, would that connection (the include for sending the key) be secured?

In other words, does the unsecured server get the same protection when communicating with a secured server via a php include call, as a web browser does when communicating with the secured server? Thanks in advance.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If the secure server can access the same database as the unsecured, I'd use that as the actual transport mechanism. A reference id of some fashion could then be given to the secured server to tell it where to look in the database.
phpNewb22
Forum Newbie
Posts: 2
Joined: Thu Feb 16, 2006 1:02 pm

would that connection be secured also?

Post by phpNewb22 »

would that connection be secured?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Including a secure script on an insecure page isn't secure. This route can be more so, if you use the proper protocols. The problem is any secure data touching anything insecure is by virtue insecure. It would be best to have the secure server on the insecure server; that way no external communications are required, making their communications far more secure.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I think there is some confusion over using include() and server-to-server protocols. When you include a file on the same server it is secure because it is a file read and no data is available outside the server. If you include a PHP page on another server you will get the output of the PHP page -- not the code for parsing.

If you want to have a back channel between the servers there are several ways to do this, but you may just want to use CURL to communicate with the checkout server using HTTPS. That is how many payment processors work.
(#10850)
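
Added example (not part of any post in this thread): a sketch of the HTTPS back channel suggested above, using PHP's cURL extension with certificate verification left on and plain-HTTP fallback disabled. The host `checkout.example.com`, the script names, the `key` field and the reference-id response format are all assumptions made for illustration.

```php
<?php
// Added example: back channel from the plain-HTTP site to the checkout server.
// URL, field name and response format are assumptions, not from the thread.

function send_key_to_checkout(string $url, string $key): string
{
    // Refuse anything that is not HTTPS before a connection is opened.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('checkout URL must use https');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['key' => $key]),
        CURLOPT_RETURNTRANSFER => true,
        // Validate the certificate chain and that it matches the host name.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Never fall back to plain HTTP, and do not follow redirects.
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('checkout request failed: ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($status !== 200) {
        throw new RuntimeException("checkout server returned HTTP $status");
    }
    return trim($body);
}

// Hypothetical caller: the checkout server answers with an opaque reference
// id, so the key itself never appears in the browser redirect.
function redirect_to_checkout(string $key): void
{
    $ref = send_key_to_checkout('https://checkout.example.com/register.php', $key);
    if (!preg_match('/^[A-Za-z0-9]{16,64}$/', $ref)) {
        throw new RuntimeException('unexpected reference id from checkout server');
    }
    header('Location: https://checkout.example.com/pay.php?ref=' . $ref);
    exit;
}
```

The transfer is only protected between the two servers; the key is still handled in the clear on the unencrypted server itself.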
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

Google ssh tunnel. Might help you.