Is an include call to SSL server secured?

Posted: Thu Feb 16, 2006 1:14 pm
by phpNewb22
Note: When I use the word "key" below, I simply mean a text string used by my scripts, not an encryption key.

I (actually my client -- not me) have an unencrypted server with the MySQL database, etc. Then I have another server with SSL provided by the hosting company. The only script on the SSL server is the one for taking payment info. I want to send a unique key to the SSL server with each customer, and I'd like it to be over the secure line. So instead of sending the key to the customer's browser (over the unsecured line) as part of the link to the secure server, if I send the key directly to the secure server via an include call, then redirect the client's browser with a header statement, would that connection (the include for sending the key) be secured?

In other words, does the unsecured server get the same protection when communicating with a secured server via a PHP include call as a web browser does when communicating with the secured server? Thanks in advance.

Posted: Thu Feb 16, 2006 1:30 pm
by feyd
If the secure server can access the same database as the unsecured, I'd use that as the actual transport mechanism. A reference id of some fashion could then be given to the secured server to tell it where to look in the database.

Would that connection be secured also?

Posted: Thu Feb 16, 2006 1:44 pm
by phpNewb22
Would that connection be secured?

Posted: Thu Feb 16, 2006 2:14 pm
by feyd
Including a secure script on an insecure page isn't secure. This route can be more so, if you use the proper protocols. The problem is any secure data touching anything insecure is by virtue insecure. It would be best to have the secure server on the insecure server; that way no external communications are required, making their communications far more secure.

Posted: Thu Feb 16, 2006 2:45 pm
by Christopher
I think there is some confusion over using include() and server-to-server protocols. When you include a file on the same server it is secure because it is a file read and no data is available outside the server. If you include a PHP page on another server you will get the output of the PHP page -- not the code for parsing.

If you want to have a back channel between the servers there are several ways to do this, but you may just want to use CURL to communicate with the checkout server using HTTPS. That is how many payment processors work.
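
The HTTPS back channel described in the post above, as an added example that is not part of the original thread. The host `secure.example.invalid`, the scripts `receive_key.php` and `pay.php`, the `X-Backchannel-Auth` header, the `BACKCHANNEL_SECRET` environment variable and the 32-character hex reference returned by the checkout server are all assumptions made for illustration.

```php
<?php
// Added example. All names below are assumptions, not from the thread.
const CHECKOUT_HOST = 'https://secure.example.invalid'; // placeholder host

/**
 * POST the per-customer key to the checkout server over verified HTTPS.
 * Returns the opaque reference the server replies with, or null on any failure.
 */
function send_key_over_https(string $url, string $key, string $secret): ?string
{
    // Fail closed: never send the key over plain HTTP or without caller auth.
    if (parse_url($url, PHP_URL_SCHEME) !== 'https' || $secret === '') {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['key' => $key]),
        CURLOPT_HTTPHEADER     => ['X-Backchannel-Auth: ' . $secret], // hypothetical header
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,             // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,                // certificate must match the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse any non-HTTPS protocol
        CURLOPT_FOLLOWLOCATION => false,            // a redirect could leave HTTPS
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);

    if ($body === false || $status !== 200) {
        error_log('Back channel failed: ' . ($error !== '' ? $error : "HTTP $status"));
        return null;
    }
    // Accept only the expected reference format (assumed: 32 hex characters).
    $ref = trim($body);
    return preg_match('/^[0-9a-f]{32}$/', $ref) === 1 ? $ref : null;
}

$key    = bin2hex(random_bytes(16));              // constructed sample key
$secret = (string) getenv('BACKCHANNEL_SECRET');  // hypothetical shared secret
$ref    = send_key_over_https(CHECKOUT_HOST . '/receive_key.php', $key, $secret);

if ($ref === null) {
    http_response_code(503);
    exit("Checkout is temporarily unavailable.\n");
}
// Only the opaque reference travels through the browser, never the key itself.
header('Location: ' . CHECKOUT_HOST . '/pay.php?ref=' . $ref);
```

With the placeholder host the request fails name resolution and the script takes the 503 branch, which is the fail-closed path.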

Posted: Fri Feb 17, 2006 9:00 am
by AGISB
Google "ssh tunnel". Might help you.