hotdog1983 Posted October 28, 2010

Hi, this is a bit complicated (for me at least). I'm a noob in security.

I'm making a reseller website, and on my website there are user Signup and Login links which will redirect the user to my wholesaler's form pages. I can also place the forms on my own website and send the form values over to the wholesaler's php. So basically, I will just be putting up a website and won't be collecting any user information in my database.

The issue is, the signup and login forms on the wholesaler's website are not secured. No SSL and no encryption. Is it possible to put up my own secure form pages with SSL or encryption? I want to make my site more trustworthy and I think it's my responsibility to protect customers' credentials as well.

But my feeling says that if I use SSL or encryption on my form pages, the values must be decoded before they are sent to the wholesaler's php, mustn't they? So do I need to set up a server on my hosting to receive the encrypted data, decode it, and transfer it to the wholesaler's website?

Is there any way that I can protect my customers from things like eavesdropping when they sign up on my website and I redirect the data to the wholesaler's part, without needing to set up my own database? Or is it gonna make no difference because the wholesaler's form pages are not secured?

I'm completely lost here. Geniuses please enlighten me.
JonnoTheDev Posted October 28, 2010

Simple. Process the form data on your own server and, once validated, send it over to the 3rd party script using cURL, i.e.

1. User lands on https://www.foobar.com/signup.php
2. User completes form and clicks submit
3. Form data is sent to https://www.foobar.com/signup.php
4. Form data is validated
5. If form data validates, send POST request to http://www.3rdparty.com/xyz.php containing form data using cURL

SSL encrypts data sent from the client web browser to the server receiving the request. Sending data via a request from server A to server B does not use SSL.
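The five steps in the post above, as an added example that is not part of the original thread: a `signup.php` that validates on the reseller's host and then forwards the fields with cURL. The field names, validation rules and the `UPSTREAM_URL` constant are assumptions; the handler records whether the outbound leg is encrypted, which depends only on whether the target URL is `https://`.

```php
<?php
// Added example: signup.php served over HTTPS on the reseller's own host.
// UPSTREAM_URL is the thread's placeholder; the field names are assumptions.
const UPSTREAM_URL = 'http://www.3rdparty.com/xyz.php';

// Step 4: validate on our side; returns [clean values, error list].
function validate_signup(array $in): array
{
    $errors = [];
    $email = filter_var(trim($in['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'Invalid e-mail address.';
    }
    $username = trim($in['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors[] = 'Username must be 3-32 letters, digits or underscores.';
    }
    $password = (string)($in['password'] ?? '');
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }
    return [['email' => $email, 'username' => $username, 'password' => $password], $errors];
}

// Step 5: server-to-server POST. Returns [HTTP status, body, leg encrypted?].
function forward_signup(string $url, array $fields): array
{
    $encrypted = strtolower((string)parse_url($url, PHP_URL_SCHEME)) === 'https';
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // do not re-send the form to a redirect target
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSL_VERIFYPEER => true,  // only takes effect for https:// targets
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return [$status, $body, $encrypted];
}

// Steps 1-3 are the browser's HTTPS request to this script.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$clean, $errors] = validate_signup($_POST);
    if ($errors) { http_response_code(422); exit(implode("\n", $errors)); }
    [$status, , $encrypted] = forward_signup(UPSTREAM_URL, $clean);
    if (!$encrypted) { error_log('signup forwarded to upstream over cleartext HTTP'); }
    echo $status === 200 ? 'Signup submitted.' : 'Signup could not be completed.';
}
```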
hotdog1983 Posted October 29, 2010 (Author)

Thanks a lot for your help. I've been posting this question around on quite a few websites and you are the only one who replied. I really appreciate it. I'm just starting to learn php, by the way.

Just a few more questions if you don't mind. My understanding is that after my clients sign up from my website:

Form data (SSL) -> My server -> Validate -> cURL (Unencrypted) -> www.3rdparty.com/signup.php

And the clients will stay on my website. Is this correct?

- How about the Login process? I want my clients to log in from my website (SSL enabled) and also have them land on www.3rdparty.com/interface as well. Can I also use cURL in this case?
- I shouldn't worry about cURL travelling without encryption from my server to the 3rdparty's server, or should I?

Thanks again.
AMcHarg Posted October 29, 2010

You can't send encrypted data to the wholesaler's forms and expect their forms to handle the data properly. Decrypting the data would ultimately defeat the purpose of encrypting it in the first place.

Linking to the wholesaler's login forms would be much better for you, rather than trying to make it look like they are logging into the wholesaler on your own site.

If your wholesalers are not protecting your customers' information then you should decide if you want to use those wholesalers in the first place; do you even trust them?
JonnoTheDev Posted October 29, 2010

> Form data (SSL) -> My server -> Validate -> cURL (Unencrypted) -> www.3rdparty.com/signup.php
> And the clients will stay on my website. Is this correct?

Correct, unless you redirect the user off your website after sending the data to the 3rd party.

> I want my clients to login from my website (SSL enabled) and also have them land on www.3rdparty.com/interface as well. Can I also use cURL in this case?

cURL is used to make HTTP GET or POST requests, not for user redirection. You would use PHP headers to do this.

> I shouldn't worry about cURL travelling without encryption from my server to the 3rdparty's server, or should I?

Not really. If the target URL is not https then this is not your concern.
mentalist Posted October 29, 2010

Basically you will need to buy a / some SSL certificates.
Pikachu2000 Posted October 29, 2010

Duplicate topics have been merged into this thread.
hotdog1983 Posted October 30, 2010 (Author)

Thanks a lot for your help!!