Secure HTTP

[Ortho Vargas]

I am implementing some communications back and forth between LSL and PHP.   reading various forum threads has taught me a few things that make it "more" secure.  My question is this.   Is passing data from LSL -> PHP any more "secure" using POST than just putting the variables in the url (using GET) ?  Maybe the use of https  (or the lack thereof) influences the answer to my question.

thanks in advance.  

[Alicia Sautereau]

I just stick to post and use this on the lsl comm pages:

 

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');if ( ! function_exists('gethostbyaddr_timeout')){    function gethostbyaddr_timeout($ip,$timeout=2)    {    	$host=`host -W $timeout $ip`;	    	if(preg_match('`in-addr.arpa domain name pointer (.*)\.\n$`i',$host,$matches))    	{    		$host=$matches[1];    	} else {    		$host=$ip;    	}    	return $host;    }}if ( ! function_exists('secondlife_access')){    function secondlife_access($baseURL)    {        $dom = gethostbyaddr_timeout($baseURL);        $ip = gethostbyname($dom);        if(!preg_match('`^.*\.lindenlab\.com$`',$dom) || $ip!=$_SERVER['REMOTE_ADDR'])        {        	print '<center>No outworld access allowed</center>';        	exit();        }    }}

 Then call the function in the script:

public function __construct()    {        parent::__construct();        secondlife_access($_SERVER['REMOTE_ADDR']);    }}

 Ofcourse comment the line out while testing as i also say the url in chat so i can debug it faster

[PeterCanessa Oh]

GET is like a postcard; the data's there for anyone to read (in the url-line)

POST is like a letter, the information is sealed in the (body) envelope but it's not hard to open

HTTPS encrypts things so it's like delivery by armoured-car

 

[Alicia Sautereau]

and ontop of https, encrypt the sent data to compare to a fault

[Ortho Vargas]

right.  ty.. good information.  Is there more to https than just putting 'https" in the url instead if "http" ?   must be, because I its not working for me, whereas the same simple php will respond just fine if its located in a non-secure location.

[Darkie Minotaur]

Do you have a certificate? 

[Ortho Vargas]

yes.  the site has a https working now.  a php that lives there doesn't work.  if I put it on a non-https site, it behaves as expected.

[Ortho Vargas]

so the question is....   is there anything more to do in the lsl script other than use https://www.   instead of http://www   ?   ...   ok upon further testing...   [HTTP_VERIFY_CERT, FALSE]   allows it to work.   that probably means the shared hosting site I'm using for testing (their cert not mine)  isn't quite good enough for HTTP_VERIFY_CERT to be happy.

[Darkie Minotaur]

If you open a page from the https enabled directory in a browser, do you get a warning or does the browser trust the cert authority?

[Ortho Vargas]

the browser (firefox) likes it.  no problem.