Ortho Vargas Posted January 11, 2012 Share Posted January 11, 2012 I am implementing some communications back and forth between LSL and PHP. reading various forum threads has taught me a few things that make it "more" secure. My question is this. Is passing data from LSL -> PHP any more "secure" using POST than just putting the variables in the url (using GET) ? Maybe the use of https (or the lack thereof) influences the answer to my question.thanks in advance. Link to comment Share on other sites More sharing options...
Alicia Sautereau Posted January 11, 2012 Share Posted January 11, 2012 I just stick to post and use this on the lsl comm pages: <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');if ( ! function_exists('gethostbyaddr_timeout')){ function gethostbyaddr_timeout($ip,$timeout=2) { $host=`host -W $timeout $ip`; if(preg_match('`in-addr.arpa domain name pointer (.*)\.\n$`i',$host,$matches)) { $host=$matches[1]; } else { $host=$ip; } return $host; }}if ( ! function_exists('secondlife_access')){ function secondlife_access($baseURL) { $dom = gethostbyaddr_timeout($baseURL); $ip = gethostbyname($dom); if(!preg_match('`^.*\.lindenlab\.com$`',$dom) || $ip!=$_SERVER['REMOTE_ADDR']) { print '<center>No outworld access allowed</center>'; exit(); } }} Then call the function in the script: public function __construct() { parent::__construct(); secondlife_access($_SERVER['REMOTE_ADDR']); }} Ofcourse comment the line out while testing as i also say the url in chat so i can debug it faster Link to comment Share on other sites More sharing options...
PeterCanessa Oh Posted January 11, 2012 Share Posted January 11, 2012 GET is like a postcard; the data's there for anyone to read (in the url-line) POST is like a letter, the information is sealed in the (body) envelope but it's not hard to open HTTPS encrypts things so it's like delivery by armoured-car Link to comment Share on other sites More sharing options...
Alicia Sautereau Posted January 11, 2012 Share Posted January 11, 2012 and ontop of https, encrypt the sent data to compare to a fault Link to comment Share on other sites More sharing options...
Ortho Vargas Posted January 13, 2012 Author Share Posted January 13, 2012 right. ty.. good information. Is there more to https than just putting 'https" in the url instead if "http" ? must be, because I its not working for me, whereas the same simple php will respond just fine if its located in a non-secure location. Link to comment Share on other sites More sharing options...
Darkie Minotaur Posted January 13, 2012 Share Posted January 13, 2012 Do you have a certificate? Link to comment Share on other sites More sharing options...
Ortho Vargas Posted January 13, 2012 Author Share Posted January 13, 2012 yes. the site has a https working now. a php that lives there doesn't work. if I put it on a non-https site, it behaves as expected. Link to comment Share on other sites More sharing options...
Ortho Vargas Posted January 14, 2012 Author Share Posted January 14, 2012 so the question is.... is there anything more to do in the lsl script other than use https://www. instead of http://www ? ... ok upon further testing... [HTTP_VERIFY_CERT, FALSE] allows it to work. that probably means the shared hosting site I'm using for testing (their cert not mine) isn't quite good enough for HTTP_VERIFY_CERT to be happy. Link to comment Share on other sites More sharing options...
Darkie Minotaur Posted January 14, 2012 Share Posted January 14, 2012 If you open a page from the https enabled directory in a browser, do you get a warning or does the browser trust the cert authority? Link to comment Share on other sites More sharing options...
Ortho Vargas Posted January 14, 2012 Author Share Posted January 14, 2012 the browser (firefox) likes it. no problem. Link to comment Share on other sites More sharing options...
Recommended Posts
Please take a moment to consider if this thread is worth bumping.
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now