SSL expertise, please

nemonoman

I want to use SSL to support encrypted data transmission of credit card data, but in testing my pages they load VERY slowly. My pages are graphics heavy, and that isn't likely to change.

What I want to know is this: WHAT PRECISELY is required to get the POSTed credit card data SSL encrypted?

Page 1: mypaymentform.php

contains a form
<form action=mysendpayment.php>
<input type=text name=creditcard>
</form>

Page 2: mysendpayment.php
<? handlecreditcard($_POST['creditcard])
echo "THANK YOU!"
?>

Currently my flow works like this:
httpS://mydomain/mypaymentform.php

and I change <form action=mysendpayment.php>
to: <form action=httpS://mydomain/mysendpayment.php>

Are BOTH these httpS calls needed for encryption?

Would I still encrypt the cc data thusly:

httP://mydomain/mypaymentform.php
and in mypaymentform.php:
<form action=httpS://mydomain/mysendpayment.php>

Suppose I said in mysendpayment.php
<? handlecreditcard($_POST['creditcard])
header(Location:httP://mydomain/thankyoupage.php);
?>

Would creditcard still be encrypted by SSL?

ZibingsCoder

Alright...another SID for me here, but, let's see if we can't tackle it anyways.

When you're doing CC transactions, you should be doing everything inside a secure connection. The most common way hackers can get the information is if it's not, and they just have to grab the data as its passed back and forth between the server and the client.

You say you're having problems with how it loads, and I feel your pain. Thing is, all of those graphics you have are also encrypted since they are being sent via the secure protocol. One possible workaround (somebody please tell me if this isn't kosher) would be to make your payment form purely text and fields, and have it loaded via a regular page from an iframe. This would allow you to load all the graphics and what not normally, but at the same time keeping the data secure where it's needed.

I've never done this personally, but in theory as far as I can tell, it should work well enough for you. As to your question on how to encode the data for the SSL connection, if a page is viewed on a SSL connection, it is being encrypted already. The encryption is done by a third party program, so just sending data via the SSL port/protocol will cause whatever that data is to be encrypted.

If this doesn't help, give me a bit more of an idea as to what you're trying to do and I'll delve deeper, but I -think- this should get you enough to do what you need. Course...this is me, so who knows. 😉

nemonoman

I got this answer to this same question from a post on webhostingtalk:

The entire HTTP connection travels over SSL (headers and all).

Adding the HTTPS initates the SSL session. You can start the HTTPS session on the "form" element "action" attribute and you'll be fine.

This validates what I believe from my own research, but I don't want to be a total screwup about things. So anyone with additional info???