php - Will my `post` data passed via SSL with CURL be safe enough? -

-

i developing api , want secure. please consider function code

public function send_ok($tdata, $mdata) {     $url = str_replace('http://', '', $mdata['api_transaction_return_url']);     $url = str_replace('http://', '', $url);     $url = 'https://'.$url;     $process = curl_init($url);     curl_setopt($process, curlopt_ssl_verifypeer, false);     curl_setopt($process, curlopt_ssl_verifyhost, false);      curl_setopt($process, curlopt_post, 1);     curl_setopt($process, curlopt_postfields, $tdata);      curl_setopt($process, curlopt_returntransfer, 1);      $return = curl_exec($process); }

this function sending response remote server payment confirm. so, pass data via ssl safe enough , other methods can use make data secure?

ssl provides encryption of data in transit, it's safe prying eyes (let's skip whole bunch of caveats broken cipher suites , on). makes ssl connections secure such.

however, can sure who you're sending data to? maybe attacker has compromised network insofar you're connecting him instead of payment server think you're connecting to, , you're sending payment information right attacker.
well, ssl has solution problem well: identification through certificates, validated authority through public key infrastructure. if certificate checks out valid domain, can reasonably sure you're talking right server (let's skip whole bunch of caveats how may break in practice if not done absolutely right here).

unfortunately, you're foregoing features:

curl_setopt($process, curlopt_ssl_verifypeer, false); curl_setopt($process, curlopt_ssl_verifyhost, false);

if want sure you're talking right server, 2 options need on.

if fix that, it's reasonably secure. reasonable regular security practice dictates. stand determined attacker right resources? maybe, maybe not. there various ways in ssl connection can theoretically or practically attacked, , of these attacks can mitigated , others may need support party you're connecting to.
however, it's more other part of server, of php code, has gaping security hole attacker exploit before bothering break technology has proven reasonably secure on time.


Comments

Post a Comment

Popular posts from this blog

google api - Incomplete response from Gmail API threads.list -

-
i plot number of emails in inbox on time using gmail api , i'm seeing lot of drop-outs, whatever reason i'm getting incomplete count of messages @ single time points. my plots here: https://plot.ly/~tdsmith/2 -- "drop-outs" i'm complaining trace shoots downwards , recovers previous level @ next timepoint. the code i'm using count emails here: https://github.com/tdsmith/gmail-plotly/blob/master/gmail-plotly.py#l47-l64 what can diagnose these faults?
Read more

Installing Android SQLite Asset Helper -

-
i need use ready made database. search solution on internet did not work until decided use mentioned library found here . however, found hard use library in installation procedures shallow beginners. i appreciate step step procedure on how use android studio. in struggle tried copying sources main/libs , adding line gradle did not work. use api 19 if helps. update here build.gradle // top-level build file can add configuration options common sub-projects/modules. buildscript { repositories { mavencentral() } dependencies { classpath 'com.android.tools.build:gradle:0.11.+' compile 'com.readystatesoftware.sqliteasset:sqliteassethelper:+' // note: not place application dependencies here; belong // in individual module build.gradle files } } allprojects { repositories { mavencentral() } } trying compile project error error:(9, 0) no signature of method: org.gradle.api.internal.artifacts
Read more

Qt Creator - Searching files with Locator including folder -

-
one quick question qtcreator : know possible use locator open files using "ctrl-k" shortcut. however, possible search files including locations? for example, let's want locate file named "main.cpp" in folder named "myfolder" , have lots of other main.cpp files. what should type locator in order open ? just type myfolder/main.cpp in locator
Read more