php - Will my `post` data passed via SSL with CURL be safe enough?


I am developing an API and want it to be secure. Please consider this function code:

```php
public function send_ok($tdata, $mdata) {
    // Strip any scheme from the configured return URL and force https://
    $url = str_replace('http://', '', $mdata['api_transaction_return_url']);
    $url = str_replace('https://', '', $url);
    $url = 'https://' . $url;

    $process = curl_init($url);
    // Certificate and hostname verification are switched off here (this is
    // what the question is about)
    curl_setopt($process, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($process, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($process, CURLOPT_POST, 1);
    curl_setopt($process, CURLOPT_POSTFIELDS, $tdata);
    curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);

    $return = curl_exec($process);
    curl_close($process);
    return $return;
}
```

This function sends a response to a remote server to confirm a payment. So, is passing the data via SSL safe enough, and what other methods can I use to make the data secure?

SSL provides encryption of data in transit, so it's safe from prying eyes (let's skip the whole bunch of caveats about broken cipher suites and so on). That makes SSL connections secure as such.

However, can you be sure who you're sending the data to? Maybe an attacker has compromised the network insofar that you're connecting to him instead of the payment server you think you're connecting to, and you're sending the payment information right to the attacker.
Well, SSL has a solution for that problem as well: identification through certificates, validated by an authority through a public key infrastructure. If the certificate checks out as valid for the domain, you can be reasonably sure you're talking to the right server (let's skip the whole bunch of caveats about how this may break in practice if not done absolutely right here).

Unfortunately, you're foregoing these features:

```php
curl_setopt($process, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($process, CURLOPT_SSL_VERIFYHOST, false);
```

If you want to be sure you're talking to the right server, these 2 options need to be on.

If you fix that, it's reasonably secure. As reasonable as regular security practice dictates. Will it stand up to a determined attacker with the right resources? Maybe, maybe not. There are various ways in which an SSL connection can theoretically or practically be attacked, and some of these attacks can be mitigated while others may need the support of the party you're connecting to.
However, it's more likely that some other part of the server, or of your PHP code, has a gaping security hole that an attacker will exploit before bothering to break a technology that has proven reasonably secure over time.
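As an added example (not the question's or the answer's own code), here is the same `send_ok()` function with the two verification options left on, as the answer recommends, and with the result of the verification actually checked instead of ignored. The function and array keys are the question's; the optional `$ca_bundle` parameter and the `parse_url`-based URL rebuild are assumptions added here.

```php
<?php
// Added example: send_ok() with TLS peer and hostname verification enabled.
// The function name and $mdata['api_transaction_return_url'] key come from
// the question; $ca_bundle is an assumed, optional parameter.
function send_ok(array $tdata, array $mdata, ?string $ca_bundle = null): array
{
    $parts = parse_url($mdata['api_transaction_return_url']);
    if ($parts === false || empty($parts['host'])) {
        throw new InvalidArgumentException('return URL has no host');
    }
    // Rebuild the URL with an https scheme instead of string-replacing
    // prefixes, so a scheme-like substring elsewhere cannot confuse the rewrite.
    $url = 'https://' . $parts['host']
         . (isset($parts['port']) ? ':' . $parts['port'] : '')
         . ($parts['path'] ?? '/')
         . (isset($parts['query']) ? '?' . $parts['query'] : '');

    $process = curl_init($url);
    $options = [
        CURLOPT_SSL_VERIFYPEER => true,            // certificate must chain to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate name must match the host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse anything but https
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($tdata),
        CURLOPT_RETURNTRANSFER => true,
    ];
    if ($ca_bundle !== null) {
        // Trust only this CA bundle (assumed path supplied by the caller)
        $options[CURLOPT_CAINFO] = $ca_bundle;
    }
    curl_setopt_array($process, $options);

    $body   = curl_exec($process);
    $errno  = curl_errno($process);
    $error  = curl_error($process);
    $status = (int) curl_getinfo($process, CURLINFO_HTTP_CODE);
    curl_close($process);

    // Fail closed: a failed certificate check surfaces as a curl error such as
    // CURLE_SSL_CACERT or CURLE_SSL_PEER_CERTIFICATE, so the payment
    // confirmation is never sent to an unverified peer and never silently lost.
    if ($errno !== 0) {
        throw new RuntimeException("payment callback failed: [$errno] $error");
    }
    return ['status' => $status, 'body' => $body];
}
```

With verification on, curl aborts the TLS handshake before any POST data leaves the process if the certificate does not validate, which is the property the answer describes; checking `curl_errno()` afterwards is what turns that abort into a visible failure rather than a `false` that the caller forgets to look at.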

