Posted by Richard Lynch on 01/06/05 19:58
> Thinking of going from http to https on the server. My question is: Would
> there be any differences in my php-code from now?
You might want to use PHP to detect that you *ARE* on a secure connection.
You also migth want to isolate your *need* for SSL to a specific set of
scripts or a directory.
SSL is slower, so increases load on your server.
Maybe you have so little traffic that doesn't matter.
But the PHP code itself is not needed to be any different.
Though, of course, having SSL means little if your PHP code has inherent
security holes. :-)
It's all very well to use SSL to keep the data safe in transit from the
browser to your web-server, but if you PHP scripts aren't handling the
data securely after it arrives, what's the point?
SSL is an armored car from the browser to your server. If you're not
treating your server like a bank, with a detailed analysis of the
processes and handling of the data, and where it goes, and how it gets
there, and who has access, then it would be like a branch bank with no
vault, no security guard, no alarms, no locks, ... The money's okay in
that armored truck, but...
So, in some sense, your PHP code may have to under-go *MAJOR* changes.
More importantly, your entire business process, coding process,
development process, data-handling processes, and skill-sets might need a
You may be already doing everything perfectly securely.
Certainly worth thinking about, though, eh?
There will be no TECHNICAL reason to change a single line of PHP.
There could easily be a MAJOR business perspective overhaul required, or
SSL is pointless.
Hope that helps, though I suspect it only raised a much larger set of
issues than what you had hoped for when you asked. :-) Sorry you asked?
:-) :-) :-)
[Reply to this message]