  1. #1
    SitePoint Member
    Join Date
    Sep 2011
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Secure Form Data / SSL Certificate with PHP script?

    Hi,

    I need to build a form collecting sensitive information that needs to be transferred securely. The site owner has purchased an SSL Certificate and there are form mailer scripts using php available for use.

    The question is: I don't think sending info through email via a script is really secure. My understanding is that the form data is secured during the user session on the site - but then what?

    How do I get the data from the form on the website to the website owner in a secure fashion?

    I have built many forms, but this is a first foray into security of data other than a shopping cart where the data was handled by cc processing through the processing/cc validation through the bank and the shopping cart software.

    Can someone walk me through this or offer pointers? The hosting company and a Google search are not helping me much. Maybe I am asking the wrong question.

    Thanks for any help!

  2. #2
    . shoooo... silver trophy logic_earth's Avatar
    Join Date
    Oct 2005
    Location
    CA
    Posts
    9,013
    Mentioned
    8 Post(s)
    Tagged
    0 Thread(s)
    user submits form > data sent encrypted to the server > data stored on the server encrypted > owner accesses site's control panel > data from the user is displayed in the control panel while using an SSL connection.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  3. #3
    I solve practical problems. bronze trophy
    Michael Morris's Avatar
    Join Date
    Jan 2008
    Location
    Knoxville TN
    Posts
    2,011
    Mentioned
    56 Post(s)
    Tagged
    0 Thread(s)
    You'll have to make a login for them and some sort of viewer. You could email them a notification that new data had been collected without compromising security - though your intuition is right - email is not a secure data transfer method.
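
The flow described in posts #2 and #3 (store the submission encrypted, show it only in a login-protected viewer over SSL, and email nothing but a notification), as an added PHP example that is not code from any poster in this thread. It assumes PHP 7.3+ with the sodium extension; the function names, file layout and viewer URL are hypothetical, and the sample data is constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Requires the sodium extension (bundled since PHP 7.2).
// Function names, field names, paths and the URL are hypothetical; sample data is constructed.

// Encrypt a submission to the owner's public key and write it to disk.
// The web server holds only the public key, so a stolen data directory is unreadable on its own.
function store_submission(array $fields, string $ownerPublicKey, string $dir): string
{
    $id = bin2hex(random_bytes(16));                  // unguessable record id
    $plaintext = json_encode($fields, JSON_THROW_ON_ERROR);
    $sealed = sodium_crypto_box_seal($plaintext, $ownerPublicKey);
    sodium_memzero($plaintext);                       // wipe the cleartext copy
    $path = "$dir/$id.sealed";
    if (file_put_contents($path, $sealed, LOCK_EX) === false) {
        throw new RuntimeException('could not write submission');
    }
    chmod($path, 0600);
    return $id;
}

// The email carries only the record id and a pointer to the HTTPS viewer, never form data.
// A real handler would pass this string to mail() or an SMTP library.
function notification_body(string $id, string $viewerUrl): string
{
    return "A new submission ($id) is waiting.\nLog in to view it: $viewerUrl\n";
}

// Called by the login-protected viewer with the owner's keypair.
function read_submission(string $id, string $ownerKeypair, string $dir): array
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {       // block path traversal via the id
        throw new InvalidArgumentException('bad id');
    }
    $sealed = file_get_contents("$dir/$id.sealed");
    $plaintext = $sealed === false ? false : sodium_crypto_box_seal_open($sealed, $ownerKeypair);
    if ($plaintext === false) {
        throw new RuntimeException('missing, tampered, or wrong key');
    }
    return json_decode($plaintext, true, 16, JSON_THROW_ON_ERROR);
}

// Demo with constructed values.
$keypair = sodium_crypto_box_keypair();               // generated once; secret half kept off the web root
$dir = sys_get_temp_dir();
$id = store_submission(['name' => 'Test Person'], sodium_crypto_box_publickey($keypair), $dir);
echo notification_body($id, 'https://example.com/admin/submissions');
var_dump(read_submission($id, $keypair, $dir)['name'] === 'Test Person');
unlink("$dir/$id.sealed");
```

If the secret key lives on the same server as the data, anyone who compromises the server gets both, which is the point post #4 makes about overall server security.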

  4. #4
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    SSL prevents the data from being intercepted between the browser and the server, but does nothing to improve security in other areas.
    So you're right, you can't just email it. (I don't know much about encrypted email—it does exist though).

    You also have to consider the whole security of your server. For example, if you log in to cPanel over non-SSL on a shared network and someone intercepted that password, they could also access your server and find the data that way.

    This is why most websites don't store credit card details on their server. Even if it's transferred by SSL it could still be stolen by other means.

  5. #5
    SitePoint Member
    Join Date
    Sep 2011
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thank you everyone for your help!

    I have been doing further research and it seems that most solutions involve a hosted solution with all the security and cPanel in place. It actually is rather difficult to find straightforward info on this topic and most of the hosted solution sites are not even bothering to respond to email or phone inquiry.

    Apparently there are "appliances" both virtual and hardware (very expensive) that can also serve the purpose. I believe I need a security specialist for this task because of the requirements to meet HIPAA. I am a designer and I know when I am not qualified. I'm not qualified.

    Thanks again everyone!

