Forum Moderators: coopster
I have created a contact form located on contact.html. I am using contact.php to "process" it.
Can contact.html reside on the regular http: server and be linked from all of the other webpages, while contact.php be the only one linked to with a https: prefix, from within the form?
Or
Does contact.html also have to be used with the https: prefix and all links pointing to it, be pointing to https: instead of http:?
To help clarify, my host provides a free SSL path located at:
[clientdomainame.clienthostname.com...]
I don't want all the pages on the site to link to:
[clientdomainame.clienthostname.com...]
which is a "foreign" domain, so I figured it might still be secure if only the form reference linked to the https: when hitting submit.
Like this:
[clientdomainame...]
form submits to:
[clientdomainame.clienthostname.com...]
Hope I explained this right!
Thanks!
But in reference to this,
Can contact.html reside on the regular http: server and be linked from all of the other webpages, while contact.php be the only one linked to with a https: prefix, from within the form?
First you need to understand what SSL does.
SSL is a public and private key encryption method. When a page is requested over SSL, it is sent to the browser in an encrypted format. The browser recognizes the SSL signature and has the key to decrypt it, so what you get is what appears to be an ordinary web page - but it was "gobbledygook" in transit. The same is true when the browser submits it: it's encrypted by the browser before sending the data, and the server has the key to decrypt it.
For example, if contact.html is on a non-SSL page, the data submitted may be posting to a secure location, but until it gets there, it is not encrypted. If the form contains credit card info, the CC info is sent as plain URL encoded data, which is definitely not secure.
For the above to work properly, the form must also load over SSL.
In the future, though, if you need to use this shared secure space, and really need something to be secure, I'd be less concerned about the external URL than the data security.
To keep this relevant to PHP, :-) if you want to make sure a form can only be accessed by SSL, there are some things you can do.
Most hosting has the option to contain secure documents only in a secure directory. That is, only secure stuff in /httpsdocs, everything else in /httpdocs. This is a no-brainer, but often causes some issues traversing between the two. So one scenario is to not restrict the secure stuff to the secure directory, allowing you to make any link to /httpdocs secure by simply adding the "s."
To prevent secure documents from being accessed via a non-secure link, there are two good methods.
Method 1: Don't use contact.html. Put your actual form in the contact.php script, with logic like
if (isset($_POST['some-form-variable'])) { process_form(); }
else { output_form_directly_from_script(); }
Now it's dynamic. So at the top of your script,
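if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    // Not on HTTPS: redirect to the secure URL and stop before any form output
    header("Location: https://example.com/this-script.php");
    exit;
}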
will effectively force it to https.
Method 2: do the exact same thing with mod_rewrite in an .htaccess file. This would allow you to continue use of contact.html. Be sure the directive addresses both the contact form and the processor in form action.
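Added example, not part of the thread or the poster's own code: Method 1 written out as one contact.php that serves the form and processes it. A plain-HTTP GET is redirected to HTTPS, while a plain-HTTP POST is refused, because its body has already crossed the network unencrypted by the time the script runs. `SECURE_URL`, the `message` field and `send_contact_mail()` are hypothetical names, and the check assumes PHP sees the TLS connection directly (no TLS-terminating proxy in front).

```php
<?php
// Added example: single-script contact form (Method 1), usable only over HTTPS.
// SECURE_URL is a placeholder; 'message' and send_contact_mail() are hypothetical.
const SECURE_URL = 'https://example.com/contact.php';

function is_https(): bool
{
    // Apache sets HTTPS to "on"; IIS sets it to "off" for plain HTTP requests.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function send_contact_mail(string $message): void
{
    // Hypothetical processor: replace with the site's own mail or storage logic.
    error_log('contact form message received, ' . strlen($message) . ' bytes');
}

if (!is_https()) {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // The body was already sent in clear text; a redirect cannot undo that,
        // so refuse the request instead of processing or redirecting it.
        http_response_code(403);
        exit('This form must be submitted over HTTPS.');
    }
    // Plain-HTTP page view: send the browser to the secure copy of the form.
    header('Location: ' . SECURE_URL, true, 301);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['message']) && is_string($_POST['message'])) {
    send_contact_mail(trim($_POST['message']));
    echo '<p>Thanks, your message was sent.</p>';
    exit;
}
?>
<!-- Absolute https action so the submit can never target the http: URL -->
<form method="post" action="<?= htmlspecialchars(SECURE_URL, ENT_QUOTES) ?>">
    <textarea name="message" required></textarea>
    <button type="submit">Send</button>
</form>
```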
Thanks for the reply! I am going to keep it simple and make it all non-SSL, but at least I now understand more about how it works and that my theory was wrong.
As for the PHP stuff at the bottom, I am not a coder and don't understand it, but thanks for that too. I am just using a PHP form I had that someone else wrote.
Thanks again.
Additionally, you have to be very careful that links from https pages back to the rest of your normal site point back as http and not as https, otherwise you'll potentially end up with the entire site indexed as using both types of URL.