What do I have to code to use HTTPS?
Within a standard "brochure" site I have a subsystem where private data is passed back and forth in a series of pages. The site is done and working now without HTTPS. Can someone point me to a list of steps that I need to do, to implement HTTPS on the secure part of the site?
4 Answers
The only thing you as a programmer need to do is check that the user in fact uses HTTPS:
if ((int) $_SERVER['SERVER_PORT'] !== 443 && (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')) {
    // SERVER_PORT is a string, so cast it before the strict comparison
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}
Then (have your sysadmin) order and install an SSL certificate on the web server.
The web site itself must be configured; this is not related to PHP at this point.
On your local PC I think you use Apache as the web server. So for Apache you need to install a certificate, and Apache needs to listen on the HTTPS port (443 by default).
Also, in all sections of the web site you need to use the https protocol in URLs, not http. E.g. https://example.com
There is no PHP code change involved. HTTPS means that the communication between the browser and the web server will be encrypted. The browser is already set up for HTTPS; all you have to do is configure your web server. Most probably you can do the whole change from your hosting control panel itself.
If you want to force HTTPS, you can use a one line mod_rewrite code
window.location = "https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '";'; > ?>
how to redirect page to https in php?
I would like the login.php page to redirect to using https. I don’t want to send the user to https://. /login.php because they might change the link. But I want to do a redirect on the server side before I parse the login form data and log the user in. I found an example:
but I don’t have $_SERVER["HTTPS"] if I var_dump($_SERVER); I do have $_SERVER['SERVER_PORT'], which is 80. Any ideas? Thanks
"i don’t want to send the user. " "i want to do a redirect" The two are mutually incompatible. Do you want to force the user to use SSL? If so, you need to redirect (send) the user to the HTTPS version of the login form.
"but i don’t have" Of course you will not have it when you connect with regular HTTP. And port 80 tells the same. $_SERVER["HTTPS"] = 'on'; when you are connected through HTTPS, and your port in that case would be 443. Your script is doing the right thing, it checks whether the current connection is HTTP and if it is not — it redirects to the HTTPS version.
I could, but there is a possibility for the user to change the link to HTTP. I need to make a check on the login.php page for HTTPS
Then you need to employ the redirect in the login.php script. If the user changes the link to use the HTTP version, your script will simply redirect him again to the HTTPS version.
4 Answers
If you allow them to post to /login.php over plain HTTP and then redirect to HTTPS, you defeat the purpose of using HTTPS because the login information has already been sent in plain text over the internet.
What you could do to prevent the user from changing the URL, is make it so the login page rejects the login if it is not over HTTPS.
What I use to check for the use of HTTPS is the following:
if (!isset($_SERVER['HTTPS']) || !$_SERVER['HTTPS']) {
    // request is not using SSL, redirect to https, or fail
}
If you are running your secure server on the default port of 443, then you can also check to see if that is the port, but PHP sets the $_SERVER['HTTPS'] value to non-empty if SSL is used, so I would check for the presence of that for best practice.
If the user is so inclined to manually change the https to http and wants to send their information over plain text, there isn’t anything you can do to stop them, but if you disallow login over HTTP, so even the correct information will not log them in, you can force them to use https by making it the only thing that works.
Yes, add that check to login.php near the beginning of the script. You could do several things, from just denying the login with an error saying https is required, or using a 301 header to redirect to https.
Whatever page you use to display your login form should already be using https:// before the form is filled out, and then it should be submitted to another https:// address. Otherwise, you’ll leave the form open to attack.
You could look into mod_rewrite to automatically redirect any request using http:// to https:// , at least for your login page.
As long as the form is posted to https, it does not matter if the form itself is on a non-https page.
True the landing page’s html could be modified by a man-in-the-middle, but the data will still be encrypted if it is posted to an HTTPS page. For best practice, I usually force the whole site to use SSL and not just specific pages. Following that guide, you should make your login form on https as well.
if ($requireSSL && $_SERVER['SERVER_PORT'] != 443) {
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit();
}
Assuming that your page with the login form is generated by index.php , you need to put the example code for HTTP to HTTPS redirection in index.php . This will ensure that when the user fills up the form and submits it, it is submitted to /login.php via HTTPS and not HTTP.
Putting this check inside login.php is futile because by the time login.php gets the request and tries to redirect to the corresponding HTTPS URL, well, the credentials have already been submitted to it as plaintext which is what you should want to avoid.
The observation that you see $_SERVER['SERVER_PORT'] to be 80 and $_SERVER["HTTPS"] to be not set when you put the check inside login.php is a further proof of the fact that login credentials are being submitted to it via HTTP and thus the login credentials are reaching your server from the client unencrypted. This has to be avoided by following what I said in the first paragraph of this response.
BTW, I wouldn’t use PHP to do this sort of redirection. Such redirections are very conveniently handled by mod_rewrite in Apache HTTPD.
An example, assuming that your login page is available at the URL, http://example.com/foo/:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^foo/$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
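The points made across the answers above (redirect page loads to HTTPS, but refuse a form body that already arrived over plain HTTP) combined into one PHP guard, as an added example that is not taken from any of the answers. CANONICAL_HOST and the function names are assumptions; the redirect host comes from configuration rather than from the client-supplied Host header.

```php
<?php
// Added example: names and the host value below are illustrative assumptions.
const CANONICAL_HOST = 'example.com'; // fixed in config, never taken from the Host header

// True when the request reached PHP over TLS. IIS sets HTTPS to 'off' for plain HTTP.
function request_is_https(array $server): bool
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    return $https !== '' && $https !== 'off';
}

// Decide what to do with a request: 'allow', 'redirect' or 'reject'.
function https_decision(array $server): array
{
    if (request_is_https($server)) {
        return ['allow', null];
    }
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($method !== 'GET' && $method !== 'HEAD') {
        // A form body sent over HTTP has already crossed the network in clear text.
        // Redirecting would hide that; refuse it so the plain-HTTP path never works.
        return ['reject', null];
    }
    // Keep only a local path; drop anything containing CR/LF or not starting with "/".
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/' || preg_match('/[\r\n]/', $uri)) {
        $uri = '/';
    }
    return ['redirect', 'https://' . CANONICAL_HOST . $uri];
}

function enforce_https(): void
{
    [$action, $target] = https_decision($_SERVER);
    if ($action === 'reject') {
        http_response_code(403);
        exit('HTTPS is required.');
    }
    if ($action === 'redirect') {
        header('Location: ' . $target, true, 301);
        exit;
    }
    // Over HTTPS: ask the browser to use HTTPS for this host from now on.
    header('Strict-Transport-Security: max-age=31536000');
}

if (PHP_SAPI !== 'cli') {
    enforce_https(); // call before any output or form handling
}
```

Behind a TLS-terminating proxy the backend typically does not see `$_SERVER['HTTPS']`, so the same decision has to be made at the proxy.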
PHP CURL Requests With HTTPS (Simple Examples)
Welcome to a tutorial on how to make CURL requests to HTTPS in PHP. Need to access a secure URL with PHP CURL? Well, we need to specify a couple of extra settings in CURL to do that.
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, "https://site.com");
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
- $result = curl_exec($ch);
- curl_close($ch);
That covers the quick basics, but read on for more examples and details!
HTTPS CURL
All right, let us now get into the examples and more details on doing a CURL call to an HTTPS URL.
WHAT & WHY HTTPS
- HTTPS stands for “HTTP Secure”.
- When we access a website via http:// , the data exchange is in cleartext. This is vulnerable to “man in the middle” (MITM) attacks; anyone on the network path can intercept and read the data.
- With https:// , the data exchange is encrypted. People can still intercept the data, but cannot read it easily.
That covers the basics, but things are not that simple. Any website can use HTTPS, but that alone does not make it safe. For example, a fake phishing website can also use HTTPS; that does not make it a legitimate website.
So apart from encryption, the other part of HTTPS is verification. Without going into the mechanics, there are third parties known as “certificate authorities” (CAs). They do the verifications and issue digital certificates. In a single HTTPS session, the client both encrypts the data and checks the server’s certificate against the CAs it trusts.
EXAMPLE 1) CURL REQUEST TO HTTPS
// (A) CURL INIT
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://code-boxx.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // RETURN SERVER RESPONSE
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // VERIFY SSL CERTIFICATE
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // VERIFY HOST NAME

// (B) CURL FETCH
$result = curl_exec($ch);
if (curl_errno($ch)) {
  echo curl_error($ch);
} else {
  echo $result;
}
curl_close($ch);
All right, this is pretty much the same as the introduction snippet. But as you already know, HTTPS does 2 things – encryption and verification. Thus the 2 CURL settings: CURLOPT_SSL_VERIFYPEER verifies the SSL certificate, and CURLOPT_SSL_VERIFYHOST verifies the host name.
P.S. Ever since PHP 7.1 (if I remember correctly), these verification settings are set to “true” by default. Yes, even if you omit these 2 settings, CURL will still automatically do the SSL verification.
EXAMPLE 2) CURL IGNORE SSL
Simply disable the verification if you have to work with an unverified host (or expired certificate) for some reason… But don’t do this unless it is for the sole purpose of testing. The verification is there to prevent MITM attacks.
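For the testing case described above, verification can stay on if CURL is told to trust the test server's own CA file instead. This is an added example, not code from the tutorial; fetch_verified(), the URL and the CA file path are assumptions.

```php
<?php
// Added example: the function name, URL and CA path are illustrative assumptions.

// Fetch an https:// URL with certificate and host name verification left on.
// $caFile: optional PEM file holding the CA (or self-signed certificate) of a
// test server, so the checks can stay enabled instead of being switched off.
function fetch_verified(string $url, ?string $caFile = null): string
{
    $ch = curl_init();
    $opts = [
        CURLOPT_URL             => $url,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,             // certificate must chain to a trusted CA
        CURLOPT_SSL_VERIFYHOST  => 2,                // certificate must match the host name
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,  // refuse http:// and other schemes
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,  // redirects may not downgrade to http://
        CURLOPT_CONNECTTIMEOUT  => 10,
        CURLOPT_TIMEOUT         => 30,
    ];
    if ($caFile !== null) {
        if (!is_readable($caFile)) {
            curl_close($ch);
            throw new RuntimeException("CA file not readable: $caFile");
        }
        $opts[CURLOPT_CAINFO] = $caFile; // only this CA file is trusted for this request
    }
    curl_setopt_array($ch, $opts);

    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        // Fail closed: a verification error is reported, never retried without checks.
        throw new RuntimeException("HTTPS request failed ($errno): $error");
    }
    return $body;
}

// Usage (constructed values): a local test server signed by a private CA.
try {
    echo strlen(fetch_verified('https://localhost:8443/', __DIR__ . '/test-ca.pem')), " bytes\n";
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```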
EXAMPLE CODE DOWNLOAD
Click here for the source code on GitHub gist, just click on “download zip” or do a git clone. I have released it under the MIT license, so feel free to build on top of it or use it in your own project.
About Me
W.S. Toh is a senior web developer and SEO practitioner with over 20 years of experience. Graduated from the University of London. When not secretly being an evil tech ninja, he enjoys photography and working on DIY projects.