Is it a secure SSL data transmission? Or not? - php

I want to get information from one website into a PHP script on another website via HTTPS. I read at www.php.net, on the page for the fopen() function, that this function supports the HTTPS protocol.
But is it really a secure SSL transmission? Is the value of the GET variable "private" visible on the network or not? Do I get the $contents value securely?
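$filename = 'https://www.somesite.com/page.php?private=45456762154';
$handle = fopen($filename, 'r');
if ($handle === false) {
    // fopen() returns false on a network or certificate error
    die('Could not open ' . $filename);
}
$contents = stream_get_contents($handle);
fclose($handle);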

You can check by using a tool such as Wireshark. This tool will intercept the network traffic and tell you which protocol it is travelling as, and allow you to inspect the packet contents. If it's unintelligible, it's SSL :-)
As an aside, if you're using a browser (which you're not), a similar tool is Fiddler to inspect the HTTP traffic your browser is seeing.

Check out this answer: "https URL with token parameter: how secure is it?"
In short, it is a bad idea to have secure params as GET variables because the URLs get logged at servers and get passed around in Referer headers.
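A sketch of the same fetch with the private value moved out of the URL, added here as an example and not code from the original posts. TLS does encrypt the path and query string in transit, so the remaining exposure is the logging and Referer leakage described above. The example assumes the receiving script reads `$_POST['private']`; the function names and the `PLACEHOLDER` value are made up for illustration.

```php
<?php
// Added example (not from the original post). Assumes the receiving script
// reads the value from $_POST['private'] instead of $_GET['private'].
declare(strict_types=1);

function build_private_context(array $fields)
{
    return stream_context_create([
        'http' => [
            'method'          => 'POST',
            'header'          => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content'         => http_build_query($fields), // secret travels in the body
            'follow_location' => 0,   // never replay the body to a redirect target
            'timeout'         => 10,
        ],
        'ssl' => [
            'verify_peer'       => true,  // certificate must chain to a trusted CA
            'verify_peer_name'  => true,  // certificate must match the host name
            'allow_self_signed' => false,
        ],
    ]);
}

function fetch_private(string $url, array $fields): string
{
    if (strtolower((string)parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('refusing non-HTTPS URL');
    }
    if (parse_url($url, PHP_URL_QUERY) !== null) {
        throw new InvalidArgumentException('private values belong in the body, not the query string');
    }
    $handle = fopen($url, 'r', false, build_private_context($fields));
    if ($handle === false) {
        throw new RuntimeException('request failed (network error or certificate rejected)');
    }
    try {
        return (string)stream_get_contents($handle);
    } finally {
        fclose($handle);
    }
}

// Offline demonstration: the URL from the question is rejected before any
// network traffic because it carries the secret in the query string.
try {
    fetch_private('https://www.somesite.com/page.php?private=45456762154', []);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
print_r(stream_context_get_options(build_private_context(['private' => 'PLACEHOLDER']))['ssl']);
```

A real call would be `fetch_private('https://www.somesite.com/page.php', ['private' => $value])`.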

Related

Does php send a cookie to localhost with HTTP when session_start() with cookie_secure equal to true?

If I start a session like the one below on a server and a localhost client tries to request the server via HTTP, does it respond with the session cookie,
or must it go through HTTPS?
I read the doc and it did say only through HTTPS, but I wonder if localhost is an exception.
session_start([
    'cookie_secure' => true
]);
Yes, it does:
If you try this in a browser, you'll also see a warning saying that the cookie was rejected.
This makes sense because PHP has no control over the entire communication channel and it's possible that the end-user is connecting to a secure proxy that redirects internally to a non-encrypted HTTP server.

download ISP is different to request ISP

I am trying to download an external file using guzzle. This is the code that I use:
use GuzzleHttp\Client;
$url = 'https://testurl.net/dl/test.mp4?mime=true';
$path = storage_path('app/remote-uploads/test.mp4');
$client = new Client();
$client->get($url, ['sink' => $path]);
The code works and downloads from localhost just fine but when I push it to production I receive this error:
Client error: `GET https://testurl.net/dl/test.mp4?mime=true` resulted in a `403 Forbidden` response:
{"status":403,"msg":"download ISP is different to request ISP. request: AS20115 download: AS30083"}
I am not quite sure how to go about this and would really appreciate any help!
It seems that you are using https://openload.co/api#download-getlink to get a download link and then download it.
In this case I can assume that your hosting provider uses a different IP for each outgoing HTTP request, and these IPs are even from different ASs (you can think about them as "namespaces"; check AS20115 and AS30083). And this particular site (openload.co) treats the situation as a security problem and prevents downloading (the second request).
There is nothing you can do at the application level. You have to talk to your ISP about its routing rules. Maybe ask about (buy) a static IP address.
You can try to play around with HTTP 1.1 keep-alive connections to send all requests through the same connection, but it depends on the server, and openload.co might not support this feature.
P.S. Please, include more details in questions in the future. Others are not wizards to read context from your mind :)
If you are using a VPN, please disable it.

How to know request coming from https server in php?

Suppose, I have two website first.com and second.com.
I am making a request from first.com using curl. Is it possible to know on the server second.com whether it's an HTTPS request or an HTTP request?
Check $_SERVER["SERVER_PORT"]: if it's 80, then it's a simple request; if it's 443 or another secure protocol's port, then it's HTTPS.
And maybe UseCanonicalPhysicalPort = On has to be set on Apache2.
http://php.net/manual/en/reserved.variables.server.php
From the manual, it seems that $_SERVER contains an indication whether this is HTTP or not.
PHP Manual
'HTTPS'
Set to a non-empty value if the script was queried through the HTTPS protocol.
Note: Note that when using ISAPI with IIS, the value will be off if the request was not made through the HTTPS protocol.
So checking $_SERVER["HTTPS"] should be okay; I don't have any idea whether this can be trusted or not.
Chauhan,
It's possible via a PHP global variable. You have to use the $_SERVER['HTTP_REFERER'] variable on second.com.
It will return the HTTP request URL.
To learn more about PHP global variables, visit http://php.net/manual/en/reserved.variables.server.php

Reading HTML file from URL

While most of the time I'd just use file_get_contents and CURL, I can't get it to work with a port in the URL. How can I read this file?
http://174.120.124.178:7800/7.html (It's a shoutcast statistics file)
Ultimately, I just want the text after the last comma.
It has nothing to do with the port. They're blocking you because you're not using a browser user agent. curl does let you fake the user agent, but that may be a violation of the site's terms of service.
According to this post it's not about blocking scripts, but just distinguishing between Shoutcast clients and everything else. So the code is:
curl_setopt($curl_handle, CURLOPT_USERAGENT, "Mozilla");
I tried to download your file with Curl on the command line and got a 404 error; it does load with Firefox and Lynx. This page says that you need to change the User-Agent string for it to download.
CURLOPT_PORT needs to be set to the appropriate port, perhaps.

Setting up your first SSL page using PHP5

I would like to use a secure SSL login on my website! I have not used SSL before, so I am looking for some good reading. Can anyone tell me where I can find some sample code of SSL snippets or page code. (Not too technical)
I do have a static IP
My host is set-up to handle SSL Pages.
Interested in: Basic page code. / Tree structure. / Other
Paul
My first thought would be to simply call a function to redirect to the https: version of the current page when you need to be secure.
Some code like this:
if ($requireSSL && $_SERVER['SERVER_PORT'] != 443)
{
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit();
}
Reference
If you've an SSL enabled host, writing a login is not different to writing one without SSL - all the encryption happens at a lower layer of the protocol stack, so by the time your PHP sees the request, it's already decrypted. Similarly, your script outputs are encrypted by the HTTP server before onward transmission back to the user.
SSL happens before the request ever reaches PHP. The only impact on your PHP would be in the self-facing links you're publishing, which you'd want to switch from http://... to https://... There's a $_SERVER['HTTPS'] variable you could use to trigger this change if you'll be accepting both SSL and non-SSL connections. But if you're moving everything to SSL, you'll want to move all your links once rather than having it check on each request.
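The HTTPS checks from the "How to know request coming from https server" answers and the redirect snippet above, combined into one added example that is not code from the original posts. It treats the IIS "off" value as plain HTTP and only reuses the client-supplied Host header when it matches a known name; `ALLOWED_HOSTS`, the function names and the sample requests are assumptions made up for illustration.

```php
<?php
// Added example, not code from the original answers.
declare(strict_types=1);

// Assumption: the host names this site is really served under (placeholders).
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

function is_https(array $server): bool
{
    // HTTPS is non-empty for TLS requests; ISAPI on IIS reports "off" for plain HTTP.
    $flag = strtolower((string)($server['HTTPS'] ?? ''));
    if ($flag !== '' && $flag !== 'off') {
        return true;
    }
    // Fallback from the answers: the port the web server accepted the request on.
    return (int)($server['SERVER_PORT'] ?? 0) === 443;
}

function https_redirect_target(array $server): ?string
{
    if (is_https($server)) {
        return null; // already on HTTPS, no redirect needed
    }
    // HTTP_HOST comes from the client, so only reuse it if it is one of our names.
    $host = strtolower((string)($server['HTTP_HOST'] ?? ''));
    $host = (string)preg_replace('/:\d+$/', '', $host); // drop a ":80" style suffix
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = ALLOWED_HOSTS[0];
    }
    $uri = (string)($server['REQUEST_URI'] ?? '/');
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/'; // keep the target a local path
    }
    return 'https://' . $host . $uri;
}

// Constructed $_SERVER samples; in a real page pass $_SERVER itself.
$samples = [
    'plain HTTP'        => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/login.php'],
    'HTTPS'             => ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'HTTP_HOST' => 'www.example.com', 'REQUEST_URI' => '/login.php'],
    'IIS plain HTTP'    => ['HTTPS' => 'off', 'SERVER_PORT' => '80', 'HTTP_HOST' => 'example.com:80', 'REQUEST_URI' => '/'],
    'unknown Host name' => ['SERVER_PORT' => '80', 'HTTP_HOST' => 'other.invalid', 'REQUEST_URI' => '/login.php'],
];
foreach ($samples as $label => $server) {
    printf("%-18s https=%-5s redirect=%s\n", $label, var_export(is_https($server), true), https_redirect_target($server) ?? '(none)');
}
```

Behind a TLS-terminating proxy or load balancer both values describe the hop between the proxy and PHP, so the check then depends on what the proxy is configured to pass along.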
