2

I have a single PHP file which handles credit card processing. It starts as a form to input the credit card number, then becomes a "confirm" screen (showing the credit card number) then once more to process and display the results. All three loads will be done with PHP submits (I realize the confirm might be better as Javascript, but I didn't write it). It is the only file in the directory which handles credit cards, and therefore it is the only one which needs httpS connection.

I tried enforcing this with the $_SERVER array, looking up the protocol used to connect from the prefix of the SCRIPT_URI (or other entry), but none had the prefix.

Is there a simple way to do this with the .htaccess file in the same directory? How do I enforce it for ONLY that one file? If there's any other simple way, how would I do it?

Sorry for the questions, but my searches thus far here haven't uncovered a working solution, and I'm afraid I don't know what the best practice is.

Thanks!

Bing
  • 3,071
  • 6
  • 42
  • 81
  • If you want this to be of any use, make sure your links to that page are correct. See http://stackoverflow.com/a/9105894/372643 – Bruno Feb 12 '12 at 16:15

3 Answers3

9

At the beginning of the PHP page that does all your credit card processing, you can add this:

It will redirect back to itself, except using https if it was first loaded over http. Of course you still need an SSL certificate installed for your domain.

if (!isset($_SERVER['HTTPS']) || !$_SERVER['HTTPS']) { // if request is not secure, redirect to secure url
    $url = 'https://' . $_SERVER['HTTP_HOST']
                      . $_SERVER['REQUEST_URI'];

    header('Location: ' . $url);
    exit;
}

I use this same logic in PHP to secure my entire domain by putting that in file that is always called at the beginning of every request for my site.

drew010
  • 68,777
  • 11
  • 134
  • 162
2

Place the following code in a .htacces file in your folder:

RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule (.*) https://www.example.com/require-secure/ [R]

It fires if the port is NOT 443 (443 is for HTTPS) and redirects to https://www.example.com/require-secure/.

Note: mod_rewrite is needed but mostly available

topscoder
  • 79
  • 1
  • 5
  • The O/P asked for a _single_ file so the rule pattern would be something like `RewriteRule ^secure-file$ https://www.example.com/secure-file [R=301]` Also it is more conventional to base the condition on %{HTTPS} :-) – TerryE Feb 11 '12 at 19:22
2

First off, why would you want to purposefully make all of your site use an unsecured protocol? Do you really have such a tight performance budget that you can't stomach the overhead of TLS? Premature optimization is the bane of mankind.

Also, saying that the credit-card-processing script is the only one which needs HTTPS implies that your user login system is sending passwords in the clear. That's not just performance-greedy, it's downright poor design.

That aside, the right solution is to use mod_rewrite to force a redirect to HTTPS for that link. An alternate solution if you don't have the ability to manipulate the server config at all (even via .htaccess) is to have your PHP script check the protocol first thing, and if it's not HTTPS issue a redirect and terminate.

Borealid
  • 95,191
  • 9
  • 106
  • 122
  • 1
    As I said, I'm aware there are a lot of things that should be done differently, but I don't have control to change everything that needs to be done. Just trying to make things work the best from here on, and encourage back-change when appropriate. Is the "mod_rewrite" a solution you put into the local directory's .htaccess file? What is the syntax for a single file? Otherwise, how can I have the PHP check the protocol? I'd prefer do it the right way of course, but as I said: I don't have full control here. Thanks! – Bing Feb 11 '12 at 19:21