2

I have access to two distinct servers. I would like one's PHP script to call a URL on the other's server (and pass a secret variable). However, I want to make sure nobody else can spoof this call.

What is the best way to do this, short of SSL? I was thinking about hashing but anyone can read the POST request's hash and spoof it.

Thanks!

Improve this question
2
  • Out of curiosity, why is SSL not an option? Commented Jul 21, 2010 at 6:38
  • Dunno. Don't have any good certificates? Commented Jul 22, 2010 at 23:40

5 Answers 5

Reset to default
3

Maybe you need SSH. You call the other script through ssh, which means no one else can see what's going on. See this blog

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

There are many ways to do this

  • If your servers have static ip's, you could check the IP address. (If you are on shared hosting other people on the server will have the same IP)

  • You can encrypt the data with AES and decrypt it on the other end. Of course you'd have to encode this (using base64_encode, for example) before POST'ing it.

Improve this answer

Comments

0

What about using cURL and a SSL connection?

Improve this answer

1 Comment

The OP asked what was the best way to do this, short of using SSL.
0

Your best bet is to employ some kind of encryption to encrypt the variable. RSA is a secure, common one that has examples ready to copy/paste in php. It might be a bit hard to wrap your head around, but once you get it working, it is extremely secure.

Honestly your easiest way is SSL encryption.

Improve this answer

4 Comments

RSA is not only broken but also very inefficient. Why use asymmetric encryption when you can use symmetric?
@NullUserException: I agree that in this case, symmetric encryption is a good option. However, I'm curious about RSA being broken - are you referring the to University of Michigan exploit which introduces voltage fluctutations into the CPU of the server holding the private key?
@Mike "Textbook" RSA has been proven insecure for a while now. Regardless, RSA's recommended key size is 2048bits vs AES' 256-bit. Not only you have a much bigger key, but it takes a lot more time to compute.
@NullUserException: I'm not disputing that asymmetric crptography is slower than symmetric crptography - that's why RSA is usually only used to encrypt keys for use in symmetric crptography. I was just curious about the details of the RSA exploit.
-1

I'm not sure that is possible at all. If the PHP-Script of ServerA calls the script on ServerB, that script will be interpreted by ServerB, it generates an output HTML/Whatever and gives that output to the script of ServerA.

AFAIK it's not possible to access a PHP-Script before it is interpreted, as long as you don't have direct FTP-Access on it.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.