How to establish a secure page transfer using a form?

Question

I have index.php and I have a login form:

<form method=post action="login.php" id="login">
 <input type="text" size="16" maxlength="30" name="login" id="login_user" />
 <input type="password" name="pass" id="login_pass"/>
 <input name="msubmit" type="submit" value="Login" />
</form>

How can I make sure that the form gets processed through a secure line?

Do I have to add https://?

<form method=post action="https://test.com/login.php" id="login"

Any ideas?

Thanks.

Answer 1

Yes, the best way is to specify https:

<form method="post" action="https://domain.com/login.php" id="login">
    <input type="text" size="16" maxlength="30" name="login" id="login_user" />
    <input type="password" name="pass" id="login_pass" />
    <input name="msubmit" type="submit" value="Login" />
</form>

Even if index.php was served through a secure channel, it is good practice to explicitly specify https on the post action because this is the request which sends sensitive data over the wire. But it is also recommended to have index.php served through https only.

Answer 2

Use https protocol. Also treat all the parameters as tainted - and get the PHP script to process them in a responsible fashion.

*I.e. parse (regular expressions) them and escape them if necessary when using a database/command line *