I'm using "file_get_contents" in the following way:
(The script below is posted on, for example, https://siteA.com/checkifvalid.php; notice the URL is httpS.)
<?php
// There is a login form on this URL, and the entries put in the form are used to set the username & password variables below.
$username = "someusername";
$password = "somepassword";
$secretkey = "slkd89087235";
// urlencode() keeps characters such as & or = inside a value from breaking the query string
$query = "username=" . urlencode($username) . "&password=" . urlencode($password) . "&secretkey=" . urlencode($secretkey);
$yesorno = file_get_contents("httpS://siteB.com/checkdatabase.php?" . $query);
if ($yesorno == 'yes') {
    // details are valid, do something
} else {
    // details aren't valid, display that they aren't valid
}
?>
The "checkdatabase.php" script gets the username & password using $_GET, grabbing the variables from the URL, and then cross-references those login details to see if they are valid or not. If they are, it echoes "yes"; if not, it echoes "no".
The checkdatabase.php script is set to only run if the username, password & secret key parameters have all been passed, and then only if the secret key value that has been passed matches the secret key stored within that PHP script.
There will also be a limit to the number of times "http://siteA.com/checkifvalid.php" can be entered in a given span of time to prevent a type of "brute force" attack guessing user/pass combos.
My question is, how secure is the above method seeing as both URLs are using httpS?
Should I encrypt the values sent? Or is what is above secure already?
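
The exchange described in the question, as an added example that is not part of the original post: the same yes/no check with the values sent in a POST body instead of the query string, explicit certificate verification, and a constant-time comparison of the secret key on site B. The function names `remote_check` and `check_request`, the `$lookup` callable, and the assumption that checkdatabase.php reads `$_POST` are hypothetical.

```php
<?php
// Added example, not from the original post. Function names are hypothetical,
// and checkdatabase.php is assumed to read $_POST instead of $_GET.

// Site A: send the values in a POST body, so they do not appear in the URL
// that site B's web server writes to its access log.
function remote_check(string $username, string $password, string $secretkey): bool
{
    $context = stream_context_create([
        'http' => [
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            // http_build_query() URL-encodes every value.
            'content' => http_build_query([
                'username' => $username, 'password' => $password, 'secretkey' => $secretkey,
            ]),
            'timeout' => 5,
        ],
        // Certificate checks are the default since PHP 5.6; stated explicitly.
        'ssl' => ['verify_peer' => true, 'verify_peer_name' => true],
    ]);
    $reply = @file_get_contents('https://siteB.com/checkdatabase.php', false, $context);
    // A failed request (false) or any body other than "yes" denies the login.
    return $reply !== false && trim($reply) === 'yes';
}

// Site B: decision logic of checkdatabase.php. $lookup is a hypothetical
// callable standing in for the database check.
function check_request(array $post, string $storedKey, callable $lookup): string
{
    foreach (['username', 'password', 'secretkey'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return 'no';
        }
    }
    // hash_equals() compares the secret key in constant time.
    if (!hash_equals($storedKey, $post['secretkey'])) {
        return 'no';
    }
    return $lookup($post['username'], $post['password']) ? 'yes' : 'no';
}

// Constructed sample input; runs offline without contacting site B.
$lookup = fn($u, $p) => $u === 'someusername' && $p === 'somepassword';
$sample = ['username' => 'someusername', 'password' => 'somepassword', 'secretkey' => 'slkd89087235'];
echo check_request($sample, 'slkd89087235', $lookup), "\n";
echo check_request(['secretkey' => 'wrong'] + $sample, 'slkd89087235', $lookup), "\n";
```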