Search the Community

I'm trying to create a secure inlog script in php/mysql. I'm faced with many subjects I absolutely know nothing about so I was looking for some help. I'm want to understand the route of a password from the browser to the database. One thing that is very hazy to me is the difference between SSL and encryption. My idea is that I could use javascript SHA 256 encryption at the client side. But other sources online recommend SSL. I was thinking, would it be possible to both use SSL as well as SHA encryption. Now, I asked questions before here moslty solving script issues, but now, I look for an advice about what the possibilities are. I have no script yet, because first I want to determine in which way the chances for security leaks are minimized. is there anyone who can give more clarity about it?

In my current website project, I would like to design a secure area for members. I have built basic login systems before, but I want to build something more secure this time. One of the things I would like to do it route requests using the HTTPS protocol. In my research on how to do this, I have been starting to learn about SSL certificates. As I understand it, in order to create an SSL encrypted connection that users can be confident in, I must purchase a certificate from a certificate authority (CA). I am questioning whether I really need to do this, though. Neither money nor information that is extremely sensitive would be handled in the secure area. The purpose of the website is of a nature that membership would be restricted to those personally acquainted with me, so it's not like they would be using a website with some vague "entity" operating it. They could trust me. Would that make it safe for me to use a self-signed SSL certificate? My only suspicion is that a hijacker could potentially inject a new SSL certificate (not sure if this is possible...) and trick users since neither his nor mine would be signed by a trusted CA. I could just get a cheap certificate, but I would like to avoid spending money on this if I don't have to. Maybe a free certificate would be okay? I'm not sure. What do you think is the best course of action for my situation?