My PHP form page has in it a FLEX (flash movie) form to collect user input. The FLEX actionscript sends the user input through $_POST to a second PHP/FLEX page to process and insert into the database. The user does not leave the form PHP/FLEX page, just the users info does.
I am going to make the form PHP/FLEX page into an ssl by giving it the https address and certificate.
But what about the second PHP/FLEX page that does the processing and inputs into the database. Must that page also have an https address and certificate even though the users web browser does not actually go there?
I am concerned an attacker could bypass the form PHP/FLEX page to get to the second PHP/FLEX page.
Also, should that second PHP/FLEX page be included in the session. So if a user $_SESSION variable is not set, send an error back to the form PHP/FLEX page to redirect the user else where? Thanks.