This question already has an answer here:
I'm creating a bitcoin site which automatically pays out bitcoin under certain circumstances. My plan is to have a PHP page which accepts data via POST and if the received data is correct it will pay out bitcoins.
I am wondering whether this is safe? The data sent over POST contains all the information required to send bitcoins. Is it possible for some '1337 haxor' to sniff out POST data?
If so, what about if the page that sends data via POST — and the page that receives data via POST — are both hidden behind a logon. I.e. the entire contents of both pages are hidden within a if($login->isUserLoggedIn() == true) statement — is this enough? Or is it trivial to get around this too?
</div>
Whether your user is logged in or not, the information sent from your server is fair game to anyone who sniffs the traffic.
Best practice for ensuring that sensitive data is viewable by the intended recipient only is via encryption. Using HTTPS (SSL), you can ensure to a reasonable degree that the information sent will be safe from prying eyes.
HTTP requests, including POST are sent in plain text, therefore yes they could be, theoretically until put to practice, eavesdropped on.
HTTP requests over SSL, (HTTPS) are encrypted, so even if eavesdropped on, they would need to be decrypted first.
In your scenario, of a request sent by a logged in user, a session could be hijacked and actions on account of that user carried on.
I know it's a bit vague, "could be", "in theory", apologies.