Your SSL conversation between Java and PHP will protect it your data while it’s in transit. Should you properly protect the private key with a strong password (10+ symbols) and make sure your algorithms strong no one will be able to break it by snooping on the conversation.

You won’t get any extra protection by encrypting the data before sending it over the SSL conversation. And you actually might be weakening your security because in order for you to encrypt data you’ll have to share some key should you choose symmetric encryption. And, by trading secret keys you’re undoing much of the protection SSL gives you because the huge benefit of SSL is the fact we can encrypt data without agreeing on a secret key. If I were trying to get at your encrypted text I’d attack your client because it’s easier to find your symmetric encryption key than it is to break SSL. And while you could use asymmetric encryption you’ll be basically re-inventing SSL.

I would focus on making sure your SSL conversation is strong. Using only the strongest symmetric encryption: TripleDES, IDEA, AES if your server supports it. Take out the weaker algorithms so conversations can’t use the weaker encryption. Generate 1024+ public/private key pairs. That might not always be easy on your shared server, but your Java application could only choose to use TripleDES, IDEA, and AES.

Make sure you validate the server’s certificate on the client side so you ensure you aren’t talking to a false service. That basically means taking the server’s certificate and adding it to the keystore used on the client. If that’s Java you can use keytool to import a certificate and use that keystore as your TrustManager/KeyManager in your SSL conversation.

If you want to encrypt the data after it’s gone over the SSL conversation then you can encrypt/decrypt on the server only. But, you still have a key management problem. If you encrypt/decrypt how do you plan on securing the secret key on the server? That’s always the ugly problem that doesn’t have a simple answer.