Append Login Credentials to URL

Suppose you have a form on a website that, when submitted, needs to send the visitor to a special URL with the login information appended to it. You could have the form submit with method GET, but that is limited to the typical ?variable=foo&variable2=bar format.

HTML Form

A typical form with three fields that submits to a file called ftp.php:

<form action="../processing/ftp.php" method="post">
<p><label for="ftp-company-name">Company</label><input type="text" name="ftp-company-name" id="ftp-company-name" /></p>
<p><label for="ftp-user-name">User Name</label><input type="text" name="ftp-user-name" id="ftp-user-name" /></p>
<p><label for="ftp-password">Password</label><input type="password" name="ftp-password" id="ftp-password" /></p>
<p><input type="submit" id="ftp-submit" class="button" value="submit" /></p>
</form>

PHP file

This file reads in the POST variables (if they are set), builds the URL from them, and redirects to it. You'd probably want to clean up the POST variables for security purposes.

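<?php

    // Only proceed when all three form fields were submitted
    if (isset($_POST["ftp-company-name"], $_POST["ftp-user-name"], $_POST["ftp-password"])) {

        // Percent-encode each value so characters like "@", ":" or "/" cannot change the URL's structure
        $company  = rawurlencode($_POST["ftp-company-name"]);
        $username = rawurlencode($_POST["ftp-user-name"]);
        $password = rawurlencode($_POST["ftp-password"]);

        // Build the FTP URL with the credentials embedded in it
        $url = "ftp://$username:$password@ftp2.edgeconsult.com/$company";

        // Redirect the browser and stop the script
        header("Location: $url");
        exit;

    } else {

        // do nothing

    }

?>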
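
Following up on the note about cleaning up the POST variables, here is an added example (not the original snippet's code) that validates the three fields and performs the FTP login on the server over TLS, so the password never appears in a redirect URL. It assumes the host accepts explicit FTPS and that PHP has the FTP extension with OpenSSL; the allowlist patterns and the helper names `validate_ftp_form` and `list_company_files` are hypothetical.

```php
<?php
// Added example, not the original snippet. Assumes PHP's FTP extension with
// OpenSSL and a server that accepts explicit FTPS (both are assumptions).
const FTP_HOST = 'ftp2.edgeconsult.com'; // host from the snippet above

// Return [company, username, password], or null if a field is missing or malformed.
function validate_ftp_form(array $post): ?array
{
    $company  = $post['ftp-company-name'] ?? '';
    $username = $post['ftp-user-name'] ?? '';
    $password = $post['ftp-password'] ?? '';
    if (!is_string($company) || !is_string($username) || !is_string($password)) {
        return null;
    }
    // Allowlist what ends up in a path or login name (character set is an assumption).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $company)
        || !preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $username)) {
        return null;
    }
    // Reject control characters (CR, LF, NUL) that could split FTP commands.
    if ($password === '' || preg_match('/[\x00-\x1F\x7F]/', $password)) {
        return null;
    }
    return [$company, $username, $password];
}

// Log in over TLS from the server side and return the company directory listing.
function list_company_files(string $company, string $username, string $password): ?array
{
    $ftp = ftp_ssl_connect(FTP_HOST, 21, 10);
    if ($ftp === false) {
        return null;
    }
    $files = null;
    // @ keeps the login warning out of the response; failure is handled below.
    if (@ftp_login($ftp, $username, $password) && ftp_pasv($ftp, true)) {
        $list  = ftp_nlist($ftp, '/' . $company);
        $files = ($list === false) ? null : $list;
    }
    ftp_close($ftp);
    return $files;
}

$form  = validate_ftp_form($_POST);
$files = $form ? list_company_files(...$form) : null;
if ($files === null) {
    http_response_code(400);
    exit('Login failed.');
}
echo implode("<br>\n", array_map('htmlspecialchars', $files));
```

The form itself should also be served and submitted over HTTPS so the password is protected on the way to this script.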

Comments

  1. will

    Seems a little insecure

    • It is absolutely secure. PHP is a very secure server scripting language. This is a good snippet and you can use it as your FTP login form. Its work is simple: to just replace the sent username, password and company name to those variables provided in the URL.

    • @Umar PHP is only secure if you take the proper steps to make it so. It’s not automatic.

  2. em gi

    Thanks for the tutorial!
    How can you avoid “phishing” or “fraudulent site” warnings in some browsers like Safari when submitting the form?

  3. Allan Nienhuis

    I have to agree with Will – this is terribly insecure. The redirect will perform a ‘GET’ request with the password right in the URL, which will leave passwords in plain text in server logs, including 3rd party proxy servers. Also, anytime you are sending a password across the wire you should restrict the communication to https. Just because PHP _can_ be secure, doesn’t mean that you don’t need to be aware of basic secure coding practices – the tools won’t protect you from incorrect use.

    • Yes, Mr. Allan, I tried the script on my server and checked the server log; it does leave the password open.

  4. Kinda insecure, I agree with Allan. I tried this code with my server; this does leave a trace in the logs :(

  5. Jenny T

    I agree with most comments here: never attach any string that should be encoded right away to URLs, and try to avoid at any cost URLs formed by the user input, for it’s not so hard for a malicious user to DoS your server.

  6. mr.khan

    It's simple…

    We can make an encrypted password by using the MD5 algorithm function:

    $uname = mysql_escape_string($_POST['uname']);
    $pass = mysql_escape_string($_POST['pass']);

    $pass = md5($pass);  // MD5 Encryption
    
    • Sim00n

      It’s actually insecure as well. MD5 is a very fast algorithm meaning that someone can run billions of combinations on a single GPU to brute-force their way in.

  7. This looks simple; however, it is vulnerable to XSS attack. This could lead to a database injection too.
