Append Login Credentials to URL

The example here is if you had a form on a website that when submitted, needed to use that information to go to a special URL where the login information was all appeneded to the URL. You could have the form post with method GET, but that is limited to the typical ?variable=foo&variable2=bar format.


Typical form with three bits of information that submits to a file called ftp.php

<form action="../processing/ftp.php" method="post">
<p><label for="ftp-company-name">Company</label><input type="text" name="ftp-company-name" id="ftp-company-name" /></p>
<p><label for="ftp-user-name">User Name</label><input type="text" name="ftp-user-name" id="ftp-user-name" /></p>
<p><label for="ftp-password">Password</label><input type="password" name="ftp-password" id="ftp-password" /></p>
<p><input type="submit" id="ftp-submit" class="button" value="submit" /></p>

PHP file

This file reads in the POST variables (if they are set), builds the URL from them, and redirects to it. You'd probably want to clean up the POST variables for security purposes.


    if (isset($_POST["ftp-company-name"])) {
        $company = $_POST["ftp-company-name"];
        $username = $_POST["ftp-user-name"];
        $password = $_POST["ftp-password"];
        $url = "ftp://$username:$$company";
        header( "Location: $url" ) ;
    } else {
        // do nothing



  1. User Avatar
    Permalink to comment#

    Seems a little insecure

    • User Avatar
      Umar Farooque

      It is absolutely secure. PHP is a very secure server scripting language. In this a good snippet and you can use it as your FTP login form. It’s work is simple, to just replace the sent username, password and and company name to those variables provided in the url.

    • User Avatar
      Permalink to comment#

      @Umar PHP is only secure if you take the proper steps to make it so. It’s not automatic.

  2. User Avatar
    em gi
    Permalink to comment#

    Thanks for the tutorial!
    How can you avoid “phishing” or “fraudulent site” warnings in some browsers like Safari when submitting the form?

  3. User Avatar
    Allan Nienhuis
    Permalink to comment#

    I have to agree with Will – this is terribly insecure. The redirect will perform a ‘GET’ request with the password right in the URL, which will leave passwords in plain text in server logs, including 3rd party proxy servers. Also, anytime you are sending a password across the wire you should restrict the communication to https. Just because PHP _can_ be secure, doesn’t mean that you don’t need to be aware of basic secure coding practices – the tools won’t protect you from incorrect use.

    • User Avatar
      Permalink to comment#

      Yes Mr.Allan I tried the script in my server and checked the server log it do leave the password open .

  4. User Avatar
    Permalink to comment#

    Kinda insecure i agree with Allan . I tried this code with my server , this do leave trace in logs :(

  5. User Avatar
    Jenny T
    Permalink to comment#

    I’m agree with most comments here, never attach any string that should be encoded right away to URLs, and try to avoid by any cost
    URLs formed by the user input for it’s not so hard for a malicious user to DoS your server.

  6. User Avatar

    Its Simple …..

    we can make Encrypted password by using MD5 Algorithm function

    $uname = mysql_escape_string($_POST[‘uname’]);
    $pass = mysql_escape_string($_POST[‘pass’]);

    $pass = md5($pass);  // MD5 Encryption
    • User Avatar
      Permalink to comment#

      It’s actually insecure as well. MD5 is a very fast algorithm meaning that someone can run billions of combinations on a single GPU to brute-force their way in.

    • User Avatar
      Michael Hanon

      Sha512 is where its at.

  7. User Avatar
    Permalink to comment#

    This look simple however it is vulnerable for XSS attack. This could lead to a database injection too.

Leave a Comment

Posting Code!

You may write comments in Markdown. This makes code easy to post, as you can write inline code like `<div>this</div>` or multiline blocks of code in triple backtick fences (```) with double new lines before and after.

Code of Conduct

Absolutely anyone is welcome to submit a comment here. But not all comments will be posted. Think of it like writing a letter to the editor. All submitted comments will be read, but not all published. Published comments will be on-topic, helpful, and further the discussion or debate.

Want to tell us something privately?

Feel free to use our contact form. That's a great place to let us know about typos or anything off-topic.