Append Login Credentials to URL

Suppose you have a form on a website that, when submitted, needs to use the entered information to go to a special URL with the login information appended to it. You could have the form submit with method GET, but that is limited to the typical ?variable=foo&variable2=bar format.


Typical form with three bits of information that submits to a file called ftp.php

<form action="../processing/ftp.php" method="post">
<p><label for="ftp-company-name">Company</label><input type="text" name="ftp-company-name" id="ftp-company-name" /></p>
<p><label for="ftp-user-name">User Name</label><input type="text" name="ftp-user-name" id="ftp-user-name" /></p>
<p><label for="ftp-password">Password</label><input type="password" name="ftp-password" id="ftp-password" /></p>
<p><input type="submit" id="ftp-submit" class="button" value="submit" /></p>
</form>

PHP file

This file reads in the POST variables (if they are set), builds the URL from them, and redirects to it. You'd probably want to clean up the POST variables for security purposes.


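    <?php
    // Only act when the form has been submitted.
    if (isset($_POST["ftp-company-name"])) {
        $company = $_POST["ftp-company-name"];
        $username = $_POST["ftp-user-name"];
        $password = $_POST["ftp-password"];
        // Credentials go in the userinfo part of the URL; the host part is taken from the company field.
        $url = "ftp://$username:$password@$company";
        header("Location: $url");
        exit; // stop the script once the redirect header is sent
    } else {
        // do nothing
    }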
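
One way to do the cleanup mentioned above, as an added example rather than code from the original snippet: the company field only selects a host from an allowlist, and the user name and password are percent-encoded before they go into the URL. The `FTP_HOSTS` map, its host names and `build_ftp_url()` are assumptions made for illustration.

```php
<?php
// Added example: validates the three form fields before building the FTP URL.
// The allowlist and its host names are constructed placeholders.
const FTP_HOSTS = [
    'acme'    => 'ftp.acme.example',
    'initech' => 'ftp.initech.example',
];

/**
 * Returns a well-formed ftp:// URL, or null if any field fails validation.
 */
function build_ftp_url(array $post): ?string
{
    foreach (['ftp-company-name', 'ftp-user-name', 'ftp-password'] as $field) {
        // Reject missing, non-string (e.g. array) or empty values.
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return null;
        }
    }

    // The company only selects a host from the allowlist; user input never
    // becomes the host itself, so the redirect cannot be pointed elsewhere.
    $company = strtolower(trim($post['ftp-company-name']));
    if (!array_key_exists($company, FTP_HOSTS)) {
        return null;
    }

    $username = $post['ftp-user-name'];
    $password = $post['ftp-password'];

    // Control characters (CR, LF, NUL, ...) have no place in a Location header.
    if (preg_match('/[\x00-\x1F\x7F]/', $username . $password)) {
        return null;
    }

    // Percent-encode the userinfo so ':', '@', '/' and '#' in a password
    // cannot change where the URL's host part begins.
    return sprintf('ftp://%s:%s@%s/', rawurlencode($username), rawurlencode($password), FTP_HOSTS[$company]);
}

$url = build_ftp_url($_POST);
if ($url === null) {
    http_response_code(400);
    exit('Invalid login details.');
}
header('Location: ' . $url);
exit;
```

The password still ends up in the redirect URL, so this handles malformed or hostile input, not the logging exposure raised in the comments below.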



  1. will

    Seems a little insecure

    • Umar Farooque

      It is absolutely secure. PHP is a very secure server scripting language. This is a good snippet and you can use it as your FTP login form. Its work is simple: to just replace the sent username, password and company name into those variables provided in the URL.

    • chrisburton

      @Umar PHP is only secure if you take the proper steps to make it so. It’s not automatic.

  2. em gi

    Thanks for the tutorial!
    How can you avoid “phishing” or “fraudulent site” warnings in some browsers like Safari when submitting the form?

  3. Allan Nienhuis

    I have to agree with Will – this is terribly insecure. The redirect will perform a ‘GET’ request with the password right in the URL, which will leave passwords in plain text in server logs, including 3rd party proxy servers. Also, anytime you are sending a password across the wire you should restrict the communication to https. Just because PHP _can_ be secure, doesn’t mean that you don’t need to be aware of basic secure coding practices – the tools won’t protect you from incorrect use.

    • Aaryadev

      Yes, Mr. Allan, I tried the script on my server and checked the server log; it does leave the password open.

  4. Aaryadev

    Kinda insecure, I agree with Allan. I tried this code with my server; this does leave a trace in the logs :(

  5. Jenny T

    I agree with most comments here: never attach any string that should be encoded right away to URLs, and try to avoid at any cost URLs formed from user input, for it’s not so hard for a malicious user to DoS your server.

  6. mr.khan

    It’s simple…

    We can make an encrypted password by using the MD5 algorithm function:

    $uname = mysql_escape_string($_POST['uname']);
    $pass = mysql_escape_string($_POST['pass']);

    $pass = md5($pass);  // MD5 Encryption
    • Sim00n

      It’s actually insecure as well. MD5 is a very fast algorithm meaning that someone can run billions of combinations on a single GPU to brute-force their way in.

    • Michael Hanon

      Sha512 is where it’s at.

  7. jacktheking

    This looks simple; however, it is vulnerable to XSS attack. This could lead to a database injection too.
