The example here is a form on a website that, when submitted, needs to use the submitted information to go to a special URL with the login information all appended to it. You could have the form post with method GET, but that is limited to the typical ?variable=foo&variable2=bar format.
HTML Form
Typical form with three bits of information that submits to a file called ftp.php
<form action="../processing/ftp.php" method="post">
<p><label for="ftp-company-name">Company</label><input type="text" name="ftp-company-name" id="ftp-company-name" /></p>
<p><label for="ftp-user-name">User Name</label><input type="text" name="ftp-user-name" id="ftp-user-name" /></p>
<p><label for="ftp-password">Password</label><input type="password" name="ftp-password" id="ftp-password" /></p>
<p><input type="submit" id="ftp-submit" class="button" value="submit" /></p>
</form>
PHP file
This file reads in the POST variables (if they are set), builds the URL from them, and redirects to it. You’d probably want to clean up the POST variables for security purposes.
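<?php
// Build the FTP URL only when all three fields were submitted.
if (isset($_POST["ftp-company-name"], $_POST["ftp-user-name"], $_POST["ftp-password"])) {
    // rawurlencode() keeps characters such as "@", ":", "/" and line breaks
    // in the submitted values from changing the structure of the URL.
    $company  = rawurlencode($_POST["ftp-company-name"]);
    $username = rawurlencode($_POST["ftp-user-name"]);
    $password = rawurlencode($_POST["ftp-password"]);
    // ftp.example.com is a placeholder; the host name was lost from this snippet.
    $url = "ftp://$username:$password@ftp.example.com/$company";
    header("Location: $url");
    exit;
} else {
    // do nothing
}
?>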
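One way to do the cleanup mentioned above, as an added example rather than code from the original snippet: it validates the company and user name against an allowlist and leaves the password out of the URL, so the FTP client prompts for it and it never appears in the Location header or in logs. The host `ftp.example.com`, the function name `build_ftp_url` and the allowed character set are assumptions.

```php
<?php
// Added example. FTP_HOST is a placeholder and the allowlist is an assumption.
const FTP_HOST = 'ftp.example.com';

/**
 * Build the redirect target from untrusted form values, or return null.
 * The password is deliberately left out: the FTP client prompts for it,
 * so it never reaches the Location header, browser history or any log.
 */
function build_ftp_url(string $company, string $username): ?string
{
    // Allowlist: letters, digits, dot, underscore, hyphen; 1 to 64 characters.
    // \A and \z anchor the whole string, so a trailing line break cannot pass.
    $pattern = '/\A[A-Za-z0-9._-]{1,64}\z/';
    if (!preg_match($pattern, $company) || !preg_match($pattern, $username)) {
        return null;
    }
    // "." and ".." pass the allowlist but would change the directory reached.
    if ($company === '.' || $company === '..') {
        return null;
    }
    $url = 'ftp://' . rawurlencode($username) . '@' . FTP_HOST
         . '/' . rawurlencode($company);
    // Defence in depth: the parsed host must still be the intended one.
    return parse_url($url, PHP_URL_HOST) === FTP_HOST ? $url : null;
}

// Constructed sample inputs: [company, username].
$samples = [
    ['acme', 'alice'],                      // well-formed
    ['acme', 'alice@other.example'],        // "@" would shift the host if concatenated raw
    ['..', 'alice'],                        // dot segment
    ["acme\r\nX-Test: 1", 'alice'],         // line break aimed at the header
];
foreach ($samples as [$company, $username]) {
    $url = build_ftp_url($company, $username);
    echo json_encode([$company, $username], JSON_UNESCAPED_SLASHES),
         ' => ', $url ?? 'rejected', PHP_EOL;
}
```

In ftp.php, pass the two `$_POST` values to `build_ftp_url()`, send the `Location` header only when it returns a URL, and answer with a 400 status otherwise.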
Seems a little insecure
It is absolutely secure. PHP is a very secure server scripting language. This is a good snippet and you can use it as your FTP login form. Its work is simple, to just replace the sent username, password and company name to those variables provided in the URL.
@Umar PHP is only secure if you take the proper steps to make it so. It’s not automatic.
Thanks for the tutorial!
How can you avoid “phishing” or “fraudulent site” warnings in some browsers like Safari when submitting the form?
I have to agree with Will – this is terribly insecure. The redirect will perform a ‘GET’ request with the password right in the URL, which will leave passwords in plain text in server logs, including 3rd party proxy servers. Also, anytime you are sending a password across the wire you should restrict the communication to https. Just because PHP _can_ be secure, doesn’t mean that you don’t need to be aware of basic secure coding practices – the tools won’t protect you from incorrect use.
Yes Mr. Allan, I tried the script on my server and checked the server log; it does leave the password open.
Kinda insecure, I agree with Allan. I tried this code with my server, and this does leave a trace in the logs :(
I agree with most comments here: never attach any string that should be encoded right away to URLs, and try to avoid at any cost URLs formed from user input, for it's not so hard for a malicious user to DoS your server.
It's simple…
We can make an encrypted password by using the MD5 algorithm function
$uname = mysql_escape_string($_POST['uname']);
$pass = mysql_escape_string($_POST['pass']);
It’s actually insecure as well. MD5 is a very fast algorithm meaning that someone can run billions of combinations on a single GPU to brute-force their way in.
Sha512 is where it's at.
This looks simple; however, it is vulnerable to XSS attack. This could lead to a database injection too.
Then, what is a good solution for how to handle that case? I'm new to PHP. Thanks