By any chance, does the browser have cookies disabled? I know when a session
can't go to a cookie, it goes to the URL.

-Dash

-----Original Message-----
From: Brian Graham [mailto:[EMAIL PROTECTED]] 
Sent: Monday, June 24, 2002 12:27 AM
To: [EMAIL PROTECTED]
Subject: [PHP-WIN] Get/Post and Security Issues


Apache 1.3.26
PHP 4.2.1

When I enter username and password information onto a page, it uses Get and
puts the session ID along with the username and the password into the URL,
despite my saying "method=post" in the form attributes.

This seems like it would be a common problem, but my research isn't bringing
up anything even remotely about it.

I've done very, very little tweaking to my php.ini and httpd.conf to give
you an idea of what defaults are in place still. Here is the function code:

function user_login() {
    global $usern;
    global $userp;
    global $feedback;
    global $loginswitch;
    // Nothing submitted yet: not a login attempt.
    if (!isSet($usern) && !isSet($userp))
        return FALSE;
    if ($usern == '' or $userp == '') {
        $loginswitch = FALSE;
        $feedback = "Username and/or password is missing.";
        return FALSE;
    }
    $uname = strtolower($usern);
    // Escape both values before they go into the SQL string
    // (assumes they arrive unescaped).
    $usern_sql = mysql_escape_string($usern);
    $userp_sql = mysql_escape_string($userp);
    $query = "SELECT user_name, user_pass, user_isconfirmed
        FROM user
        WHERE user_name = '$usern_sql'
        AND user_pass = '$userp_sql'";
    $results = mysql_query($query) or die(mysql_error());
    $row = mysql_fetch_row($results);
    // $row is FALSE when no record matched, so check it first.
    if ($row && $usern == $row[0] && $userp == $row[1]) {
        $_SESSION['loginswitch'] = TRUE;
        $_SESSION['username'] = $usern;
        $feedback = "You are now logged in.";
        return TRUE;
    }
    else {
        $_SESSION['loginswitch'] = FALSE;
        $feedback = "Username or password are incorrect.";
        return FALSE;
    }
}







-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
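
One way to write the login step so that neither the credentials nor the session ID end up in the URL, as an added example that is not part of the original thread. It assumes a current PHP with the PDO SQLite driver (not the PHP 4.2.1 of the post), form fields named usern and userp, and a user_pass column that holds a password hash; the in-memory table and the sample account are constructed.

```php
<?php
// Added example: assumes a current PHP with the PDO SQLite driver.
// Keep the session ID in a cookie only, never appended to URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

function user_login(PDO $db, array $post, &$feedback)
{
    // Read credentials from the POST body only, so anything placed in
    // the query string is ignored (field names are assumptions).
    $usern = isset($post['usern']) ? (string) $post['usern'] : '';
    $userp = isset($post['userp']) ? (string) $post['userp'] : '';
    if ($usern === '' || $userp === '') {
        $feedback = 'Username and/or password is missing.';
        return false;
    }
    // Bound parameter: the user name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT user_name, user_pass FROM user WHERE user_name = ?');
    $stmt->execute([$usern]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($userp, $row['user_pass'])) {
        $_SESSION['loginswitch'] = false;
        $feedback = 'Username or password are incorrect.';
        return false;
    }
    // Issue a fresh session ID at login, so an ID that was exposed
    // before authentication is no longer valid afterwards.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['loginswitch'] = true;
    $_SESSION['username'] = $row['user_name'];
    $feedback = 'You are now logged in.';
    return true;
}

// Constructed demo data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_name TEXT PRIMARY KEY, user_pass TEXT)');
$db->prepare('INSERT INTO user VALUES (?, ?)')
   ->execute(['brian', password_hash('example-pass', PASSWORD_DEFAULT)]);

$_SESSION = [];
var_dump(user_login($db, ['usern' => 'brian', 'userp' => 'example-pass'], $feedback));
var_dump(user_login($db, ['usern' => 'brian', 'userp' => 'wrong-pass'], $feedback));
```

In a web request, pass `$_POST` as the second argument and call `session_start()` after the two `ini_set()` lines.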
