Can you send a copy of the HTML form that posts to your function?

> -----Original Message-----
> From: Brian Graham [mailto:[EMAIL PROTECTED]]
> Sent: 24 June 2002 08:27
> To: [EMAIL PROTECTED]
> Subject: [PHP-WIN] Get/Post and Security Issues
>
>
> Apache 1.3.26
> PHP 4.2.1
>
> When I enter username and password information onto a page, it uses Get and
> puts the session ID along with the username and the password into the URL,
> despite my saying "method=post" in the form attributes.
>
> This seems like it would be a common problem, but my research isn't bringing
> up anything even remotely about it.
>
> I've done very, very little tweaking to my php.ini and httpd.conf to give
> you an idea of what defaults are in place still. Here is the function code:
>
> function user_login() {
>  global $usern;
>  global $userp;
>  global $feedback;
>  global $loginswitch;
>  if (!isSet($usern) && !isSet($userp))
>   return FALSE;
>  if ($usern == '' or $userp == '') {
>   $loginswitch = FALSE;
>   $feedback = "Username and/or password is missing.";
>   return FALSE;
>  }
>  $uname = strtolower($usern);
>  $query = "SELECT user_name, user_pass, user_isconfirmed
>     FROM user
>     WHERE user_name = '$usern'
>     AND user_pass = '$userp'";
>  $results = mysql_query($query) or die(mysql_error());
>  $row = mysql_fetch_row($results);
>  if ($usern == $row[0] && $userp == $row[1]) {
>   $_SESSION['loginswitch'] = TRUE;
>   $_SESSION['username'] = $usern;
>   $feedback = "You are now logged in.";
>   return TRUE;
>  }
>  else {
>   $_SESSION['loginswitch'] = FALSE;
>   $feedback = "Username or password is incorrect.";
>   return FALSE;
>  }
> }
>
> --
> PHP Windows Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php