Re: [PHP-WIN] Get/Post and Security Issues

Mon, 24 Jun 2002 11:42:44 -0700 

Here it is. Please note that all of this output from a function; if you
would like the PHP code that outputs this, please just ask.


<form
        action=<?=$_SERVER["PHP_SELF"]?>
        method=post
        name="login"
      >
    <tr>
      <td>
   <center>
        <!-- .:Login Table - Name & Pass:. --!>
       <table>
         <tr>
    <td>
      <span class=text>Name:
    </td>
    <td>
      <input
        type=text
        size=10
        name=usern
      >
    </td>
         </tr>
         <tr>
    <td>
      <span class=text>Pass:
    </td>
    <td>
      <input
        type=password
        size=10
        name=userp
      >
    </td>
         </tr>
         <tr>
    <td colspan=2><center>
      <input
        type=submit
        value="Login"
        class="submit"
        name="login"
        onsubmit="document.login.login.disabled='true'"
      ></center>
    </td>
         </tr>
         </form>

And there we are!

"Mikey" <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Can you send a copy of the HTML form that posts to your function?
>
> > -----Original Message-----
> > From: Brian Graham [mailto:[EMAIL PROTECTED]]
> > Sent: 24 June 2002 08:27
> > To: [EMAIL PROTECTED]
> > Subject: [PHP-WIN] Get/Post and Security Issues
> >
> >
> > Apache 1.3.26
> > PHP 4.2.1
> >
> > When I enter username and password information onto a page, it
> > uses Get and
> > puts the session ID along with the username and the password into the
URL,
> > despite my saying "method=post" in the form attributes.
> >
> > This seems like it would be a common problem, but my research
> > isn't bringing
> > up anything even remotely about it.
> >
> > I've done very, very little tweaking to my php.ini and httpd.conf to
give
> > you an idea of what defaults are in place still. Here is the
> > function code:
> >
> > function user_login() {
> >  global $usern;
> >  global $userp;
> >  global $feedback;
> >  global $loginswitch;
> >  if (!isSet($usern) && !isSet($userp))
> >   return FALSE;
> >  if ($usern == '' or $userp == '') {
> >   $loginswitch = FALSE;
> >   $feedback = "Username and/or password is missing.";
> >   return FALSE;
> >  }
> >  $uname = strtolower($usern);
> >  $query = "SELECT user_name, user_pass, user_isconfirmed
> >     FROM user
> >     WHERE user_name = '$usern'
> >     AND user_pass = '$userp'";
> >  $results = mysql_query($query) or die(mysql_error());
> >  $row = mysql_fetch_row($results);
> >  if ($usern == $row[0] && $userp == $row[1]) {
> >   $_SESSION['loginswitch'] = TRUE;
> >   $_SESSION['username'] = $usern;
> >   $feedback = "You are now logged in.";
> >   return TRUE;
> >  }
> >  else {
> >   $_SESSION['loginswitch'] = FALSE;
> >   $feedback = "Username of password are incorrect.";
> >   return FALSE;
> >  }
> > }
> >
> >
> >
> >
> >
> >
> >
> > --
> > PHP Windows Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> >
>







-- 
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to