URLENCODE for location

chr158

Hi,

I have a login page containing a form with two fields named user and pass.

This form is then POSTED to a validate page. Where it takes the two fields and tries to conect to my MSSSQL server and DB. This is so that the MSSQL securites can be used through my application. I am not using using a USERS table in the DB as it is more work, therefore suing the MSSQL users I can control simply the access and permissions taht each login has.

My problem is that the fields are been lost. I have checked my PHP.ini file and everything seems to be in place to allow globals to be used access but its not working. 😕

The only I seem to be able to work this is to pass the credentials through the URL after a validation so that my pages can then run the queries and gain the connection to my server and DB.

So then, my question is, is it possible to use the URLENCODE function in the header.location function?

The reason for this is so that my usernames and passwords are not humanly readable by the users. If the user can read the two credentials and know a higher up login credentials, they can simply overwrite the URL and have access to the permissions that their own login does not permit.

I have attached below my validate code.

<?
$myServer = "SERVERNAME\PHP";
$myDB = "DBNAME";

$connection = @mssql_connect($myServer, $user, $pass) ;
if (!$connection)
{
header("Location: http://IPADDRESS/invalid.php");
}

$db = @mssql_select_db($myDB, $connection) ;
if (!$db)
{
header("Location: http://IPADDRESS/invalid.php");
}

if ($connection)
{

header("Location: http://IPADDRESS/main.php?user=$user&pass=$pass");
}
?>

If you need to see more code, I shall attach it.

Thank you very much in advance 😉

tsinka

Hi,

I would suggest to use sessions. If you use sessions you can place the two variables into a session and access them from any other page. To make thinks a little bit more secure you could store the two values encrypted in the session because people with shell access might access the clear text session data.

feldon23

Ok, this is one of those cases of instead of us trying to help you make THIS code work, can we help you have BETTER code?

I would say that depending on globals is not good especially when working completely WITHOUT globals is so easy.

Having username and password in the URL is also not good since if someone logs into your site on a friend's computer, suddenly that friend can go into their History and see the login and password plain as day. And it sounds like you have recognized this as a concern anyway!

Can you please post the Form code?

If the name and password are coming in as INPUT type=TEXT fields then you should not need to RAWURLENCODE or RAWURLDECODE anything (URLENCODE and URLDECODE suck!).

The only time I have found that I needed to use those 2 functions was if I was putting a strange NAME for a form field.

I think instead of header, why not use Require?

Here's my shot at your code from what I can see:

<?php
$myServer = "SERVERNAME\PHP";
$myDB = "DBNAME";
$submit = $HTTP_POST_VARS['submit'];
$php_self = $HTTP_SERVER_VARS['PHP_SELF'];

if (!$submit) {
  $html=<<<QQQ
<html><body>
Enter your username & password:
<form action="{$php_self}" method="POST">
<b>User:</b> <input type="text" name="user"><br>
<b>Password:</b> <input type="password" name="password"><br>
<input type="submit" name="submit" value="Login"><br>
</form>
</body></html>
QQQ;
  echo $html;
} else {
  $user = $HTTP_POST_VARS['user'];
  $pass = $HTTP_POST_VARS['pass'];
  $connection = @mssql_connect($myServer, $user, $pass);
  if (!$connection) {
    require('invalid.php');
  }

  $db = @mssql_select_db($myDB, $connection);
  if (!$db) {
    require('invalid.php');
  }

  if ($connection) {
    require('main.php');
  }
}
?>