Login and pass showing in url..

thefisherman

This line of code here:

<? echo '<a href="order.php?login='.$login.'&passw='.$password.'"><img src="/button.jpg" border=0 align="center">';?>

shows the user's login and id in the link to the next page.

How can i avoid this?

thnx

thefisherman

Sorry,

i meant login and password, not id.

thefisherman

mystrymaster

it's showing it in the url because you are putting it in the url

If you would like to do it with an image you can simply have a form with the image as the submit button and use method='post'

thefisherman

As the subject says!

Thanx

thefisherman

Weedpacket

Why would you be writing the login and password in the page for all the world to see anyway? Once the user has logged in to begin with those things shouldn't be leaving the server.

thefisherman

Well,

Whenever a user logs in, has login & password are checked in the database.

So when a user keeps surfing the pages, checking out in the end, i should know who it is.

The session_id() and the l/p alltogether would do the trick, but it resulted in a link to the final procedure, which (in my case) holds the l/p

I guess session registering the l/p could do it?

Anyway, since i am not entirely clear on the matter, i am open to any suggestions.

thefisherman

Weedpacket

Yes, once you've confirmed that the username and password the user has supplied are valid, put them in $SESSION['login'] and $SESSION['password'] (assuming you need to check them on every page anyway).

----order.php-----8<---------
session_start();
if(!isset($_SESSION['login']))
{ // Not logged in at all.
   // Deal with this case (e.g., redirect
  // them to an appropriate page) and
  // exit.
}
$login = $_SESSION['login'];
$password = $_SESSION['login'];
...

The only thing that gets sent out to the client is then the session ID. Anything else that needs to be retained from page to page during a session is kept on the server.

thefisherman

I figured it'd be something like that,

I'll give it a go and reply later with results.

Thanx a lot!

thefisherman

Ok,

i've done this:

session_register("loginok");

$loginok=$login;

session_register("logok");

$passwordok=$password;

This is done in the script which is called upon from the l/p form.

So the l/p fields are filled out, the form is submitted, the 2 vars are checked to see if they're set (!isset());, if so, the login & pass are checked in the database and when they exist, they're registered. I removed 2 the 2 vars from the button, not showing anything in the link, and it works like a charm, thanks a lot!

I had a little trouble with your code, somehow $_SESSION['loginok']; and $loginok=$login; didn't work. I tried echoe'ing the vars on the next page and got blank.

thefisherman

Oops,

sorry for wrong PHP-makeup!

thefisherman