views:

205

answers:

1

I put the variables email and password from POST to GET such that

Part of my *handle_login_form.php*

    header("Location: /codes/index.php?ask_question&" . "email=" . $_POST['email'] . "&" . "passhash_md5=" . md5($_POST['password']) );

The user then clicks the About link. He should have the login info in the url, but he does not. He has only index.php?about&.

Part of my index.php

    if (isset($_GET['email'])) {
        echo  ("<li><a href='?about&email='" .
            $_GET['email'] .
            "&passhash_md5" .
            $_GET['passhash_md5'] .
            ">About</a></li>");
    } else {
        echo "<li><a href='?about'>About</a></li>";
    }

This is what is happening

STEP      | handle_login_form.php  index.php?email&passhash_md5    index.php?about&
protocol  | POST                -> GET                          -> GET
----------------------------------------------------------------------------------
variables | password               passhash_md5                    passhash_md5
          | email                  email                           email
                                                                   Problem HERE!
+2  A: 

You need to escape the & character in HTML. Use &amp; instead of & for every ampersand that is printed in HTML.

You also added an extra single quote in your second statement. This is a fixed version:

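    // "&" is written as "&amp;" inside the HTML attribute, and the "=" that was
    // missing after passhash_md5 is added so the value is parsed as a parameter.
    echo ("<li><a href='?about&amp;email=" .
        $_GET['email'] .
        "&amp;passhash_md5=" .
        $_GET['passhash_md5'] .
        "'>About</a></li>");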

Keep in mind that it is unsafe to store (a hash of) the password in your query string: everyone sniffing the data can spoof the user by just copying the right URL. Consider using a session cookie instead.

Scharrels
Masi
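
The session-cookie approach suggested in the answer, as an added example that is not part of the original question or answer. The function names, the `find_password_hash()` lookup and its sample account are hypothetical; it assumes PHP 7.4+ and a site served over HTTPS.

```php
<?php
declare(strict_types=1);

// Hypothetical user lookup with one constructed sample account; a real site queries its database.
function find_password_hash(string $email): ?string
{
    static $users = null;
    $users ??= ['alice@example.com' => password_hash('sample-password', PASSWORD_DEFAULT)];
    return $users[$email] ?? null;
}

// Replaces the redirect in handle_login_form.php: the identity is stored server-side,
// so neither the email nor any password hash is ever placed in a URL.
function handle_login(string $email, string $password): bool
{
    $hash = find_password_hash($email);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // new session id at login prevents session fixation
    $_SESSION['email'] = $email;
    return true;
}

// Menu link builder: values are URL-encoded, then the whole attribute is HTML-escaped,
// which turns "&" into "&amp;" and neutralises quotes in user-supplied values.
function nav_link(string $page, string $label, array $params = []): string
{
    $query = $page . ($params ? '&' . http_build_query($params, '', '&') : '');
    return "<li><a href='?" . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . "'>"
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . "</a></li>";
}

// Assumption: the site is served over HTTPS, so the cookie can be marked Secure.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
    && handle_login((string)($_POST['email'] ?? ''), (string)($_POST['password'] ?? ''))) {
    header('Location: /codes/index.php?ask_question');   // no credentials in the redirect
    exit;
}

echo nav_link('about', 'About');
if (isset($_SESSION['email'])) {
    echo '<li>Logged in as ' . htmlspecialchars($_SESSION['email'], ENT_QUOTES, 'UTF-8') . '</li>';
}
```

Because the login state travels in the session cookie, every menu link can stay a plain `?about` and nothing sensitive ends up in browser history, Referer headers or server access logs.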