tags:

views:

180

answers:

3
Q: 

Passing arguments via header in php

I have got 3 files with me.

login.html
login_check.php
welcome.php

In login.html when the username and password is entered and submit button is clicked login_check.php checks whether the username entry is in the database on the basis of $_POST['username'] and some SQL querry. Now I have put the following code at the bottom of login_check.php

login_check.php

header('Location:welcome.php')

But I want to pass $_POST['username'] from login_check.php to welcome.php so that I can make use of $_POST['username'] in my welcome page. Is there any way by which I can pass an argument like in the above case?

A: 

This can be done using QUERY_STRING (I am sure you have seen it before - these ?'s and &'s in the address bar), but you shouldn't do it as it's just insecure.

A session is the common way to store a username after login and authorization in general.

Col. Shrapnel  2010-05-21 07:47:27
Yep, don't do it this way, use the $_SESSION super global.
Rich Bradshaw  2010-05-21 07:49:14
+4  A: 

Use session instead because you would be showing the user's name everytime on the welcome page no matter which page you land at welcome page.

You can set the session on login_check page like:

session_start(); // this should be on top of login_check file

// this goes just before redirect line
$_SESSION['username'] = $_POST['username'];

Now on the welcome page, you can show username like:

session_start(); // this should be on top of welcome page.
echo `Welcome ` . $_SESSION['username'];
Sarfraz  2010-05-21 07:49:17
A: 

The session should only be used for session data - not for data relating to a specific page transition. However recording the fact the user has been authenticated and the the username with which they authenticated is session data.

So while you shouldn't use session data to pass information from login.php to login_check.php, in login_check.php, if the authentication is succesful, then you should then store the authenticated username in the session.

While, as Col. Shrapnel says you could do:

header('Location:welcome.php?username=' . urlencode($_POST['username']));

This is trivial to circumvent - you just need to type welcome.php?username=admin into your browser to break the security.

If that's still not clear, consider the situation where the user has two browser windows open at the same time, navigating through different parts of the site (i.e. using same session data). If both browser submit data at the same time which is written to the session and you're not sure of the outcome, then you probably shouldn't be keeping the data in the session.

HTH

C.

symcbean  2010-05-21 08:09:00
That will show the user name only for the first time that is coming from login_check page but that is not what he is looking for.
Sarfraz  2010-05-21 08:11:49

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases