For some web development practice, I decided to make a Dropbox-like site where users would log in with a username and password and, assuming the combination is correct, would have access to a file uploader interface as well as a way to retrieve their files. I have something that works, but I have run into one problem. As soon as the user submits their username and password, the page is reloaded (this is fine) with the new PHP code; however, the URL changes slightly so that it reveals both the username and the password. Can someone tell me how to prevent this from happening?
Here is the index.php file:
<?php
function checkCredentials()
{
    // The login form at the bottom of this file has no method attribute, so the
    // browser submits it with GET and the username and password arrive here in
    // the query string (and therefore in the URL).
    if ($_GET && $_GET["username"] == "kwaugh" && $_GET["password"] == "password")
    {
?>
<html>
<head>
<title>File Storage</title>
<style>
body{font-size:.85em ;font-family:Arial;}
</style>
</head>
<body>
<center>
<br>Please select the file that you would like to upload:<br><br>
<form method="post" enctype="multipart/form-data">
<input type="file" name="filename"/>
<input type="submit" value="Upload" />
</form>
</center>
</body>
</html>
<?php
        if ($_FILES)
        {
            // basename() strips any directory part from the client-supplied file
            // name so the upload can only be written into this script's directory.
            $name = basename($_FILES['filename']['name']);
            move_uploaded_file($_FILES['filename']['tmp_name'], $name);
            if (file_exists($name))
            {
?>
<html>
<body>
<div style="color:red; font-size:2em; font-family:Arial">
<center>The file has been successfully uploaded <br />Click <a href="getFiles.php">here</a> to go to your uploaded files</center>
</div>
</body>
</html>
<?php
            }
            else
            {
?>
<html>
<body>
<div style="color:red; font-size:2em; font-family:Arial">
<center>Well crap, something went wrong. The file could not be uploaded :'( </center>
</div>
</body>
</html>
<?php
            }
        }
        die();
    }
    elseif ($_GET && $_GET["username"] !== "kwaugh" || $_GET && $_GET["password"] !== "password")
    {
?>
<script>
alert("You have entered an incorrect username/password combination");
</script>
<?php
    }
}
checkCredentials();
?>
<html>
<head>
<title>File Storage</title>
</head>
<body> <br /><br />
<center>
<img src="elephant.jpg">
<form name="credentials">
Please enter your username and password to upload files: <br />
Username: <input type="text" name="username"><br />
Password: <input type="password" name="password"><br />
<input type="submit" value="Submit" >
</form>
<br />Or click <a href="getFiles.php">here</a> to access stored files.
</center>
</body>
</html>
Use POST for your credentials form. By default, the method is GET, which will append the parameters in the URL. Obviously, this means checking variables in the $_POST array instead of the $_GET array.

If I can give another suggestion, I would split the application in multiple files. You shouldn't have the login and the upload interface in the same script, otherwise you will have major problems scaling up your application.

- html/php files would make it easier to do
- .php files to minimize conflicts when editing the files

A lot of web applications will be split in multiple pages (often implemented in a controller) where you would have the following:

- Welcome Page (landing page, allow to log in, allow sign in, display information about your product)
- Authentication Page (validate log in then redirect to the Profile page, show the sign in form, validate it, create new users, etc…)
- Profile Page (for a logged in user, display his information)

To this you should probably add a File Management page that shows all files owned by a user, allows him to add / delete pages, etc…
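The two points of the answer above, carried through as an added example that is not the original poster's code and not the answerer's: the login is moved into its own login.php, whose form is submitted with POST and read from $_POST, and the upload interface lives in a separate upload.php that only admits a user with a session. Both files are shown in one listing. Everything beyond the answer is an assumption made for the example: PHP sessions, a password hash generated inline in place of a database row, a per-user uploads/ directory, and the file names login.php and upload.php.

```php
<?php
// ---------------- login.php ----------------
// Added example (not the poster's or the answerer's code). Credentials are sent with
// POST and read from $_POST, so they never appear in the URL, browser history or logs.
// Assumed: PHP sessions and a user store; the hash is generated here only so the
// example runs stand-alone (password is "password", as in the question).
session_start();

$users     = ['kwaugh' => password_hash('password', PASSWORD_DEFAULT)];
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT); // used for unknown users

function authenticate(array $post, array $users, string $dummyHash): bool
{
    $username = (string) ($post['username'] ?? '');
    $password = (string) ($post['password'] ?? '');
    if (!isset($users[$username])) {
        // Verify against a dummy hash so an unknown username costs the same time as a wrong password.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $users[$username]);
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (authenticate($_POST, $users, $dummyHash)) {
        session_regenerate_id(true);               // fresh session id once the user is authenticated
        $_SESSION['user'] = (string) $_POST['username'];
        header('Location: upload.php', true, 303); // redirect after POST: a reload cannot resubmit the form
        exit;
    }
    $error = 'You have entered an incorrect username/password combination';
}
?>
<!DOCTYPE html>
<html>
<head><title>File Storage</title></head>
<body>
<?php if ($error !== ''): ?>
    <p style="color:red"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<!-- method="post": without it the browser defaults to GET and puts the fields in the query string -->
<form method="post" action="login.php">
    Username: <input type="text" name="username"><br>
    Password: <input type="password" name="password"><br>
    <input type="submit" value="Submit">
</form>
</body>
</html>

<?php
// ---------------- upload.php ----------------
// Assumed companion file: the upload interface, reachable only with a valid session.
session_start();
if (empty($_SESSION['user'])) {
    header('Location: login.php', true, 303);
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['filename'])
    && $_FILES['filename']['error'] === UPLOAD_ERR_OK) {
    // basename() drops any directory part of the client-supplied name, so the file can
    // only land in this user's directory (assumed layout: uploads/<username>/).
    $dir  = __DIR__ . '/uploads/' . $_SESSION['user'];
    $name = basename($_FILES['filename']['name']);
    if (!is_dir($dir)) {
        mkdir($dir, 0750, true);
    }
    $ok = move_uploaded_file($_FILES['filename']['tmp_name'], $dir . '/' . $name);
    echo $ok ? 'The file has been successfully uploaded' : 'The file could not be uploaded';
}
?>
<form method="post" enctype="multipart/form-data">
    <input type="file" name="filename">
    <input type="submit" value="Upload">
</form>
```

Switching to POST keeps the credentials out of the URL, but they still travel in the request body in cleartext unless the site is served over HTTPS, so the form should only be posted to an https:// address. The 303 redirect after a successful login means the browser's address bar shows upload.php with no query string, and pressing reload there re-requests the page with GET instead of resubmitting the password.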