I put the variables email and password from POST to GET such that
Part of my handle_login_form.php
header("Location: /codes/index.php?ask_question&" . "email=" . $_POST['email'] . "&" . "passhash_md5=" . md5($_POST['password']) );
The user then clicks the About link. He should have the login info in the URL, but he does not. He has only index.php?about&.
Part of my index.php
if (isset($_GET['email'])) {
echo ("<li><a href='?about&email='" .
$_GET['email'] .
"&passhash_md5" .
$_GET['passhash_md5'] .
">About</a></li>");
} else {
echo "<li><a href='?about'>About</a></li>";
}
This is what is happening
STEP      | handle_login_form.php    index.php?email&passhash_md5    index.php?about&
protocol  | POST                  -> GET                          -> GET
----------------------------------------------------------------------------------
variables | password                 passhash_md5                    passhash_md5
          | email                    email                           email
                                                                     Problem HERE!
You need to escape the & character in HTML. Use &amp; instead of & for every ampersand that is printed in HTML. You also added an extra single quote in your second statement. This is a fixed version:
Keep in mind that it is unsafe to store (a hash of) the password in your query string: everyone sniffing the data can spoof the user by just copying the right URL. Consider using a session cookie instead.
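An added example, not part of the original answer: one way to apply both points above in PHP, building the link with http_build_query() and htmlspecialchars() and keeping the logged-in user in a session instead of the query string. The function names, the constructed user store, the login_failed parameter and the use of password_hash()/password_verify() for the credential check are assumptions.

```php
<?php
// Added example; names and sample data are constructed, not from the post.
session_start();

// Constructed user store standing in for the real account lookup.
$users = ['alice@example.com' => password_hash('constructed-pass', PASSWORD_DEFAULT)];

// handle_login_form.php: on success, remember the user server-side.
function handle_login(array $post, array $users): string
{
    $email = $post['email'] ?? '';
    $hash  = $users[$email] ?? null;
    if ($hash === null || !password_verify($post['password'] ?? '', $hash)) {
        return '/codes/index.php?login_failed';   // hypothetical failure target
    }
    session_regenerate_id(true);   // fresh session id after authentication
    $_SESSION['email'] = $email;   // identity lives in the session, not the URL
    return '/codes/index.php?ask_question';
}

// index.php: build a link. Values are URL-encoded first, then the whole
// attribute is HTML-escaped so each "&" is emitted as "&amp;".
function nav_link(string $page, string $label, array $params = []): string
{
    $query = rawurlencode($page);
    if ($params) {
        $query .= '&' . http_build_query($params);
    }
    return '<li><a href="?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a></li>';
}

// Constructed POST data for the demonstration.
$target = handle_login(
    ['email' => 'alice@example.com', 'password' => 'constructed-pass'],
    $users
);
// In the real handler: header('Location: ' . $target); exit;

echo "redirect: $target\n";
// The logged-in state comes from $_SESSION, so the link needs no credentials.
echo nav_link('about', 'About'), "\n";
// Extra parameters, including one containing "&", stay well-formed.
echo nav_link('about', 'About', ['tab' => 'a&b', 'n' => 1]), "\n";
```

With this layout index.php decides whether the user is logged in with isset($_SESSION['email']) after its own session_start(), so no link has to carry the email or a password hash.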