Tek-Tips is the largest IT community on the Internet today!


passing passwords in GET mode 4

Status
Not open for further replies.

RobBroekhuis

Technical User
Oct 15, 2001
1,971
US
I'm very new at this, so the answer is probably obvious... I have just developed a small PHP application which asks the user for username/password upon entering, and then passes this information along when moving between page requests. This is fine when the transitions use forms and the POST method, but in several cases I use links of the url?var=value (i.e., GET) kind, and in that case the password shows up in the url bar. What is the best way to avoid this? Is there a generally accepted way of dealing with user authentication/passwords that I can look up somewhere?
Thanks much


Rob
[flowerface]
 
Some of the config settings can't be overridden; check the manual. I would think that register_globals cannot be changed, as it occurs in PHP before control is passed to you. As far as things causing problems, the quick answer is yes. One of the "good things" about PHP in the old days was that it made all your variables from forms etc. available, i.e. register_globals = on. The problem was that if you had a form variable called (say) amount which contained a number, I could also append &fred=hello on the URL in the browser and it might overwrite the form value automatically (I'm not sure what the precedence would be). You could probably also overwrite cookie variables as well. If your script didn't check the format of fred, you might put a string into a number field in the database and possibly generate an error.
Just be aware that somebody could be up to no good and you always need to validate that what is coming in is at least what you expect.
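
The validation point made in the reply above, as an added example that is not part of the original thread: read each value from one named source and check its format before use. The arrays `$get` and `$post` are constructed sample input standing in for `$_GET` and `$_POST`, and `read_amount()` is a hypothetical helper; only the names `amount` and `fred` come from the post.

```php
<?php
// Added example, not code from the thread. read_amount() is a hypothetical
// helper; $get and $post are constructed stand-ins for $_GET and $_POST.

/**
 * Read one numeric field from a single, explicitly chosen source array.
 * Returns the value as a float, or null if it is missing or not a number.
 */
function read_amount(array $source, string $field = 'amount'): ?float
{
    // Reject missing fields and array-valued input such as amount[]=1.
    if (!isset($source[$field]) || !is_string($source[$field])) {
        return null;
    }
    // FILTER_VALIDATE_FLOAT returns false for anything that is not a number.
    $value = filter_var($source[$field], FILTER_VALIDATE_FLOAT);
    if ($value === false || $value < 0) {
        return null;
    }
    return $value;
}

// Constructed request: the form posts amount=25.50, while the URL carries a
// hand-appended amount=hello and fred=hello.
$get  = ['amount' => 'hello', 'fred' => 'hello'];
$post = ['amount' => '25.50'];

// Approximation of register_globals = on: all request variables land in one
// namespace. The merge order here is an assumption; the real precedence
// depended on server configuration.
$merged = array_merge($post, $get);

// Case 1: merged namespace. The URL value has replaced the form value, and
// only the format check stops the string from reaching the database.
var_dump(read_amount($merged));

// Case 2: explicit source. Only the POST body is consulted, so the URL
// parameter cannot override the form field.
var_dump(read_amount($post));

// Case 3: a variable the script never asked for is simply not there.
var_dump(read_amount($post, 'fred'));
```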
 