Volcan 3 Volcan 3 - 1 month ago 3x
PHP Question

Signin display information in url

I have been using this login / registration code with a different website before but when adding it to my new one it just display the information in the url (

) I believe that everything is more or less like the old website other than css and html,
form="post" action =""
and code is copied directly from my old website.

Can someone figure out what the problem is, and maybe give a solution on how I can display login error without
since it kills the rest of the page.

*<!DOCTYPE html>

<?php include $_SERVER["DOCUMENT_ROOT"] . "/assets/head.php"; ?>
<title><?php echo $address; ?> - Sign In</title>
<?php include $_SERVER["DOCUMENT_ROOT"] . "/navigationbar.php"; ?>

<div class="wrapper">

<div class="small-banner">
<div id="animate-area"></div>

<div class="tabs" id="tabs">
<h1>Sign In</h1>
<div class="p">

// This variable will be used to re-display the user's username to them in the
// login form if they fail to enter the correct password. It is initialized here
// to an empty value, which will be shown if the user has not submitted the form.
$submitted_username = '';

// This if statement checks to determine whether the login form has been submitted
// If it has, then the login code is run, otherwise the form is displayed
// This query retreives the user's information from the database using
// their username.
$query = "
FROM users
username = :username

// The parameter values
$query_params = array(
':username' => $_POST['username']

// Execute the query against the database
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
catch(PDOException $ex)
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("<div class='red'>Failed to run query: </div>" . $ex->getMessage());

// This variable tells us whether the user has successfully logged in or not.
// We initialize it to false, assuming they have not.
// If we determine that they have entered the right details, then we switch it to true.
$login_ok = false;

// Retrieve the user data from the database. If $row is false, then the username
// they entered is not registered.
$row = $stmt->fetch();
// Using the password submitted by the user and the salt stored in the database,
// we now check to see whether the passwords match by hashing the submitted password
// and comparing it to the hashed version already stored in the database.
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
$check_password = hash('sha256', $check_password . $row['salt']);

if($check_password === $row['password'])
// If they do, then we flip this to true
$login_ok = true;

// If the user logged in successfully, then we send them to the private members-only page
// Otherwise, we display a login failed message and show the login form again
// Here I am preparing to store the $row array into the $_SESSION by
// removing the salt and password values from it. Although $_SESSION is
// stored on the server-side, there is no reason to store sensitive values
// in it unless you have to. Thus, it is best practice to remove these
// sensitive values first.

// This stores the user's data into the session at the index 'user'.
// We will check this index on the private members-only page to determine whether
// or not the user is logged in. We can also use it to retrieve
// the user's details.
$_SESSION['user'] = $row;

$username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
$last_life_update = "UPDATE users SET last_life = now() WHERE username = '$username'";
// Redirect the user to the private members-only page.
header("Location: /");
die("Redirecting to: /");
// Tell the user they failed
print("<div class='red'>Login Failed.</div>");

// Show them their username again so all they have to do is enter a new
// password. The use of htmlentities prevents XSS attacks. You should
// always use htmlentities on user submitted values before displaying them
// to any users (including the user that submitted them). For more information:
// http://en.wikipedia.org/wiki/XSS_attack
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
<form mathod="post" action="" style="margin:20px;">
<label for="username">Username :</label><br />
<input type="text" name="username" maxlength="64" id="username" placeholder="Username" class="input-long" readonly onfocus="this.removeAttribute('readonly');"/>
<div class="clear-top"></div>

<label for="password">Password :</label><br />
<input type="password" name="password" id="password" placeholder="Password" class="input-long" readonly onfocus="this.removeAttribute('readonly') ;"/>
<div class="clear-top"></div>

<label><input type="checkbox" name="sport[]" value="remember" /> Remember Password</label>
<div class="clear-top"></div>

<input type="submit" value="Sign In" class="btn"/><br />

<a href="/forgot-password" class="link"><i style="color:#777f8c;">(Forgot password)</i></a>

<div style="position:relative; clear:both;"></div>
<?php include $_SERVER["DOCUMENT_ROOT"] . "/footer.php"; ?>


You typo'ed 'method' in

   <form mathod="post" action="" style="margin:20px;"> 

The default type is GET which would result in the form parameters being in the URL.