Solved

Sending Password

Posted on 2004-09-05
18
211 Views
Last Modified: 2010-07-27
Dear Experts,

Is it possible for PHP to securely send the current user's user name and password to another web site?    If so,  how is this done?

Thanks,


Lee.
0
Comment
Question by:lnwright
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 4
  • +1
18 Comments
 
LVL 5

Assisted Solution

by:basiclife
basiclife earned 100 total points
ID: 11986510
Are you using a standard login? and is the server you're connecting to capable of SSL?

If it's normal authentication, you can redirect them using https://username:password@somedomain.com or by using https://somedmoain.com/somescript?un=username&pw=password

because the connection is secure BEFORE the GET data is sent, it should be sent in an encrypted form. I've never tried this before, so I'll await other experts opinions before guaranteeing anything
0
 
LVL 1

Assisted Solution

by:f0rdmstang
f0rdmstang earned 100 total points
ID: 11986531
What  try of function are you using this for ?  

If your using some type of database such as MySQL you can have your script connect to the remote computers by using it's domain name or IP address considering the right permissions are granted.
0
 

Author Comment

by:lnwright
ID: 11986662
Thanks basiclife & f0rdmstang,

At this stage it looks like both sites will be https.    It is not a database just PHP.

Lee.
0
SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

 
LVL 1

Expert Comment

by:f0rdmstang
ID: 11986741
I know in the past I've called or redirected someto to https sites and also passed things such as Credit Card info.  Make you script and include your info in a url.


base url :  https://www.yourdomain.com/scripts-dir/myscript.php
info to pass
user:   myuser
pass:   MyPassword123

final url = ?

https://www.yourdomain.com/scripts-dir/myscript.php?username=myuser&pass=MyPassword123

Then in the myscript.php reference the user or pass as $HTTP_GET_VARS['username'] or $HTTP_GET_VARS['pass'].  One thing you could always do it encrypt the password with md5 and only pass that password to the https url

Hope that helps
0
 

Author Comment

by:lnwright
ID: 11986863
I am just wondering with passing the username and password through a URL,  if the browser will remember it in it's history and therefore possibly reveal it to other users
0
 
LVL 1

Expert Comment

by:f0rdmstang
ID: 11986896
Your browser shouldn't remember https urls if I remember correctly.  You could also call a url from your Script rather than from the url the user sees.  This code is not verified so i don't know if it woks but I know I use to the the equivelent in Perl

include('http://www.google.com');
0
 
LVL 25

Accepted Solution

by:
Marcus Bointon earned 100 total points
ID: 11988296
Use file_get_contents or CURL to query the other server, not include. Include will not fail gracefully if the connection cannot be made.

The browser will never see the remote URL (it passes server-server, not server-client-server like a redirect), so it will never be stored in the browser history.
0
 

Author Comment

by:lnwright
ID: 11988314
Thanks Squinky,

I am a newbie to PHP so can you give a little more detail?

Regards,


Lee.
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11988424
Build the URL something like f0rdmustang suggests, then retrieve the contents of the page by saying:

$page = file_get_contents($url);

$page now contains whatever the URL returned to you. You can send this back to the original user by just saying:

header('Content-type: text/html');
echo($page);

Or alternatively, just pass the results straight from the server to the client by using:

readfile($url);

The upshot of this is that the client will see the pages from the remote server, but at the URL of your server.

Incidentally, normal syntax for a URL containing id and password handled by HTTP is:

https://user:password@www.example.com/index.php
0
 

Author Comment

by:lnwright
ID: 11988526
Thanks again Squinky,

Can I trouble you for a simple php code example.   I have set up a protected directory here:

https://aus.unlimited-space.com/~onlineac/test/

the username is "experts" and the pass is "exchange"

Thanks.
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11990748
<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}aus.unlimited-space.com/~onlineac/test/";
$page = file_get_contents($url);
//You can do what you like with the page contents in here
header('Content-type: text/html'); //this assumes that what was fetched was actually an HTML page and not something else
echo $page;
?>

Alternatively if you just want to pass the page through untouched:

<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}aus.unlimited-space.com/~onlineac/test/";
readfile($url);
?>

Note that while you've retrieved this page over SSL, the link back to the client may not be secure.
0
 

Author Comment

by:lnwright
ID: 11992179
Thanks Squinky,

With the first one I get this error:

Warning: file_get_contents(https://experts:exchangeaus.unlimited-space.com/~onlineac/test/): failed to open stream: Invalid argument in C:\Inetpub\wwwroot\reports\PassUserAndPassword.php on line 5

Warning: Cannot modify header information - headers already sent by (output started at C:\Inetpub\wwwroot\reports\PassUserAndPassword.php:1) in C:\Inetpub\wwwroot\reports\PassUserAndPassword.php on line 7

I tried adding @ after the pass but still error

For the second I get this:

Warning: readfile(https://...@aus.unlimited-space.com/~onlineac/test/index.htm): failed to open stream: Invalid argument in C:\Inetpub\wwwroot\reports\PassUserAndPassword.php on line 5

Can you please advise.

0
 
LVL 5

Expert Comment

by:basiclife
ID: 11993251
As far as I can tell. everyone agrees with me. Post additional comments if you have any problems
0
 
LVL 25

Expert Comment

by:Marcus Bointon
ID: 11995020
It is just missing the @ - I don't know why putting it in didn't work for you. This script works fine for me (I get an MYOB page back?):

<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}@aus.unlimited-space.com/~onlineac/test/";
$page = file_get_contents($url);
//You can do what you like with the page contents in here
header('Content-type: text/html'); //this assumes that what was fetched was actually an HTML page and not something else
echo $page;
?>

The second script had the same problem, I added an @, and it now works too:

<?php
$username= 'experts';
$pass = 'exchange';
$url = "https://{$username}:{$pass}@aus.unlimited-space.com/~onlineac/test/";
readfile($url);
?>

basiclife, this isn't what you suggested - there's no redirect happening here at all, nor should there be; It's really being a kind of dumb proxy.
0
 
LVL 5

Expert Comment

by:basiclife
ID: 12010154
Sorry, you're quite right - I`was in a rush last night and just scanned the 1st few answers. Please excuse my overbearing asshole attitude :D
0
 
LVL 5

Expert Comment

by:basiclife
ID: 12530411
Seems to me Squinky should get the points for this one
0
 

Author Comment

by:lnwright
ID: 12549633
Sorry forgot about this one.  Thanks for your comments guys.    I ended up not using this type of arrangement so I don't know which actually is the best but I will pick what I thought seemed the best answers.

Regards,


Lee.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question