Your Location is: Home > Php

PHP $_POST works but $_GET does not

From: Apia View: 4548 caffeinehigh 
 php

Question

I have a PHP script that takes a username and password posted and logs the user in to wordpress. If I create a simple form and post the values with the form it works. However if I put the values in the url and use a get it does not. I see the data still echoes out but the login does not work. Does anyone have any ideas.

So this works:

Form:

 <form action="/signon.php" method="post">
     <input type="text" id="email" name="email" class="form-control" placeholder="email" required autofocus>
     <input type="password" id="password" name="password" class="form-control" placeholder="password" required>

     <button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
      
</form>

Script

    <?php

/**
  * custom log in functionality
*/

//load wordpress
if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/wp-load.php')) {

  require_once($_SERVER['DOCUMENT_ROOT'] . '/wp-load.php');

}

     if ( !isset($_POST["email"]) || !isset($_POST["password"]) ) {
        echo "no user or pass set";
         return;
     }

     if (is_email($_POST['email'])) {
         $user = get_user_by('email', $_POST['email']);
         if (empty($user)) {
           echo "no user email set";
             //wp_redirect($_POST['_wp_http_referer']);
             exit;
         }
     } else {
         $user = get_user_by('login', $_POST['email']);
         if (empty($user)) {
           echo "no username set";
             //wp_redirect($_POST['_wp_http_referer']);
             exit;
         }
     }

     $user_admin_url = get_blogaddress_by_id($user->primary_blog) . 'wp-admin/';

     $creds = array();
     $creds['user_login'] = $user->user_login;
     $creds['user_password'] = $_POST['password'];
     $creds['remember'] = true;
     $user = wp_signon($creds, false);
     if (is_wp_error($user)) {

       echo "login error";

         exit;
     }
     wp_set_current_user($user->ID);
     wp_set_auth_cookie($user->ID);
     wp_redirect($user_admin_url);
     exit;

 ?>

And this does not if I put it in the browser bar and change the $_POST to $_GET

urltoscript.com/[email protected]&password=123

script

    <?php

/**
  * custom log in functionality
*/

//load wordpress
if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/wp-load.php')) {

  require_once($_SERVER['DOCUMENT_ROOT'] . '/wp-load.php');

}

     if ( !isset($_GET["email"]) || !isset($_GET["password"]) ) {
        echo "no user or pass set";
         return;
     }

     if (is_email($_GET['email'])) {
         $user = get_user_by('email', $_GET['email']);
         if (empty($user)) {
           echo "no user email set";
             //wp_redirect($_GET['_wp_http_referer']);
             exit;
         }
     } else {
         $user = get_user_by('login', $_GET['email']);
         if (empty($user)) {
           echo "no username set";
             //wp_redirect($_GET['_wp_http_referer']);
             exit;
         }
     }

     $user_admin_url = get_blogaddress_by_id($user->primary_blog) . 'wp-admin/';

     $creds = array();
     $creds['user_login'] = $user->user_login;
     $creds['user_password'] = $_GET['password'];
     $creds['remember'] = true;
     $user = wp_signon($creds, false);
     if (is_wp_error($user)) {

       echo "login error";

         exit;
     }
     wp_set_current_user($user->ID);
     wp_set_auth_cookie($user->ID);
     wp_redirect($user_admin_url);
     exit;

 ?>

Best answer

@ is a reserved symbol, used to separate user info from host name in the authority component (the bit after the //) of a URL.

When you are typing in an email address as a parameter you need to use %40 instead of @.

This kind of substitution of reserved symbols is often seen when %20 is used instead of the space character.