spartacus Posted June 7, 2006
I have a web site that was created in PHP using Dreamweaver. Now I have it set up as a forum where people can log in, and I also have it set up with an admin page that is hidden to all other users. Now I'm just trying to make sure that there is no way of someone typing in the URL, like /admin/, to just get there even if they have no permission. If so, can you tell me how someone would do that so I can figure out how to block that so my site will be secure? Thanks much.
.josh Posted June 7, 2006
Er... you programmed an entire forum and you don't know the answers to this? Or am I reading that wrong... There is no way you can prevent the user from typing in blah.com/forum/admin/ or whatever. You would have a login screen just like a normal login for logging into your forum. Or you could check the IP address and if it doesn't match your IP then don't allow access.
trq Posted June 7, 2006
How exactly are you [i]logging in[/i] users? Using sessions? If your login system is built correctly it shouldn't matter if a user guesses the address of the admin area, they will simply be denied access and redirected back to the main site.
wildteen88 Posted June 7, 2006
If you have coded a forum then surely you have set up some form of permissions? Such as: if a user has a permission value of 1 they are admins, if they have a permission value of 2 they are mods, if they don't have a permission value of 1 or 2 they are normal users.
Does your forum use sessions? If it does, do you store the user's permission in the session? If you do then you can simply place the following in all your admin pages:
[code]
<?php
session_start();

// If the user's permission level is not equal to 1, they are not authorised, so kill the script.
// isset() also covers visitors who have no permission stored in their session at all.
if (!isset($_SESSION['permission']) || $_SESSION['permission'] != '1') {
    die("YOU DONT HAVE ACCESS HERE! ONLY AUTHORISED USERS ALLOWED IN THIS AREA!");
}

// rest of admin code
[/code]
That's the most basic way of checking the user has the correct permission.
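A fuller version of the session check described in the replies above, as an added example that is not part of the original posts: it sets the permission at login from the server's own user record, compares it strictly, and redirects with an explicit exit. The file name admin_guard.php, LOGIN_URL, the $userRow column names and an HTTPS site on PHP 7.3 or later are assumptions.

```php
<?php
// Added example: include this file at the top of every script under /admin/.
// Assumptions: the 'permission' session key and admin value 1 follow the post
// above; LOGIN_URL, the $userRow column names and HTTPS are hypothetical.
declare(strict_types=1);

const ADMIN_LEVEL = 1;
const LOGIN_URL   = '/login.php'; // hypothetical

/** Start the session with a cookie that is HTTPS-only and hidden from scripts. */
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Array form of session_set_cookie_params() needs PHP 7.3 or later.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

/** Call once after the password check succeeds; $userRow comes from the database. */
function log_in(array $userRow): void
{
    start_secure_session();
    session_regenerate_id(true);                      // fresh id at login (anti-fixation)
    $_SESSION['user_id']    = $userRow['id'];
    $_SESSION['permission'] = $userRow['permission']; // set server-side only, never from request input
}

/** True only when the session holds exactly the admin level (int 1 or string '1'). */
function is_admin(array $session): bool
{
    return in_array($session['permission'] ?? null, [ADMIN_LEVEL, (string) ADMIN_LEVEL], true);
}

/** Deny by default: anyone who is not an admin is redirected and the script stops. */
function require_admin(): void
{
    start_secure_session();
    if (!is_admin($_SESSION)) {
        header('Location: ' . LOGIN_URL, true, 302);
        exit; // header() does not stop execution; without exit the admin page still runs
    }
}

// Usage at the top of an admin page: require __DIR__ . '/admin_guard.php'; require_admin();
```

The guard has to run in every script under /admin/, including form handlers and AJAX endpoints, because each URL is reachable on its own.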
Orio Posted June 7, 2006
Of course adding a username+pass using a htaccess can make it even more secure.
Orio.
justsomeone Posted June 7, 2006
[quote]QUOTE(Orio @ Jun 7 2006, 12:56 PM)
Of course adding a username+pass using a htaccess can make it even more secure.
Orio.[/quote]
htaccess is very insecure. It sends the username and password in plaintext. You should use a customised login system, ideally over https, for your admin section.