security

5 replies to this topic

#1 spartacus

spartacus
  • New Members
  • Pip
  • Newbie
  • 2 posts

Posted 07 June 2006 - 07:20 AM

I have a web site that was created in PHP using Dreamweaver. Now I have it set up as a forum where people can log in, and I also have it set up with an admin page that is hidden to all other users. Now I'm just trying to make sure that there is no way of someone typing in the URL, like /admin/, to just get there even if they have no permission. If so, can you tell me how someone would do that so I can figure out how to block that so my site will be secure?
Thanks much

#2 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 07 June 2006 - 07:26 AM

er..you programmed an entire forum and you don't know the answers to this? or am i reading that wrong...

there is no way you can prevent the user from typing in blah.com/forum/admin/ or whatever

you would have a login screen just like a normal login for logging into your forum.

or you could check the ip address and if it doesn't match your ip then don't allow access.


#3 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 07 June 2006 - 07:31 AM

How exactly are you logging in users? Using sessions? If your login system is built correctly it shouldn't matter if a user guesses the address of the admin area, they will simply be denied access and redirected back to the main site.

#4 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 07 June 2006 - 10:40 AM

If you have coded a forum then surely you have set up some form of permissions? Such as if a user has a permission value of 1 they are admins, if they have a permission value of 2 they are mods, if they don't have a permission value of 1 or 2 they are normal users.

Does your forum use sessions? If it does, do you store the user's permission in the session? If you do then you can simply place the following in all your admin pages:

<?php
session_start();

// If the user's permission level is missing or not equal to 1, they are not authorised, so kill the script
if (!isset($_SESSION['permission']) || $_SESSION['permission'] != '1') {
    die("YOU DONT HAVE ACCESS HERE! ONLY AUTHORISED USERS ALLOWED IN THIS AREA!");
}

// rest of admin code

That's the most basic way of checking the user has the correct permission.
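
The session check from the replies above, written as a reusable deny-by-default guard that redirects back to the main site. This is an added example, not part of any post in the thread. The `user_id` session key, the `/index.php` target and the function names are assumptions; the admin value 1 follows the post above.

```php
<?php
// Added example (not from the thread). Assumed names: the 'user_id' and
// 'permission' session keys, the function names and the /index.php target.
const ADMIN_LEVEL = 1; // 1 = admin, following the post above

// Pure decision function: deny by default, allow only an exact admin match.
function is_admin(array $session): bool
{
    if (!isset($session['user_id'], $session['permission'])) {
        return false; // not logged in, or permission never stored
    }
    // Validate as an integer and compare strictly, so "1abc" or an array fails.
    $level = filter_var($session['permission'], FILTER_VALIDATE_INT);
    return $level === ADMIN_LEVEL;
}

// Call at the very top of every admin page, before any output is sent.
function require_admin(string $redirect = '/index.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_admin($_SESSION)) {
        header('Location: ' . $redirect, true, 302);
        exit; // without exit, the rest of the admin page would still execute
    }
}

// Self-check on constructed session arrays when the file is run from the CLI.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $samples = [
        'guest (empty session)' => [],
        'normal user'           => ['user_id' => 7, 'permission' => '3'],
        'moderator'             => ['user_id' => 5, 'permission' => '2'],
        'admin'                 => ['user_id' => 1, 'permission' => '1'],
        'tampered value'        => ['user_id' => 9, 'permission' => '1abc'],
    ];
    foreach ($samples as $label => $session) {
        printf("%-22s %s\n", $label, is_admin($session) ? 'allow' : 'deny');
    }
}
```

Each admin page would include this file and call `require_admin();` as its first statement, so a page that forgets the check is the only way to miss it.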

#5 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 07 June 2006 - 11:56 AM

Of course adding a username+pass using a htaccess can make it even more secure.

Orio.
Think you're smarty?

(Gone until 20 to November)

#6 justsomeone

justsomeone
  • Members
  • Pip
  • Newbie
  • 9 posts

Posted 07 June 2006 - 12:42 PM

QUOTE (Orio @ Jun 7 2006, 12:56 PM)
> Of course adding a username+pass using a htaccess can make it even more secure.
>
> Orio.

htaccess is very insecure. It sends the username and password in plaintext. You should use a customised login system, ideally over https, for your admin section.
** PHP Gun for Hire **



