security


spartacus

I have a web site that was created in PHP using Dreamweaver. Now I have it set up as a forum where people can log in, and I also have it set up with an admin page that is hidden to all other users. Now I'm just trying to make sure that there is no way of someone typing in the URL, like /admin/, to just get there even if they have no permission. If so, can you tell me how someone would do that so I can figure out how to block that so my site will be secure.
Thanks much.

Er... you programmed an entire forum and you don't know the answer to this? Or am I reading that wrong...

There is no way you can prevent the user from typing in blah.com/forum/admin/ or whatever.

You would have a login screen just like a normal login for logging into your forum.

Or you could check the IP address and if it doesn't match your IP then don't allow access.

How exactly are you logging in users? Using sessions? If your login system is built correctly it shouldn't matter if a user guesses the address of the admin area; they will simply be denied access and redirected back to the main site.

If you have coded a forum then surely you have set up some form of permissions? Such as: if a user has a permission value of 1 they are an admin, if they have a permission value of 2 they are a mod, and if they don't have a permission value of 1 or 2 they are a normal user.

Does your forum use sessions? If it does, do you store the user's permission in the session? If you do then you can simply place the following in all your admin pages:
[code]<?php
session_start();

// if the user's permission level is not set, or is not equal to 1,
// they are not authorised, so kill the script
if (!isset($_SESSION['permission']) || (int) $_SESSION['permission'] !== 1) {
    die("YOU DONT HAVE ACCESS HERE! ONLY AUTHORISED USERS ALLOWED IN THIS AREA!");
}

// rest of admin code[/code]
That's the most basic way of checking the user has the correct permission.
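A fuller version of the session gate described in the post above, as an added example that is not code from any poster in this thread. It assumes (nothing in the thread says so) that the login script stores `$_SESSION['user_id']` and `$_SESSION['permission']` after the password has been verified, with 1 = admin and 2 = moderator; the function names `start_secure_session`, `require_permission` and `establish_login` are invented for this example. It differs from the one-liner in the post in four ways a reviewer would ask for: it never compares an unset key, it compares strictly after casting, it redirects instead of printing a message that confirms something is behind the URL, and it regenerates the session id at login.

```php
<?php
// admin_guard.php  (added example; not code from the thread's posts)
// require_once this file as the FIRST line of every script under /admin/,
// before any HTML is sent, otherwise header() cannot redirect.
//
// Assumptions not stated in the thread: the login code stores
// $_SESSION['user_id'] and $_SESSION['permission'] after checking the
// password, and permission values are 1 = admin, 2 = moderator,
// anything else (or missing) = ordinary member.
declare(strict_types=1);

const PERM_ADMIN = 1;
const PERM_MOD   = 2;

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,                      // JS cannot read the cookie
        'samesite' => 'Lax',                     // blunts CSRF against admin pages
        'secure'   => !empty($_SERVER['HTTPS']), // cookie only over https when available
    ]);
    session_start();
}

/**
 * Abort the request unless the logged-in user holds one of $allowed.
 * Returns the user id so callers can log who did what in the admin area.
 */
function require_permission(array $allowed, string $redirect = '/index.php'): int
{
    start_secure_session();

    // Cast before comparing and compare strictly: an unset key, '', '0'
    // or a stray '1abc' must all fail. in_array(..., true) avoids loose ==.
    $uid  = (int) ($_SESSION['user_id'] ?? 0);
    $perm = (int) ($_SESSION['permission'] ?? 0);

    if ($uid <= 0 || !in_array($perm, $allowed, true)) {
        // Redirect instead of die(): a custom error text confirms to whoever
        // is guessing URLs that something worth reaching is behind this one.
        header('Location: ' . $redirect, true, 303);
        exit; // header() alone does not stop the script; the rest would still run
    }
    return $uid;
}

/**
 * Call from the login script once password_verify() has succeeded.
 * $row is the user's database row (assumed columns: id, permission).
 */
function establish_login(array $row): void
{
    start_secure_session();
    // Fresh session id on privilege change: defeats session fixation, where
    // an attacker plants a known id and waits for the admin to log in with it.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['permission'] = (int) $row['permission'];
}

// --- usage in admin/index.php (and every other file in /admin/) ---
// require_once __DIR__ . '/../admin_guard.php';
// $admin_id = require_permission([PERM_ADMIN]);           // admins only
// $mod_id   = require_permission([PERM_ADMIN, PERM_MOD]); // admins or mods
```

The guard has to run in every PHP file under /admin/, not just index.php, because the visitor can type any URL, and a single file that forgets the include is the hole. A quick check is to request each admin script directly in a browser with no cookies and confirm every one of them answers with the redirect and nothing else.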

Quote (Orio @ Jun 7 2006, 12:56 PM, post 380953):
Of course adding a username+pass using a htaccess can make it even more secure.

Orio.

htaccess is very insecure. It sends the username and password in plaintext. You should use a customised login system, ideally over https, for your admin section.
