vozzek, posted December 14, 2007:

Hi all,

My site is almost finished, and I just added a whole ADMIN section where I can update/edit my SQL database via easy-to-use forms. On page one I use PHP to require a superuser password, and if it is correct, I set a $_SESSION variable that enables you to see every other admin page (I do a check for the variable at the top of the page and exit if it is not there).

I know I've read stuff about somehow encrypting (hashing?) the password, but I don't know what that means. If anyone can point me in the right direction, I'd like to keep things as secure as possible.

Also, I've heard there are ways to prevent people from running scripts on your site. How is that accomplished?

Finally, what's the best way to prevent people from directly linking to my site folders? For example, if you go to mysite.com/images right now, you can see all my images listed. Any way to prevent that?

Thanks in advance for the help. I know nothing about site security, and it's probably time to learn.
ManOnScooter, posted December 14, 2007:

OK, let me just break down your question into 2 parts:

1. Hashing
2. Scripts
3. mysite.com/images

With my knowledge:

1. Hashing would mean saving your password (or any other field) in a hashed format, where anybody reading your database can't find the password. I would suggest sha1 - easy to implement.

2. Scripts: typically, for login pages where you don't have a captcha, it's easy to make scripts that create repeated inserts into your database for, say, username and password. So one recommended way to prevent this and ensure humans are operating your site is to try implementing a captcha or sound validation.

3. To ensure that no random user gets to view any link, such as mysite.com/images, I recommend session tracking to ensure every page is viewed only when certain steps/processes are followed.

Guess that answers your queries.
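As an added example (not code from the thread or from either poster), here is how the superuser login and the per-page session check described above look in PHP when the password is stored as a hash rather than in plain text. It uses password_hash()/password_verify() (PHP 5.5 and later), which are the current replacement for the bare sha1() suggested in the post: they add a per-password salt and a slow work factor, so a leaked hash is far harder to reverse than an unsalted sha1. The file paths and the PASSWORD_DEFAULT placeholder hash are assumptions.

```php
<?php
// Added example, not from the original thread.
// Assumes the admin password hash is kept in a config file outside the web root
// (hypothetical path: /var/www/private/admin_hash.php) rather than in the page itself.
session_start();

// One-time setup, run from the command line, then paste the printed hash below:
//   php -r 'echo password_hash("choose-a-long-passphrase", PASSWORD_DEFAULT), PHP_EOL;'
$storedHash = '$2y$10$PLACEHOLDER-paste-the-generated-hash-here'; // placeholder value

/**
 * Verify the submitted superuser password and, on success, mark the session as admin.
 * password_verify() reads the salt and cost from the stored hash and compares in
 * constant time, so the page never handles the plaintext password beyond this call.
 */
function admin_login(string $submitted, string $storedHash): bool
{
    if (!password_verify($submitted, $storedHash)) {
        // Slow down automated guessing and leave a trace for the server log.
        usleep(500000);
        error_log('admin login failure from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return false;
    }
    // Issue a fresh session id when privileges change (defends against session fixation).
    session_regenerate_id(true);
    $_SESSION['is_admin']    = true;
    $_SESSION['admin_since'] = time();
    return true;
}

/**
 * Put this at the top of every admin page. It replaces the plain "variable exists"
 * check with one that also expires the admin session after $maxAge seconds of use.
 */
function require_admin(int $maxAge = 1800): void
{
    $since = $_SESSION['admin_since'] ?? 0;
    if (empty($_SESSION['is_admin']) || (time() - $since) > $maxAge) {
        session_unset();
        session_destroy();
        header('Location: /admin/login.php'); // hypothetical login page path
        exit;
    }
}

// Login form handler (page one in the original description).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['password'])) {
    if (admin_login((string) $_POST['password'], $storedHash)) {
        header('Location: /admin/index.php'); // hypothetical landing page
        exit;
    }
    $error = 'Login failed.'; // same message for wrong password and any other failure
}
```

Every other admin page then starts with `require_once '/var/www/private/admin_hash.php'; require_admin();` before producing any output. If you later move to per-user accounts, store the output of password_hash() in the users table in place of the plaintext column and keep using password_verify() on login.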
vozzek (author), posted December 14, 2007:

Thanks, I will definitely look into hashing and captcha.

I'm still not sure how to prevent people from looking at the root folders, however. On page1, page2, page3, etc., I can implement some session tracking at the top of each page to prevent people from opening those pages directly (without coming from the proper page), but the 'images' folder isn't actually a page. It's a folder. So how can I protect it?
peranha, posted December 14, 2007:

The easiest way to stop people from accessing folders directly is by adding an index.php page, redirecting them to the root folder. You can also create .htaccess files, which is more secure.
CMC, posted December 14, 2007:

Or simply set a CHMOD so that viewing isn't permitted. Setting the folder's CHMOD to 711 will stop read access but allow the images to still be executed.
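The .htaccess approach peranha mentions, written out as an added example (not from the thread): dropping this file into the images folder tells Apache not to generate a directory listing when no index file is present, while every image in the folder stays reachable by its direct URL. The folder path is an assumption, and the directive only takes effect if the server configuration grants AllowOverride Options (or AllowOverride All) for that directory.

```apache
# Added example, not from the original thread.
# Save as /images/.htaccess (hypothetical path) in the folder whose listing you want hidden.
# Without an index.php or index.html, Apache would otherwise list every file here.
Options -Indexes
```

If the host does not allow overrides, an empty index.php in the same folder has the same visible effect: the request for mysite.com/images serves that blank page instead of the listing. Neither approach hides a file from someone who already knows its exact name, so anything that must stay private belongs outside the web root, not merely in an unlisted folder.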