erdirck

[web] passwords and admin security


I am new to php and want to make an admin page for my website. For example, say my website is www.mywebsite.com. And my admin page is www.mywebsite.com/admin. Someone who typed that in could access it. How can I make it not viewable by the public? Also, same with mysql tables. I set a password to access my data table. However, I have to add the password and username to my php code (mysql_connect()) (I have that page as an include so I can include it in other web-pages that are accessible by the public). Someone could just view source and look up my password. How can I enable it so the public can not access that page? Edit: Please excuse me but I feel that I am missing something obvious that I should know by now. Then again, I do not typically do webpages a whole lot. Just one for my portfolio and just started getting into php and mySQL to boost my skills. Thanks for your advice. [Edited by - erdirck on December 1, 2009 8:39:40 PM]

One of the great things about PHP, or any other server-side programming language, is that the client cannot view your code by selecting "view source"; all they would see is any HTML generated by your script. If you're still worried about it though, place it outside the document root.

As for your admin page, make sure to username/password that bad boy, and whatever you do make sure it's validated server side. If you want to make sure that only you can load that page up in the first instance (and you have a static IP) you can also tie it to that specific address.

Hope this helps.

Quote:
I am new to php...


Regarding the fact that you are a beginner in PHP, I would recommend using the .htaccess method for basic authorization. (In case your webserver supports it.)

Create a dedicated folder ('/admin') and put the .htaccess file in to restrict access to all files below this folder. For your second question (the sql password) create a PHP file which stores all relevant data (password, username, ...) and put it in the .htaccess-secured '/admin' folder too! Now include (PHP command include(path+file);) this file in all other php files outside of this folder where you need the data. These PHP files can access the secured PHP file without providing a username+password because the .htaccess restriction only belongs to requests from outside the server environment (= client requests).

With this method you don't need to worry about correct authorization, password security, sql injection or xss attacks yourself and have a ready to go solution in less than an hour.

Quote:
Original post by Anntor
Regarding the fact that you are a beginner in PHP, I would recommend using the .htaccess method for basic authorization. (In case your webserver supports it.)
I've found in the past that it's less about whether your web server supports it and more about whether your proxy server does! I've used this method to "hide" sites from the public (issuing the client with a username and password so they can preview the work) and had occasions where the client couldn't see the website as their proxy server was not letting the HTTP authentication work its magic. Hopefully this is pretty rare!

As for password protecting the admin page - you can have a login form that compares a username and password against a database table, and if a match is found set a session variable to indicate that the user has logged on. All admin pages should first check to see if this session variable is present, and if not redirect to the login page and return. Write the login code carefully to ensure that it's not susceptible to SQL injection attacks, and it's generally a good idea to hash passwords so that even if someone gains access to the database server they won't be able to read the passwords.
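The login flow described in the post above (compare against a table, set a session variable, guard every admin page, use prepared statements, store only password hashes), written out as an added example that is not code from the thread or from any poster. It uses PDO and password_hash()/password_verify() instead of the older mysql_* functions mentioned earlier; the table name admin_users, its columns, the $pdo variable and the config file path are assumptions.

```php
<?php
// Added example (not from the thread): session-based admin login.
// Assumes a hypothetical table admin_users(username, password_hash) and a
// $pdo connection defined in a config file kept outside the document root.
session_start();

// Guard: include this at the top of every admin page before any output.
function require_admin_login(): void {
    if (empty($_SESSION['admin_user'])) {
        header('Location: /admin/login.php');
        exit;
    }
}

// Login: returns true on success and records the user in the session.
function admin_login(PDO $pdo, string $username, string $password): bool {
    // Prepared statement: user input is bound, never concatenated into SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM admin_users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks against the hash made by password_hash();
    // only the hash is stored, so a copy of the table does not reveal passwords.
    if ($row && password_verify($password, $row['password_hash'])) {
        session_regenerate_id(true);   // new session id after login (session fixation)
        $_SESSION['admin_user'] = $username;
        return true;
    }
    return false;
}

// Account creation: store password_hash(), never the plaintext password.
function admin_create(PDO $pdo, string $username, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO admin_users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// login.php request handler (sketch; the config path is an assumption)
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require __DIR__ . '/../../config/db.php';   // defines $pdo, outside the web root
    if (admin_login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: /admin/index.php');
        exit;
    }
    $error = 'Invalid username or password.';   // same message for unknown user and wrong password
}
```

Every page under /admin then starts with `require_admin_login();`, so a visitor who types the URL directly is sent to the login form instead of the page.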
