[web] passwords and admin security

3 comments, last by erdirck 14 years, 4 months ago
I am new to PHP and want to make an admin page for my website. For example, say my website is www.mywebsite.com and my admin page is www.mywebsite.com/admin. Someone who typed that in could access it. How can I make it not viewable by the public? Also, same with MySQL tables. I set a password to access my data table. However, I have to add the password and username to my PHP code (mysql_connect()) (I have that page as an include so I can include it in other web pages that are accessible by the public). Someone could just view source and look up my password. How can I make it so the public cannot access that page?

Edit: Please excuse me, but I feel that I am missing something obvious that I should know by now. Then again, I do not typically do web pages a whole lot, just one for my portfolio, and I am just starting to get into PHP and MySQL to boost my skills. Thanks for your advice.

[Edited by - erdirck on December 1, 2009 8:39:40 PM]
One of the great things about PHP, or any other server-side programming language, is that the client cannot view your code by selecting "view source"; all they would see is any HTML generated by your script. If you're still worried about it though, place it outside the document root.

As for your admin page, make sure to username/password that bad boy, and whatever you do, make sure it's validated server-side. If you want to make sure that only you can load that page up in the first instance (and you have a static IP), you can also tie it to that specific address.

Hope this helps.
Quote:I am new to php...


Regarding the fact that you are a beginner in PHP, I would recommend using the .htaccess method for basic authorization (in case your web server supports it).

Create a dedicated folder ('/admin') and put the .htaccess file in it to restrict access to all files below this folder. For your second question (the SQL password), create a PHP file which stores all relevant data (password, username, ...) and put it in the .htaccess-secured '/admin' folder too! Now include this file (PHP command include(path+file);) in all other PHP files outside of this folder where you need the data. These PHP files can access the secured PHP file without providing a username and password, because the .htaccess restriction only applies to requests from outside the server environment (= client requests).

With this method you don't need to worry about correct authorization, password security, SQL injection or XSS attacks yourself, and you have a ready-to-go solution in less than an hour.
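The first reply's two ideas (keep sensitive files outside the document root, pin the admin page to your static IP) and the .htaccess approach in the reply just above fit in one per-directory file. The following is an added example, not code from either poster. It assumes Apache 2.4 syntax, that the site's configuration has AllowOverride AuthConfig enabled, placeholder paths under /var/www, and the RFC 5737 documentation address 203.0.113.10 standing in for the admin's static IP.

```apache
# /var/www/html/admin/.htaccess   (path is an assumption for this example)
#
# 1. HTTP Basic authentication for everything below /admin.
AuthType Basic
AuthName "Admin area"
# The password file lives OUTSIDE the document root, so it can never be served.
# Create it once with:  htpasswd -c /var/www/private/.htpasswd admin
AuthUserFile /var/www/private/.htpasswd

# 2. Require BOTH a valid login AND a request from the admin's own static IP
#    (203.0.113.10 is a placeholder from the RFC 5737 documentation range).
<RequireAll>
    Require valid-user
    Require ip 203.0.113.10
</RequireAll>

# 3. For any file in this directory that holds secrets (e.g. the DB credentials
#    include): no client, authenticated or not, ever gets it served. PHP's
#    include() reads it from disk, which .htaccess does not affect.
<Files "config.php">
    Require all denied
</Files>
```

Three caveats a practitioner would want here: Basic auth sends the username and password with every request, base64-encoded rather than encrypted, so it only makes sense over HTTPS; `Require ip` sees the address of a reverse proxy or CDN if one sits in front of the server, so it must be the real client address that reaches Apache; and if `AllowOverride` is `None` the whole .htaccess file is silently ignored, in which case the same directives belong in a `<Directory>` block in the main server configuration.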
Quote:Original post by Anntor
Regarding the fact that you are a beginner in PHP, I would recommend using the .htaccess method for basic authorization (in case your web server supports it).
I've found in the past that it's less about whether your web server supports it and more about whether your proxy server does! I've used this method to "hide" sites from the public (issuing the client with a username and password so they can preview the work) and had occasions where the client couldn't see the website, as their proxy server was not letting the HTTP authentication work its magic. Hopefully this is pretty rare!

As for password-protecting the admin page: you can have a login form that compares a username and password against a database table, and if a match is found, set a session variable to indicate that the user has logged on. All admin pages should first check to see if this session variable is present, and if not, redirect to the login page and return. Write the login code carefully to ensure that it's not susceptible to SQL injection attacks, and it's generally a good idea to hash passwords so that even if someone gains access to the database server they won't be able to read the passwords.

[Website] [+++ Divide By Cucumber Error. Please Reinstall Universe And Reboot +++]
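The login flow described in the reply above (form, database lookup, session flag, guard on every admin page, hashed passwords, no SQL injection) written out. This is an added example, not the poster's code. It assumes PHP 7 or later with PDO, since the mysql_* functions the question mentions were removed in PHP 7; a table `admins(id, username, password_hash)`; and a credentials file at the made-up path /var/www/private/db.php, outside the document root, which returns the DSN, user and password as an array.

```php
<?php
// Added example: session-based admin login for the approach described above.
// Assumptions (not from the thread): PHP >= 7.0 with PDO/MySQL; a table
//   admins(id INT PRIMARY KEY, username VARCHAR(64) UNIQUE, password_hash VARCHAR(255))
// and a credentials file OUTSIDE the document root, /var/www/private/db.php, containing
//   <?php return ['dsn' => 'mysql:host=localhost;dbname=site;charset=utf8mb4',
//                 'user' => 'site', 'pass' => 'secret'];
declare(strict_types=1);

// Session cookie is only sent over HTTPS and is invisible to JavaScript.
session_set_cookie_params(0, '/', '', true, true);
session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $cfg = require '/var/www/private/db.php';   // read from disk, never served to a client
        $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
        ]);
    }
    return $pdo;
}

// Run once per account (e.g. from a CLI script): store a bcrypt hash, never the password.
function create_admin(string $username, string $password): void
{
    $stmt = db()->prepare('INSERT INTO admins (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns true and establishes the admin session on success, false otherwise.
function login(string $username, string $password): bool
{
    // Bound parameter: the username is never concatenated into the SQL string.
    $stmt = db()->prepare('SELECT id, password_hash FROM admins WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still pay the cost of one hash so the response time
        // does not reveal which usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        // Upgrade the stored hash transparently if the default cost/algorithm changed.
        $upd = db()->prepare('UPDATE admins SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    session_regenerate_id(true);          // fresh session ID on privilege change (fixation defence)
    $_SESSION['admin_id'] = (int) $row['id'];
    return true;
}

// First thing on every page under /admin:  require 'auth.php'; require_admin();
function require_admin(): void
{
    if (empty($_SESSION['admin_id'])) {
        header('Location: /admin/login.php', true, 303);
        exit;   // without this the rest of the page would still be rendered and sent
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// ---- login.php: form handler and form (constructed for this example) ----
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login((string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''))) {
        header('Location: /admin/', true, 303);
        exit;
    }
    $error = 'Invalid username or password.';   // one message for both failure causes
}
?>
<form method="post" action="/admin/login.php">
  <?php if ($error !== '') { echo '<p>', htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), '</p>'; } ?>
  <label>Username <input name="username" autocomplete="username"></label>
  <label>Password <input name="password" type="password" autocomplete="current-password"></label>
  <button type="submit">Log in</button>
</form>
```

The handler and the guard are shown in one file to keep the example short; in practice `require_admin()` lives in an include pulled in by every admin page, and login.php is the only page under /admin that does not call it. The `exit` after each `header('Location: ...')` is the detail most often missed: a redirect header alone does not stop PHP from emitting the protected page body to a client that ignores the redirect.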

Thanks for all your help. I really appreciate it.



