
admin directory ... web user to physically create pages.

Status
Not open for further replies.

robbiesmith79

Programmer
Jun 3, 2008
3
US
So here's a quick brief.

This is the first time I've built an admin control panel for a client that would allow them to physically create, rename, and delete pages in PHP. It all works splendidly but with one minor glitch; it's a big fat gaping security hole.

The MySQL database knows of the pages, location, and unique page IDs, so the content for the "static" pages is controlled from within the database. It's the whole God mode from public http that worries me.

A suggestion was brought up to remove the admin directory to a miniature version of an internal intranet behind the firewall with htallow/htdeny in the apache configuration file, so all physical pages are closely monitored, and lock down the web root as good as it gets.

What do you think? Yes I messed up.
 
htaccess control works ok but might not be great for your script paradigm. I would prefer to see a combination of the following:

1. for admin pages redirect to a secure site using ssl
2. use a php based pwd challenge response

This way you don't need to change your directory structure; you can just protect your pages by adding something like
Code:
require_once 'protect_page.php';
to the beginning of the relevant page or function.
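An added example (not code from this thread) of what such a protect_page.php could contain, combining the two points above: a redirect to HTTPS and a session-based PHP login check. It assumes PHP 7.3+, a login form at /admin/login.php that calls adminLogin(), and an $_SESSION['admin_user'] key set by that form; the host name and paths are placeholders.

```php
<?php
// protect_page.php (added example, not from the original thread).
// Usage in each admin page: require_once 'protect_page.php';
declare(strict_types=1);

const ADMIN_HOST = 'www.example.com'; // assumption: replace with your site's host

// 1. Refuse to serve the admin page over plain HTTP: redirect to the same
//    URL over HTTPS so the password challenge never travels in clear text.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
if (!$isHttps) {
    header('Location: https://' . ADMIN_HOST . $_SERVER['REQUEST_URI'], true, 302);
    exit;
}

// 2. Session-based challenge: the cookie is only sent over TLS and is not
//    readable from JavaScript, which limits theft of the logged-in session.
session_set_cookie_params([
    'secure' => true, 'httponly' => true, 'samesite' => 'Strict', 'path' => '/admin',
]);
session_start();

if (empty($_SESSION['admin_user'])) {
    // Not logged in: send to the login form and stop executing the page.
    header('Location: /admin/login.php', true, 302);
    exit;
}

// Idle timeout: force a fresh login after 30 minutes without activity.
$now = time();
if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > 1800) {
    session_unset();
    session_destroy();
    header('Location: /admin/login.php', true, 302);
    exit;
}
$_SESSION['last_seen'] = $now;

// login.php side: verify against a stored password hash (never the plain
// password) and rotate the session id after success so a pre-login session
// id cannot be reused. $users maps email => password_hash() output.
function adminLogin(string $email, string $password, array $users): bool
{
    if (!isset($users[$email]) || !password_verify($password, $users[$email])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['admin_user'] = $email;
    $_SESSION['last_seen'] = time();
    return true;
}
```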
 
I don't have the SSL installed, but I do require logging in (email address / complicated password) to the website to access the admin folder that has all the tools.

 
Without SSL the password will always be communicated in plain text, which is hardly secure.

Anyway, there are loads of PHP password protection scripts out there that will get you where you want to be. I have posted a number in this forum too.
 