PHP security questions

Associate
Joined
21 May 2003
Posts
1,008
Hi. I'm trying to make my first PHP website and I'm having a few problems with security. I'm using PHPmaker to make the code.

I have a users table with a userlevel field where -1 = administrator, 0 = anonymous, 1 = normal user (this is all built into PHPmaker).

When you make it so that users can't see the users table, PHPmaker simply hides it from the menu, but it's still accessible directly by a user.

Here's the code PHPmaker made for the page where you can see all the users and edit them (this should only be viewable by the administrator):

Code:
<?php
if (@$_SESSION["project1_status"] <> "login") {
	header("Location:  login.php");
	exit();
	if (@$_SESSION["project1_status_UserID"] == "" && @$_SESSION["project1_status_UserLevel"] <> -1) { 
		ob_end_clean();
		header("Location: login.php"); 
		exit();
	}
}
?>

The code works when you try to access the page directly before you log in, but after you log in, it lets you see the page. I've made sure the user I'm trying has a userlevel of 1.

Should I just not allow anyone (not even an administrator) to access this kind of webpage and do everything through phpMyAdmin?
 
The code that you've posted contains no way of editing the users.

Whether you're logged in or not, it'll still redirect you to the login page.

Code:
<?php
if (@$_SESSION["project1_status"] <> "login") {
	header("Location:  login.php");   // << User NOT logged in
	exit();
	if (@$_SESSION["project1_status_UserID"] == "" && @$_SESSION["project1_status_UserLevel"] <> -1) { 
		ob_end_clean();
		header("Location: login.php");  // << User logged in AND admin
		exit();
	}
}
?>

There should be no reason to do everything through PMA. I've written numerous login pages with secure admin areas and made sure I've locked everything down :) Never had any security problems.
 
DJ Jestar, I don't have a clue what you're talking about.

I've now changed the code and put a much simpler if statement for now:
Code:
<?php

	if (@$_SESSION["project1_status_UserLevel"] <> -1) { 
		ob_end_clean();
		header("Location: login.php"); 
		exit();
	}
?>

But I've realised that I want my users to be able to change their e-mail addresses. Surely if I give them access to change the e-mails, they'll have access to the whole table?

Nightmare. So if I follow the security guides for PHP, there's no way someone can get around it? Isn't there a way to go to a page and define the userlevel to be -1 or something?

For example, when a user clicks on a link, it takes him to another page, and in the address bar there's ?showmaster=1&userID=4. Is there no way to do this with userlevels? If so, how do I stop it from happening?

Also, PHPmaker puts the db.php file in htdocs, which from what I've read is accessible to everyone. Where should I move it to, and how do I tell the rest of the site to look for it in another folder?
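One way to structure the checks this post is asking about, as an added example that is neither the poster's nor PHPmaker's code: both conditions (logged in, and the right level) are tested before any output, the row a user may edit comes from the session rather than from a userID in the URL, and db.php is loaded from a folder outside the web root. The session key names follow the thread; the users table columns `email` and `UserID`, the `$pdo` connection and the `../config/db.php` path are assumptions.

```php
<?php
// Added example, not code from the thread or from PHPmaker. Assumes db.php was moved
// one level above htdocs (so the web server cannot serve it) and that it creates
// a PDO connection in $pdo. Session keys follow the names used in the thread.
session_start();
require_once __DIR__ . '/../config/db.php';   // assumed path outside htdocs

const LEVEL_ADMIN = -1;   // levels as defined in the thread's users table
const LEVEL_ANON  = 0;
const LEVEL_USER  = 1;

// Called at the very top of every protected page. Unlike the generated code, the
// level check is NOT nested under the "not logged in" branch, so a logged-in
// normal user is still turned away from an admin-only page.
function require_level(int $required): void
{
    $status = $_SESSION['project1_status'] ?? '';
    $level  = (int)($_SESSION['project1_status_UserLevel'] ?? LEVEL_ANON);
    $allowed = ($level === $required) || ($level === LEVEL_ADMIN); // admin may see everything
    if ($status !== 'login' || !$allowed) {
        if (ob_get_level() > 0) {
            ob_end_clean();       // discard any partial output before redirecting
        }
        header('Location: login.php');
        exit();                   // exit() must follow header(), or the page body still runs
    }
}

// userlist.php: administrator only.
function admin_only(): void
{
    require_level(LEVEL_ADMIN);
}

// profile.php: a normal user may change only their own e-mail. The row to update is
// taken from the session, never from ?userID= in the address bar, so changing the
// query string has no effect on whose record is written.
function update_own_email(PDO $pdo, string $newEmail): bool
{
    require_level(LEVEL_USER);
    if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
        return false;             // reject malformed input before touching the database
    }
    $stmt = $pdo->prepare('UPDATE users SET email = :email WHERE UserID = :id');
    return $stmt->execute([
        ':email' => $newEmail,
        ':id'    => $_SESSION['project1_status_UserID'],   // own row only
    ]);
}
```

The user list page calls admin_only() before rendering anything; the profile page calls update_own_email() with the submitted address and never reads a user ID from the request.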
 
I can't forget PHPmaker because this is the first time I'm writing PHP and I don't have time to learn it.

I'll look through that guide; it seems very detailed and newbie friendly. Thanks!
 