Hi. I'm trying to make my first PHP website and I'm having a few problems with security. I'm using PHPmaker to make the code.
I have a users table with a userlevel field which is -1 = administrator, 0 = anonymous, 1 = normal user (this is all built into PHPmaker).
When you make it so that users can't see the users table, PHPmaker simply hides it from the menu, but it's still accessible directly by a user.
Here's the code PHPmaker made in the page where you can see all the users and edit them (this should be only viewable by the administrator):
Code:
<?php
if (@$_SESSION["project1_status"] <> "login") {
    header("Location: login.php");
    exit();
    if (@$_SESSION["project1_status_UserID"] == "" && @$_SESSION["project1_status_UserLevel"] <> -1) {
        ob_end_clean();
        header("Location: login.php");
        exit();
    }
}
?>
The code works when you try to access the page directly before you login, but after you login, it lets you see the page. I've made sure the user I'm trying has a userlevel of 1.
Should I just not allow anyone (not even an administrator) to access this kind of webpage and do everything through phpMyAdmin?
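The following is an added example, not part of the original post and not PHPmaker's own code. It models the posted check beside a fail-closed administrator check and runs both over three constructed sessions. The session key names come from the post; the function names and sample sessions are assumptions made for illustration.

```php
<?php
// Added example. Session keys are the ones in the post; function names
// and the sample sessions below are constructed for illustration.

// Mirrors the posted logic: the user-level test is nested inside the
// "not logged in" branch, after exit(), so it never runs.
function posted_check_allows(array $s): bool {
    if (($s['project1_status'] ?? '') != 'login') {
        return false; // redirect to login.php; nested level test is unreachable
    }
    return true;      // every logged-in user reaches the page
}

// Hardened form: two independent checks, each failing closed.
function admin_check_allows(array $s): bool {
    if (($s['project1_status'] ?? '') !== 'login') {
        return false; // not logged in
    }
    $uid   = $s['project1_status_UserID'] ?? '';
    $level = $s['project1_status_UserLevel'] ?? null;
    if ($uid === '' || $level === null) {
        return false; // missing identity or level: deny
    }
    return (int)$level === -1; // only the administrator level passes
}

// Guard to call at the top of an admin-only page.
function require_admin(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!admin_check_allows($_SESSION)) {
        header('Location: login.php');
        exit();
    }
}

// Constructed sample sessions.
$base = ['project1_status' => 'login', 'project1_status_UserID' => '7'];
$samples = [
    'anonymous'     => [],
    'normal user'   => $base + ['project1_status_UserLevel' => 1],
    'administrator' => $base + ['project1_status_UserLevel' => -1],
];
foreach ($samples as $name => $s) {
    printf("%-14s posted=%-5s hardened=%s\n", $name,
        var_export(posted_check_allows($s), true),
        var_export(admin_check_allows($s), true));
}
```

Run from the command line, the normal user row shows `posted=true hardened=false`, which is the behaviour described in the post.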