I’m working on a site for a company that is basically a distribution warehouse for engine parts. It’s mostly PHP/MySQL to keep track of inventory and I’m trying to keep the ‘update inventory’ pages as secure as possible for the owner to log in and change amounts, add items, etc… I have already written a log-in/verification script that’s money but I’m trying to think of the best way to keep the pages secure so that someone can’t just open one up by luck or something.
I was thinking of encrypting a random string to an md5 hash each time a link is clicked from the adminMenu and storing that in the db and then passing that random string to the next page via $_POST or ($_GET?) and then encrypting and checking the md5 against the one in the db. Is this redundant? flawed? necessary? My brain is fried from running my real business where I have to leave the house. :beam: HELP!
For my CMS thingie, I stored the password’s hash in a cookie. I had my own setup for executing queries, but basically, the hashed password in the cookie was compared to the hash of my real password every time before a query is executed. If someone got there by luck, he/she’ll get a MySQL error :evil:
You might want to implement them along with other methods… try searching Google, I’m sure you’ll find some good articles on securing this kinda thing.
What I do is basically the same as ahmed’s. I write up an if statement and save just the if statement as an .inc file and then include it at the top of each PHP page that I need secured. The if statement checks the username and password of the viewer through cookies stored on their machine.
However, you should use sessions instead of cookies because sessions are more secure and easier to upgrade and manage. Learn sessions. :thumb:
The best bet is to write up your security statements as an include file and then just include that at the top of each page. It saves a bunch of re-writing the same code and it’s just as secure. Make sure you toss the include file into its own folder and .htaccess it to deny all so no one can get to it.
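The include-file guard suggested in the replies above, built on a server-side session so that no password or password hash is ever stored in the browser. This is an added example, not code from any poster in the thread; the file name, `/login.php`, the session keys, and the idle limit are assumptions, and it expects PHP 7.3+ served over HTTPS.

```php
<?php
// auth_guard.inc.php (hypothetical name): include at the top of every admin page.
//
// Assumption: a separate login.php (not shown) verifies the password with
// password_verify(), then calls session_regenerate_id(true) and sets
// $_SESSION['user_id'] and $_SESSION['last_seen'] = time().
// The browser only ever holds the random session ID, never the password hash.

const IDLE_LIMIT = 900; // seconds of inactivity allowed (assumed value)

function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,      // cookie is not readable from JavaScript
        'secure'   => true,      // cookie is only sent over HTTPS
        'samesite' => 'Strict',  // cookie is not sent on cross-site requests
    ]);
    session_start();
}

// Pure check so it can be exercised without a live request.
function is_authenticated(array $session, int $now): bool
{
    if (empty($session['user_id']) || empty($session['last_seen'])) {
        return false;            // never logged in, or session data incomplete
    }
    return ($now - (int) $session['last_seen']) <= IDLE_LIMIT;
}

// Guard: runs as soon as an admin page includes this file.
start_secure_session();

if (!is_authenticated($_SESSION, time())) {
    $_SESSION = [];              // drop any stale data
    session_destroy();
    header('Location: /login.php');
    exit;                        // stop here so the protected page body never runs
}

$_SESSION['last_seen'] = time(); // sliding idle timeout
```

The `exit` after the redirect matters: without it the rest of the admin page still executes and is sent to anyone who ignores the `Location` header.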