Website login and security


akondeti

Gurus,

I have created a website and added a login form. Upon login I will be thrown an HTML form which allows me to do admin kind of work, which only I want to have access to. The login page is doing good. But here is what I noticed. When I enter in the browser the private HTML file name following my domain name, the form appears right away and I or anyone could do the admin functions bypassing the login.

How can I make sure that a specific form is accessible only through the login script and not by direct invocation (just by typing the form name in the web browser following the domain name)?

Thanks for your help.

Regards,
novice123


Have a column in your user table called user_level. For your admin account, set it to some value (it doesn't matter what you choose, just as long as you remember), and some other number for normal users. Upon login, check the level of the user; if they're the right level, show the form, if not, don't. By the way, no offense to w3, but I personally found the PHP articles here kinda bad, and very un-useful. It's best to just find freeware scripts on Google Code and just take them apart one line at a time.


Security through obscurity does not work. If someone gets a directory listing they can find out the filename and go there anyway. Or they can look at your browser and write down the name. Or they can use a traffic analyzer to sniff the network and see the name. That's not a great solution. A better solution is to actually put security on the file. The way to do that is to create user accounts and check on the page for someone logged in. I've already gotten a request to write a tutorial about that but I haven't found time yet; if I can find time I'll get one together and post it to my tutorial thread.
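
The two replies above (a `user_level` column, and a check on the page itself for a logged-in user) can be combined into one server-side guard. The following is an added example, not code posted by anyone in this thread; the file name `admin_guard.php`, the `/login.php` URL, the session keys and the `ADMIN_LEVEL` value are all assumptions.

```php
<?php
declare(strict_types=1);

// admin_guard.php (hypothetical name). The private page must itself be a
// .php script: a static .html file is served without running any check.

// Assumed value stored in the user_level column for the admin account.
const ADMIN_LEVEL = 9;

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,   // cookie not readable from JavaScript
        'secure'   => true,   // cookie only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called by the login script only after the password has been verified
// (e.g. with password_verify()) and user_level was read from the user table.
function mark_logged_in(int $userId, int $userLevel): void
{
    start_secure_session();
    session_regenerate_id(true);   // new session ID at login (anti-fixation)
    $_SESSION['user_id']    = $userId;
    $_SESSION['user_level'] = $userLevel;
}

// True only when the session holds a logged-in user with the admin level.
function is_admin(array $session): bool
{
    return isset($session['user_id'], $session['user_level'])
        && $session['user_level'] === ADMIN_LEVEL;
}

// Call at the top of the admin page, before any HTML is sent.
function require_admin(): void
{
    start_secure_session();
    if (!is_admin($_SESSION)) {
        header('Location: /login.php', true, 302);   // assumed login URL
        exit;   // stop here so the admin form is never rendered
    }
}
```

The admin page would start with `require 'admin_guard.php'; require_admin();` ahead of its form markup. The script that receives the form's submissions needs the same call, since it can also be requested directly.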


Archived

This topic is now archived and is closed to further replies.
