Disallow access to news.php, instead of index.php?page=news
Sorry about the long topic name, but I couldn't think of anything else. Anyways, I have an admin section on one of my sites, and I want to use the "index.php?page=x" thing (where x is included in index, and index is the template/layout). However, this isn't very secure for an admin panel:
Let's say the page was edit-news (index.php?page=edit-news). Index.php checks for the admin session, and if the session is there, then good. If it's not there, then it redirects to a login page. Here's the catch: someone could just go to edit-news.php, and they'd have access to the admin panel, because the session check is on the index.php file.
I asked one of my friends about how to do this, and he told me you have to use a class. I don't want to take the easy way out and put the session check on the edit-news page. Can anyone help me out?
- Sevengraff
- Forum Contributor
- Posts: 232
- Joined: Thu Apr 25, 2002 9:34 pm
- Location: California USA
- Contact:
I've seen it done this way:
in index.php, before the include, define a variable like $IN_INDEX_PHP
then in the files that will be included, check if the variable exists. If it does not, then the file isn't being included.
Code:
// at the top of each file that is only ever meant to be included by index.php
if( !isset( $IN_INDEX_PHP ) ) {
    die("No direct access");
}
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
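A complete worked version of the guard described in the reply above, written here as an added example rather than taken from the poster's code. Two things go beyond the reply: the guard is a define()'d constant instead of a plain variable, because with register_globals enabled a request like index.php?IN_INDEX_PHP=1 could set a variable from outside, while a constant cannot be injected from the request; and the ?page= value is looked up in a fixed list rather than passed straight into include, so the client cannot pick arbitrary files. The session key admin_logged_in, the pages/ directory and the file names are assumptions for the example.

```php
<?php
// ===== index.php (the only entry point) =====
// Added example, not the original poster's code.

// Use a constant, not a variable: with register_globals on, a variable could
// be set from the query string, but a constant can only be set by this file.
define('IN_INDEX_PHP', true);

session_start();

// Session key is an assumption; the post only says "the admin session".
if (empty($_SESSION['admin_logged_in'])) {
    header('Location: login.php');
    exit;
}

// Whitelist of pages this layout is allowed to include. Never build the
// include path directly from $_GET['page'].
$pages = array(
    'news'      => 'pages/news.php',
    'edit-news' => 'pages/edit-news.php',
);

$page = isset($_GET['page']) ? $_GET['page'] : 'news';
if (!isset($pages[$page])) {
    header('HTTP/1.0 404 Not Found');
    exit('Unknown page');
}

// ... layout header goes here ...
include $pages[$page];
// ... layout footer goes here ...


// ===== pages/edit-news.php (one of the included files) =====
// Must be the first statement in every included file. A direct request for
// pages/edit-news.php never passes through index.php, so the constant is
// undefined and the script stops before any admin code runs.
if (!defined('IN_INDEX_PHP')) {
    header('HTTP/1.0 403 Forbidden');
    exit('No direct access');
}

// edit-news content follows; it can rely on the session check in index.php
echo '<h1>Edit news</h1>';
```

Treat the defined() check as a second line of defence, not the only one: if the pages/ directory is moved outside the document root, or the web server is told to deny requests to it (for example an .htaccess "deny from all" in pages/), then edit-news.php cannot be requested directly at all, and the guard only catches mistakes in that configuration.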