Page 1 of 1

web page structure

Posted: Sat May 26, 2007 2:17 pm
by staar2
How you make your web page? I am little pit confused about that. How you connect all pages? How you make them secure?

Posted: Sat May 26, 2007 2:18 pm
by John Cartwright
Those are all very broad questions, and quite impossible to answer without writing a novel. Please ask specific questions.

Posted: Sat May 26, 2007 2:26 pm
by staar2
How i connect all the data between pages. Like in admin panel, i dont want to use GET to transfer all the data.
Like web.ee/admin/delete.php?id=1

Posted: Sat May 26, 2007 2:28 pm
by John Cartwright
the information in the url after ? is available in the $_GET superglobal.

Posted: Sat May 26, 2007 2:41 pm
by staar2
Jcart wrote:the information in the url after ? is available in the $_GET superglobal.
Sorry, did not explain clearly, wanted to say that someone evil man can also go into web.ee/admin/delete.php?id=1 this page and delete entry. How can i avoid it, use some sessions to control is the admin logged in ?

Posted: Sat May 26, 2007 2:44 pm
by feyd
  1. requiring another login to get into the admin area (or any pages underneath) can help.
  2. changing the session id when transitioning to other security layers helps too.
  3. Don't actually delete anything. Instead, mark it as deleted using a flagged column.

Posted: Sat May 26, 2007 2:45 pm
by John Cartwright
Typically when logging in a user is given a session flag to indicate they have permission to access specific pages. In the simplest sense, a is_logged_in flag of some sort is given, ie.

Code: Select all

//semi pseudo
session_start();

if (login is valid)
{
   $_SESSION['loggedin'] = true;
}
and then on your admin/delete.php at the top of the page you'd do

Code: Select all

session_start();
if (!isset($_SESSION['loggedin']) || !$_SESSION['loggedin'])
{
   //redirect to main page
   header('Location: http://domain.com/');
   exit();
}

Posted: Sun May 27, 2007 2:55 am
by staar2
should i make Sessions like this Username and md5(password) each time when loads some secret page it checks username and password?