  1. #1
    SitePoint Evangelist lirux's Avatar
    Join Date
    Jan 2001
    Location
    Lisboa : Portugal
    Posts
    418

    Alternative content management navigation system

    Hello. After following Kevin's tutorial about making a PHP/MySQL content management system, I had the idea of, instead of making a separate script for the administration, putting some links right in the content pages. The idea is to login and have a cookie sent to me, and then on the pages that have MySQL content (articles), I'll put a
    <?php require "/path/to/admin/links/script.php"; ?>
    that checks if I'm logged in, and if I am, it'll send me a cookie. About security, you don't really need a password to receive the cookie, as it will just say loggedIn=1;
    The problem with this is that I don't think the cookie script is sending the cookie (or maybe the other script isn't getting it). Here's what I have:


    file: login.php - Which I'll use as my homepage so I'm always logged in:
    ---start---
    <?php
    // Must run before any output is sent; expires in one hour, valid site-wide.
    setcookie('log', '1', time() + 3600, '/');
    ?>
    ---end---



    file: functions.php - Prints out the table with the admin links:
    ---start---
    <?php // originally isset($log), which depended on register_globals ?>
    <?php if (isset($_COOKIE['log'])): ?>
    <tr><td><img src="/graphics/white.gif" width=126 height=20></td></tr><tr><td><img src="/graphics/minidiv/admin.gif" height=12 width=126></td></tr><tr><td><font face="Arial,Charcoal,Helvetica" size=2><b><center><a href="/admin/update.php">Update Homepage</a><br><a href="/admin/new.php">New Article</a><br>
    <?php if (isset($id)): ?>
    <a href="/admin/edit.php/<?php echo urlencode($id); ?>/<?php echo urlencode($page); ?>/">Edit</a>
    <?php endif; ?>
    </center></b></font></td></tr><tr><td><img src="/graphics/minidiv/clear.gif" height=12 width=126></td></tr>
    <?php endif; ?>
    ---end---



    file: article.php - Which I'll use as my homepage so I'm always logged in:
    ---start---
    HTML and php code that gets the article, etc..
    <?php require "/blah/blah/functions.php"; ?>
    my template's footer.
    ---end---


    Can anyone help me out?

    PS: I didn't spell check this because of all the code. Sorry...
    Duarte Carrilho da Graça
    RailsHelp.com: Searchable Rails reference
    CACA: Committee for the Annihilation of Complicated Acronyms

  2. #2
    SitePoint Zealot moshe_be's Avatar
    Join Date
    Dec 2000
    Posts
    169
    The correct syntax for setcookie is:

    // name, value, expiry, path, domain, secure
    setcookie("cookiename", $value, time() + 3600, "/", "", 0);

    time() + 3600 = for one hour.

    One thing though, why do you need to use a cookie? You can just use the URL:

    functions.php?log=1

    that will have the same effect; to increase security you might want to have it functions.php?admin=password

    then you check

    // read the password explicitly from the query string (no register_globals)
    if (isset($_GET['admin']) && $_GET['admin'] === 'correctpassword')
    {
    // admin options.
    }

  3. #3
    SitePoint Evangelist lirux's Avatar
    Join Date
    Jan 2001
    Location
    Lisboa : Portugal
    Posts
    418
    Thanks Moshe! I'll redo the cookie script.

    I need to use a cookie to know if the person who is seeing the page is an admin, and functions.php only prints out a table that is inside the rest of the page. It needs to be there because like that, I can browse the site like a normal user would do, with a small table with the admin functions in the sidebar -> The article.php script has variables I'd need, like $id (the article id), so I can just click 'Edit Article' to edit the article I am seeing in that page... so the links pass the $id automatically so I don't need to type it myself (This is all because I'm a lazy guy:)

    I'll post back to tell you if it worked!
    Duarte Carrilho da Graça
    RailsHelp.com: Searchable Rails reference
    CACA: Committee for the Annihilation of Complicated Acronyms

  4. #4
    SitePoint Columnist Skunk's Avatar
    Join Date
    Jan 2001
    Location
    Lawrence, Kansas
    Posts
    2,066
    I'd strongly suggest against having a system where the cookie simply says "admin = yes". If some wily cracker guesses how your system works they could just open up notepad, create the cookie for their own machine and save it in their cookies directory - and then gain full access to your site.

    Much safer to at least have an obscure "secret word" stored in the cookie like "34fadsDFSú%%skjdhfi" or something. Even then it's not ideal - set the cookie on a machine outside of your control (like one in a public library) and you're leaving your site wide open.

  5. #5
    SitePoint Zealot moshe_be's Avatar
    Join Date
    Dec 2000
    Posts
    169
    Since PHP just converts cookies into variables, if you ask

    if(isset($log))

    then having a cookie is the same as functions.php?log=1

    Thus you might want to think about the admin=password approach without cookies.

  6. #6
    imagine no limitations exbabylon's Avatar
    Join Date
    Dec 2000
    Location
    Idaho, USA
    Posts
    452
    Use sessions and cookies to make a very secure site.

    Just have a login page. Use the cookie to see if you are the admin. If you are, then have it display a login page. Have a login, then if you pass, have it set a session. Then you are good to go.... it's much more secure.

    If you want to know more about them, search for sessions.. sorry I don't have time to explain.. if I find time I'll get back to you! Hopefully someone else will though...

    the way you were talking about is a HUGE security risk... even I could figure out how to access your admin...

    anyways,

    god bless
    Blamestorming: Sitting around in a group discussing why a deadline was missed or a project failed and who was responsible.

    Exbabylon- Professional Internet Services

  7. #7
    SitePoint Evangelist lirux's Avatar
    Join Date
    Jan 2001
    Location
    Lisboa : Portugal
    Posts
    418
    I'm not worried about the security; The cookie only gives you links to files in the /admin/ directory, which is protected by .htaccess; Although if anyone could tell me where to learn more about these sessions, please?
    Duarte Carrilho da Graça
    RailsHelp.com: Searchable Rails reference
    CACA: Committee for the Annihilation of Complicated Acronyms
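The session-based replacement that posts #4, #6 and #7 circle around, as an added example that is not code from this thread: the "loggedIn=1" flag moves into the server-side session store, so the browser only holds an opaque session id that a visitor cannot forge or pass as ?log=1. The password hash value and the link targets are placeholders.

```php
<?php
// Added example (not from the thread). Replaces the client-side "log=1" cookie
// with a server-side session flag set only after a password check.

// Placeholder: generate once with
//   php -r "echo password_hash('your-password', PASSWORD_DEFAULT);"
// and keep the real hash outside the web root.
const ADMIN_PASSWORD_HASH = '$2y$10$PLACEHOLDER_REPLACE_WITH_REAL_HASH';

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// login.php: call on POST; returns true once the session is an admin session.
function admin_login(string $password): bool
{
    ensure_session();
    if (!password_verify($password, ADMIN_PASSWORD_HASH)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id after the privilege change
    $_SESSION['admin'] = true;     // stored on the server, never in the cookie
    return true;
}

// functions.php: the check the sidebar makes. It deliberately ignores
// $_COOKIE['log'] and $_GET['log'], both of which any visitor can supply.
function is_admin(): bool
{
    ensure_session();
    return !empty($_SESSION['admin']);
}

// Sidebar links; $id is the article id that article.php already holds.
function admin_links(?int $id): string
{
    if (!is_admin()) {
        return '';
    }
    $html = '<a href="/admin/update.php">Update Homepage</a><br>'
          . '<a href="/admin/new.php">New Article</a><br>';
    if ($id !== null) {
        $html .= '<a href="/admin/edit.php?id=' . urlencode((string) $id) . '">Edit</a>';
    }
    return $html;
}
```

In login.php the flow is `if ($_SERVER['REQUEST_METHOD'] === 'POST' && admin_login($_POST['password'] ?? '')) { header('Location: /'); exit; }`, and article.php simply echoes `admin_links($id)` where the table used to be.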

