开发者

Is it dangerous to keep an admin page to administer your database?

问答 作者:

Hey guys I have an admin page that checks if you are admin before submitting any queries, and contains a header to the index page if you are not admin, but I am worried about protecting the page. I am concerned someone may be able to destroy my database with it. Does anyone have any recommendation into protecting a page like this, if not, should I just manually admin my database through phpmyadmin and delete the page all together?

Example

function isAdmin(){
      return ($this->userlevel == ADMIN_LEVEL ||
              $this->username  == ADMIN_NAME);
   }

 if(!$session->isAdmin()){
         header("Loca开发者_如何学编程tion: ../index.php");
         return;
      }

The admin value is stored in the database and represents ADMIN_LEVEL

It's rather common for websites to have an administrators section, but you do have to make sure, on every page, before anything is inserted, removed, etc. that the user is an admin, something you are doing.

However, having a page that lets you enter explicit SQL statements and executes them probably isn't a good idea. You could too easily enter something wrong, and it does leave a MUCH larger security hole, should something go wrong. Larger as in, easier to access system admin-level commands, depending on the setup.

Not to mention the ease of messing something up yourself.

Direct SQL queries is why you have phpMyAdmin. Admin sections are normally intended to be a GUI frontend of your data, just as the website for regular users is, but with a greater range of abilities. Such things as being able to list all users, edit a user's data through a controlled form, then updating or deleting them with a button.

Sounds pretty well protected to me. With your configuration as is, is it any more likely or easy to hack your site and not your dev pc which runs the phpMyAdmin? Probably not a whole lot more likely. Sounds like you did everything right. If you're still worries you could limit your execution of sql to select statements which are rather innocuous in terms of db danger.

继续阅读:phpsecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9