[RESOLVED] How a page is accessed

thekidscareya

I have a page called admin.php that calls all the necessary pages from the admin folder. How do I keep hackers from trying to access admin pages via the admin folder?

What should I put on each php page in the admin folder?

Thanks.

devinemke

you have few choices:

store admin files outside of your server's document root
CHMOD the admin files to be non-world readable
hide the admin files behind some server level authentication wall (like htaccess if you are using Apache).

option #1 is the most secure.

thekidscareya

I don't want to use option 1 because I'll probably move this site and I don't want the files to be disorganized. Is there some sort of way I can do it by determining what IP address is accessing this page? (If the ip address is the same as the server, then it will be allowed to access the script)

devinemke

what about options 2 or 3?

thekidscareya

Will the chmod of the file be the same if i transfer web hosts?

If not ill do option 3...and use the following .htaccess file:


AuthType Basic

AuthName "Access Denied"

AuthUserFile "/home/joel/.htpasswds/fbla/admin/passwd"


require valid-user

Is that a good .htaccess file? Is that hackable?

halojoy

🙂 🙂

<?php
// this is what halojoy is using, to block per IP access to php page
// remember, anyone else using your PC will pass, without a password
// but I am the only one using my PC

// drawback is you can not access your pages from another computer
// the usual is to perform a login via password
// but this one checks ip-address instead of password

// you can use your real IP-address here of course
// instead of localhost = 127.0.0.1

//if not localhost die
if ( $_SERVER[ 'REMOTE_ADDR' ] != '127.0.0.1' ) {
     die( 'Maybe next time, man!' );
     exit();
}

//////////////////////////////////////////////////////////////

// your code for admin.php goes here

?>

🙂 🙂

devinemke

thekidscareya wrote:
Will the chmod of the file be the same if i transfer web hosts?

depends on your new server's upload mask, but regardless you can always CHMOD your files again.

thekidscareya

Thanks for all your hlep. I went with the .htaccess file. I appreciate your help.