tags:

views:

81

answers:

2
+2  Q: 

Is it dangerous to keep an admin page to administer your database?

Hey guys I have an admin page that checks if you are admin before submitting any queries, and contains a header to the index page if you are not admin, but I am worried about protecting the page. I am concerned someone may be able to destroy my database with it. Does anyone have any recommendation into protecting a page like this, if not, should I just manually admin my database through phpmyadmin and delete the page all together?

Example

function isAdmin(){
      return ($this->userlevel == ADMIN_LEVEL ||
              $this->username  == ADMIN_NAME);
   }

 if(!$session->isAdmin()){
         header("Location: ../index.php");
         return;
      }

The admin value is stored in the database and represents ADMIN_LEVEL

+2  A: 

It's rather common for websites to have an administrators section, but you do have to make sure, on every page, before anything is inserted, removed, etc. that the user is an admin, something you are doing.

However, having a page that lets you enter explicit SQL statements and executes them probably isn't a good idea. You could too easily enter something wrong, and it does leave a MUCH larger security hole, should something go wrong. Larger as in, easier to access system admin-level commands, depending on the setup.

Not to mention the ease of messing something up yourself.

Direct SQL queries is why you have phpMyAdmin. Admin sections are normally intended to be a GUI frontend of your data, just as the website for regular users is, but with a greater range of abilities. Such things as being able to list all users, edit a user's data through a controlled form, then updating or deleting them with a button.

Slokun  2010-03-30 20:53:03
thanks for your advice. The page would just be a GUI to delete topics and ban users and such.
Scarface  2010-03-30 21:06:27
+1  A: 

Sounds pretty well protected to me. With your configuration as is, is it any more likely or easy to hack your site and not your dev pc which runs the phpMyAdmin? Probably not a whole lot more likely. Sounds like you did everything right. If you're still worries you could limit your execution of sql to select statements which are rather innocuous in terms of db danger.

Paul Sasik  2010-03-30 20:53:40
thanks for your input man, appreciate it. I feel a bit better now lol.
Scarface  2010-03-30 21:05:50

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL