Re: Including files from another site

Personally I would use it as part of the session and verify it that way...

i.e.: check to see if the $PHP_SELF is www.mycms.com, if not refresh the
page to that URL automatically and then make them do the login.  Only
after logging in does the session key get the "mysite=true" key or
whatever you want to check for.

That SHOULD keep it from getting hacked, as you're basically verifying at
the beginning that you are only allowing entry from your location.

You should also be making sure that your server does not allow others to
host primary images so that nobody could phish your site.  PayPal and
Chase are really lamely set up which is making phishing easier for
people who use them.

My $.02

Wolf

Shaun wrote:
> Hi,
> 
> Thanks for your reply, just had a thought: How secure would it be if I made 
> sure that the URL of the browser was www.mycms.com and only allow access to 
> pages in the /cms folder if true?
> 
> Is this safe or an easy hack?
> 
> 
> "Wolf" <LoneWolf@xxxxxxxxx> wrote in message 
> news:4443E960.2070403@xxxxxxxxxxxx
>> So, swap your CMS logins to use the same access code for the user, then
>> use sessions to swap the mysql stuff in where needed.
>>
>> Or make it use a mysql call from the CMS login to access their mysql
>> information from another table and do it that way.
>>
>> 1 login, 1 password, very user friendly.
>>
>> And only 1 place to have to worry about changing files.
>>
>> HTH,
>>
>> Wolf
>>
>>
>> Shaun wrote:
>>> I see your point, the only problem is that the user will have already
>>> logged once into the CMS, logging in again would be a little frustrating
>>> and not very user friendly...
>>>
>>>
>>> ""Weber Sites LTD"" <berber@xxxxxxxxxxxxxxx> wrote in message
>>> news:2f9101c6624d$00964610$6901a8c0@xxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> I think that you are looking at this from the wrong angle.
>>>> What you should do is password protect all CMS directories,
>>>> and then anyone that needs access has to punch in a valid
>>>> username and password.
>>>>
>>>> Have a look at : http://sourceforge.net/projects/modauthmysql/
>>>>
>>>> Sincerely
>>>>
>>>> berber
>>>>
>>>> Visit the Weber Sites Today,
>>>> To see where PHP might take you tomorrow.
>>>> PHP code examples : http://www.weberdev.com
>>>> PHP & MySQL Forums : http://www.weberforums.com
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Shaun [mailto:shaunthornburgh@xxxxxxxxxxx]
>>>> Sent: Monday, April 17, 2006 2:52 PM
>>>> To: php-general@xxxxxxxxxxxxx
>>>> Subject: Re:  Including files from another site
>>>>
>>>> Hi,
>>>>
>>>> Thanks for your reply, sorry I should have been a little clearer in my
>>>> explanation. Here goes...
>>>>
>>>> I have a dedicated UNIX server with many websites on it. On this server
>>>> I have also created a Content Management System which has a database
>>>> which I use to store HTML content for all the other websites. Each
>>>> website has a database connection to the CMS database to retrieve the
>>>> HTML for its pages.
>>>>
>>>> Each website that uses its own database has a folder called /cms and in
>>>> here I keep all the database admin scripts for that website. I want
>>>> these pages to only be accessible from within the CMS website and
>>>> nothing else. So when the user is in the CMS they can click on database
>>>> admin and it will include the pages in that website's /cms folder.
>>>>
>>>> My question is how can I ensure that the CMS is the only website that
>>>> can access these scripts securely?
>>>>
>>>> Thanks for your advice.
>>>>
>>>>
>>>> ""Weber Sites LTD"" <berber@xxxxxxxxxxxxxxx> wrote in message
>>>> news:2a6601c6621b$fa43bc60$6901a8c0@xxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>> I'm not sure I understand what you are trying to do.
>>>>> What is the connection between frames and security?
>>>>>
>>>>> In general, assuming that all users have access to the same scripts,
>>>>> you need to include in all of your scripts some kind of security logic
>>>>> that tells the script which user can do what.
>>>>>
>>>>> Usually you would want to also allow group access rather than user
>>>>> access for easier maintenance.
>>>>>
>>>>> You should keep a user table with user, password and privileges. There
>>>>> are endless ways to do this and you need to choose what is best for
>>>>> your site.
>>>>>
>>>>> Have a look at some relevant code examples:
>>>>> http://www.weberdev.com/AdvancedSearch.php?searchtype=title&search=auth
>>>>>
>>>>> berber
>>>>>
>>>>> -----Original Message-----
>>>>> From: Shaun [mailto:shaunthornburgh@xxxxxxxxxxx]
>>>>> Sent: Monday, April 17, 2006 12:46 PM
>>>>> To: php-general@xxxxxxxxxxxxx
>>>>> Subject:  Including files from another site
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have created a CMS where all sites on our server are administrated
>>>>> from one central site, and HTML content is stored in the CMS database.
>>>>>
>>>>> I want users to all control their site's database functions from the
>>>>> CMS site, but I want to keep the database and database admin scripts
>>>>> in the individual website account to keep things simple. So I
>>>>> want to be able to include these scripts within the CMS site but keep
>>>>> them secure. I have tried using frames but I can't keep a session
>>>>> going in the database admin scripts, is there a better way to do this?
>>>>>
>>>>> Any advice would be greatly appreciated.
>>>>>
>>>>> --
>>>>> PHP General Mailing List (http://www.php.net/) To unsubscribe, visit:
>>>>> http://www.php.net/unsub.php
> 
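
The session check described in the reply at the top of this thread, sketched as an added example (not code from any poster). The file name `cms_guard.php`, the session key `cms_authenticated` and the login URL are assumptions, and it assumes the /cms scripts are served under www.mycms.com so they share its session cookie. The host comparison only triggers the redirect; the access decision rests on the server-side session flag set at login, because the Host header is supplied by the client.

```php
<?php
declare(strict_types=1);
// cms_guard.php (hypothetical file name), added example.
// In each /cms script:   require 'cms_guard.php'; cms_enforce();
// In the login handler, after the password check: cms_mark_logged_in();

const CMS_HOST     = 'www.mycms.com';                   // CMS host named in the thread
const LOGIN_URL    = 'https://www.mycms.com/login.php'; // assumed login page
const SESSION_FLAG = 'cms_authenticated';               // assumed key ("mysite=true" in the post)

/** Returns 'allow', 'redirect' (wrong host) or 'login' (no session flag). */
function cms_guard_decision(string $host, array $session): string
{
    // Drop an optional :port and compare case-insensitively.
    $host = strtolower((string) preg_replace('/:\d+$/', '', $host));
    if ($host !== CMS_HOST) {
        return 'redirect';
    }
    // The flag is stored server-side; the browser only holds the session ID.
    if (($session[SESSION_FLAG] ?? false) !== true) {
        return 'login';
    }
    return 'allow';
}

/** Call once, after the username and password have been verified. */
function cms_mark_logged_in(): void
{
    session_regenerate_id(true);    // fresh session ID at login
    $_SESSION[SESSION_FLAG] = true;
}

/** Starts the session and stops the request unless it is allowed. */
function cms_enforce(): void
{
    // Assumes the CMS is served over HTTPS.
    session_start(['cookie_httponly' => true, 'cookie_secure' => true]);
    if (cms_guard_decision($_SERVER['HTTP_HOST'] ?? '', $_SESSION) !== 'allow') {
        header('Location: ' . LOGIN_URL, true, 302);
        exit;
    }
}
```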
