PHP admin control panel

Discussion in 'Web Design and Development' started by jacob.3336, Nov 19, 2012.

  1. macrumors newbie

    Joined:
    Jul 25, 2012
    #1
    I am currently making my website. I have a "Type" column in my users table in my database. For most users it says "Standard" in the type column but for me and a few other uses, it says "Admin". Does anybody know the best and most secure way to give users with "Admin" in the type column access to special admin control pages without giving access to standard users.

    :)
     
  2. SrWebDeveloper, Nov 20, 2012
    Last edited: Nov 20, 2012

    macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #2
    Does your website have a third party CMS under the hood?

    If yours is a DIY web site, the essential elements in writing a basic permissions system to control access to content could be (one of many ways):

    Roles table defining fields role ID and name (1="Admin",2="Standard", etc)
    Users table joining role table based on role ID
    Content table with content and field which defines which roles ID are permissed.

    When the user visits a given page, a permissions check function is called which queries their role ID and permissed role ID's and ensures a match and display content. Otherwise deny access to the page.

    Most custom CMS's follow this same basic procedure except some of them groups content into content types as an easy way to invoke permissions, or they create SDK's or API's which make it easier for developers to query user/content/role data without SQL statements. As you mentioned you prefer the "best and most secure" way - be aware of these pitfalls in your design:

    Try to avoid shortcuts like storing roles only in cookies. Cookies are easily spoofed. Use sessions (which also involve cookies) with limited information such as user ID and a hash with a hash table and session expiry on the back end. Make sure all forms are protected from SQL injection and follow basic XSS procedures to ensure safe session control. These are reasons folks use third party CMS's.

    Hope this helped you in terms of generic, high level view of things.
     

Share This Page