I am now trying to make an admin panel, and there I want to add 3 sections:

  1. Edit post
  2. Remove post
  3. Add post

In the file admin.php I am using sessions, but I don't know how to separate these 3 sections. I want to use this method to make the 3 sections in the page admin.php:

  1. /admin.php?id=edit
  2. /admin.php?id=remove
  3. /admin.php?id=add

I want to ask you whether this decision is correct?

3 Answers

1

This is correct, even though using POST is recommended, as it is a little harder to play with for novice hackers. Also make sure you check that the user has the right to access dangerous sections such as "edit" and "remove".

Also as a security recommendation, you should change the name of your admin.php file to something less easily findable: any prospective hacker has automated tools to try the most known admin section names to try to get in. If the name is unique, it will add a difficulty before even trying to break it.


2 Comments

Ok, I will check, but this panel will be only for the admin (1 user).
As many admin sections are; however, anyone can try to call the "admin.php" page and try some known security issues or bad coding to get access.
1

Your answer to "but I don't know how to separate these 3 sections":

if (isset($_GET['id'])) {
    switch ($_GET['id']) {
        case 'add':
            // your code
            break;
        case 'edit':
            // your code
            break;
        case 'remove':
            // your code
            break;
        default:
            // your code if someone passes anything other than add/edit/remove
    }
}

I'm using the same way in my code and there is no problem, but you should check your code's security.

Correct me if i'm wrong

Comments
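Putting the two answers above together, here is an added example of what an admin.php router with the recommended checks can look like: an admin-session check before any section runs, the switch on the `id` parameter that only accepts the three known values, and POST plus a per-session CSRF token for the state-changing sections. This is not code from the question or from either answer; the `add_post`, `edit_post` and `remove_post` helpers and the `$_SESSION['is_admin']` flag set at login are assumptions.

```php
<?php
// Added example, not the asker's or the answerers' code.
// Assumptions: the login page already sets $_SESSION['is_admin'] = true for the
// single admin user; add_post/edit_post/remove_post are hypothetical helpers.
declare(strict_types=1);

session_start();

// 1. Authorization: every section on this page requires an admin session.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. One CSRF token per session, required on every state-changing request.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Reject anything that is not a POST carrying the session's token.
function require_post_with_csrf(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('This action requires POST');
    }
    $sent = (string) ($_POST['csrf_token'] ?? '');
    if (!hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Read and validate the post id from the POST body (edit/remove only).
function post_id_from_request(): int
{
    $id = filter_input(INPUT_POST, 'post_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Missing or invalid post_id');
    }
    return $id;
}

// On GET, show a form that carries the token; on POST, perform the action.
function render_form(string $section): void
{
    $token   = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    $action  = htmlspecialchars('/admin.php?id=' . $section, ENT_QUOTES, 'UTF-8');
    $idField = $section === 'add' ? '' : '<input name="post_id" type="number" min="1">';
    echo "<form method=\"post\" action=\"{$action}\">{$idField}"
       . "<input type=\"hidden\" name=\"csrf_token\" value=\"{$token}\">"
       . "<button type=\"submit\">{$section}</button></form>";
}

// 3. Route on the section name; only the three known values are accepted.
$section = (string) ($_GET['id'] ?? '');

switch ($section) {
    case 'add':
    case 'edit':
    case 'remove':
        if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            render_form($section);
            break;
        }
        require_post_with_csrf();
        if ($section === 'add') {
            add_post((string) ($_POST['title'] ?? ''), (string) ($_POST['body'] ?? ''));   // hypothetical
        } elseif ($section === 'edit') {
            edit_post(post_id_from_request(), (string) ($_POST['body'] ?? ''));            // hypothetical
        } else {
            remove_post(post_id_from_request());                                            // hypothetical
        }
        break;
    default:
        // Anything other than add/edit/remove, including an empty id, is a 404.
        http_response_code(404);
        exit('Unknown section');
}
```

The `default` branch returns 404 rather than falling through to a section, so an unexpected `id` value can never run one of the dangerous actions; `hash_equals` is used for the token comparison so the check does not leak timing information.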

0

I would structure the code in such a way that every one of my admin pages inherits from a single secure base class. All subclasses can implement whatever functionality they need, so you won't have one giant file, and they can all easily be maintained from a security point of view. Your main entry point into the system can then be an admin.php page that invokes the right class and method based on your HTTP params, using a simple switch statement or another method to route the request.

2 Comments

Mhm, I'm thinking about this too, but I don't know how to separate this class method invocation; would using a switch case be the correct idea to separate the class invocation?
So from a scalability point of view it might not be the best option. However, for an admin page it should work fine. The simplest way I could think to do this is by including the class in the request, switching on the class type, then newing up an instance and calling the method. If you want something that requires less maintenance you could leverage call_user_func(), put everything in a try/catch and just use the request params to directly create an instance and make the function call. I've seen this scale well, but it's hard to understand and debug at times since it's "magic".
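The base-class layout from the answer above, as an added example rather than the answerer's code. The one design choice worth showing is the routing table: the request supplies only a short section name, and a fixed allowlist maps that name to a class, so the request can never name an arbitrary class to instantiate (the risk with the "use the request params to directly create an instance" shortcut mentioned in the comment). The `$_SESSION['is_admin']` flag and the `PostStore` helper are assumptions.

```php
<?php
// Added example, not the answerer's code.
// Assumptions: login sets $_SESSION['is_admin'] = true; PostStore is a
// hypothetical data-access helper with add/edit/remove methods.
declare(strict_types=1);

// Every admin page inherits the session check from this constructor, so a
// subclass cannot forget it.
abstract class AdminPage
{
    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION['is_admin'])) {
            http_response_code(403);
            exit('Forbidden');
        }
    }

    // Subclasses receive only the already-parsed request arrays.
    abstract public function handle(string $method, array $post): string;

    // Shared rule for state-changing pages: POST only.
    protected function requirePost(string $method): void
    {
        if ($method !== 'POST') {
            http_response_code(405);
            exit('This action requires POST');
        }
    }

    protected function postId(array $post): int
    {
        $id = filter_var($post['post_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            http_response_code(400);
            exit('Missing or invalid post_id');
        }
        return $id;
    }
}

final class AddPostPage extends AdminPage
{
    public function handle(string $method, array $post): string
    {
        $this->requirePost($method);
        PostStore::add((string) ($post['title'] ?? ''), (string) ($post['body'] ?? '')); // hypothetical
        return 'Post added';
    }
}

final class EditPostPage extends AdminPage
{
    public function handle(string $method, array $post): string
    {
        $this->requirePost($method);
        PostStore::edit($this->postId($post), (string) ($post['body'] ?? ''));          // hypothetical
        return 'Post edited';
    }
}

final class RemovePostPage extends AdminPage
{
    public function handle(string $method, array $post): string
    {
        $this->requirePost($method);
        PostStore::remove($this->postId($post));                                         // hypothetical
        return 'Post removed';
    }
}

// Allowlist: the request picks a key, never a class name.
const ADMIN_ROUTES = [
    'add'    => AddPostPage::class,
    'edit'   => EditPostPage::class,
    'remove' => RemovePostPage::class,
];

// Entry point (admin.php): look the section up, 404 on anything unknown.
function route(string $section, string $method, array $post): string
{
    if (!array_key_exists($section, ADMIN_ROUTES)) {
        http_response_code(404);
        exit('Unknown section');
    }
    $class = ADMIN_ROUTES[$section];
    $page  = new $class();              // constructor runs the admin check
    return $page->handle($method, $post);
}

echo route((string) ($_GET['id'] ?? ''), $_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
```

Adding a fourth section means adding one subclass and one line in `ADMIN_ROUTES`; the authorization check stays in the base constructor and is never repeated per page.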
