I'm making a game and I created an “administration” panel for it.
It works like this:
admin.php
admin/code1.php
admin/code2.php
admin.php:
<?php
include("lib.php");

// $player is built from a query to the player table and represents the current player.
$player = check_user($secret_key, $db);
if($player->rank != "Administrador")
{
    header("Location: personagem.php");
    exit;
}

include("templates/private_header.php");
head("Admin Panel","adminpanel.png");
startbox();

// Sub-page selection: the value of ?page= is used directly to build the include path.
if(isset($_GET['page']))
{
    include("admin/" . $_GET['page'] . ".php");
}
else
{
?>
<a href="admin.php?page=code1">Kill Players</a><br>
<a href="admin.php?page=code2">Heal Players</a><br>
<?php
}

endbox();
include("templates/footer.php");
?>
I want to know if I'm prone to hacking.
code1.php and code2.php use a custom query library that is included in lib.php, so there is no way to execute them directly without running into an error.
Also, in my template I have:
if($player->rank == "Administrador")
{
echo "<a href='admin.php'>Admin Panel</a>";
}
so I can access the panel more quickly. Is there risk in there too?
Just note that $player is an object created from a query to the player database that represents the current player. In my view the only way to hack this is to change their “rank” status in the table to “Administrador”. Am I right, or is there something I let slip?
Thanks in advance
Never trust user input
Never work with any of $_GET, $_POST, $_COOKIE without verifying them first (or anything else user-generated for that matter; even stuff from your own database might be dangerous). Don’t do this. Otherwise you can include any file you want. I suggest you whitelist all allowed pages to be included, like so:
Here’s a useful function that you could take a look at if you don’t want to whitelist all pages: basename() – this will only ever return the filename part, without any directory-changing part.
Furthermore, I do not recommend you work with includes like this at all, but rather have some Controller-hierarchy that can decide what to do on each request.
What about the authentication?
Show us your code for the authentication. That’s a crucial part of your system that needs to be secure.
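As an added example (not code from the question or the answer above), the following PHP shows what the whitelist approach the answer recommends looks like next to the original include("admin/" . $_GET['page'] . ".php"), and why basename() on its own is a weaker fix. The page names and file map are taken from the question; the helper resolve_admin_page() and the sample request values are constructed here for illustration. Note that in the posted admin.php the include is only reached after the rank check passes, so the traversal is exposed to whoever holds an “Administrador” rank, which is exactly the account an attacker would aim for.

```php
<?php
// Added example, not the original poster's code: whitelist-based dispatch for admin.php.
// Assumes the sub-pages live in admin/ as described in the question; the map is constructed here.

declare(strict_types=1);

// Whitelist: the only values of ?page= that may ever reach include().
// Keys are the public names used in the menu links, values the files they map to.
const ADMIN_PAGES = [
    'code1' => 'admin/code1.php',   // Kill Players
    'code2' => 'admin/code2.php',   // Heal Players
];

/**
 * Resolve the requested page name to a file path, or return null if it is
 * not whitelisted. Nothing derived from the request string is used to build
 * the path: the request only selects a key, the path comes from the map.
 */
function resolve_admin_page(?string $page): ?string
{
    if ($page === null) {
        return null;
    }
    // array_key_exists gives an exact key match; no loose comparison, no prefixing.
    return array_key_exists($page, ADMIN_PAGES) ? ADMIN_PAGES[$page] : null;
}

// In admin.php the dispatch would then read:
//   $target = resolve_admin_page($_GET['page'] ?? null);
//   if ($target !== null) { include $target; } else { /* print the menu */ }

// Constructed sample inputs: the two legitimate links plus what an attacker would send.
$requests = [
    'code1',
    'code2',
    '../../etc/passwd',   // directory traversal through the original include()
    '../lib',             // becomes admin/../lib.php, i.e. lib.php included again
    'code1/../code2',     // stays inside admin/ but is not a listed page name
    '',                   // empty page parameter
];

foreach ($requests as $page) {
    $target = resolve_admin_page($page);
    // The original code would include 'admin/' . $page . '.php'; show that path for comparison.
    $original_path = 'admin/' . $page . '.php';
    printf("%-22s original include: %-32s whitelist: %s\n",
        var_export($page, true), $original_path, $target ?? 'REJECTED');
}

// basename() strips directory components, so it stops traversal out of admin/,
// but it still lets the caller pick any .php file that happens to be inside admin/.
foreach (['../../etc/passwd', '../lib', 'code1'] as $page) {
    printf("basename(%s) = %s\n", var_export($page, true), basename($page));
}
```

Run it with php on the command line: the two listed names resolve to their files, every other value is rejected, and the basename() lines show that it reduces '../../etc/passwd' to 'passwd' rather than refusing the request, which is why the answer prefers the whitelist.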