So I’m building a GUI admin area for my site. I will be the only one to login and it will just show a clean (printable) layout of info from my db.
Here’s what I’m doing for security. Let me know if you think this is good and how I can improve.
- headers on all pages check for `admin == true` or die/redirect
- since I have a dedicated IP at home and I will only login from home, I made all pages, including the login form page, check for my IP: `$_SERVER['REMOTE_ADDR']` != my IP -> header redirect
- My login script is in a dir set to `700` in folder permissions.
- my login and pw contain 10 total combo of letters, numbers and special chars. PW is stored as SHA2 HASH
- my login script checks with regex prior to SQL, and my credentials are stored in a separate admin table
- The entire site is on SSL.
So is this secure? Can I do more? Is this overkill? Please share your opinions and suggestions (especially regarding my IP check. Can that be circumvented?)
Used to escape bad data, in conjunction with regex on every field:

```php
// Escapes a value before it is placed in a SQL string, then strips HTML tags.
function escape_data($data) {
    if (function_exists('mysql_real_escape_string')) {
        global $dbc; // the open mysql connection resource
        $data = mysql_real_escape_string(trim($data), $dbc);
        $data = strip_tags($data);
    } else {
        // fallback for hosts without mysql_real_escape_string()
        $data = mysql_escape_string(trim($data));
        $data = strip_tags($data);
    }
    return $data;
}
```
And please, don't use `mysql_*` functions for new code. They are no longer maintained and the community has begun the deprecation process. See the red box? Instead you should learn about prepared statements and use either PDO or MySQLi. If you can't decide, this article will help to choose. If you care to learn, here is a good PDO tutorial.

P.S. As far as I know the `$_SERVER['REMOTE_ADDR']` variable would be pretty safe to use, because the only way I see that being exploitable is by an attacker proxying through your machine or spoofing the IP. And (correct me when wrong) both are pretty hard to do.

P.S. 2: I see you are using `global` in your code, also please stop using that 🙂 For more information about this watch this talk about dependency injection and SOLID programming in general. Nothing to do with security, but simply best practices for programming.
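To show what the answer's advice looks like in practice, here is the admin login lookup written with a PDO prepared statement instead of `escape_data()` plus regex. This is an added example, not code from the question or the answer; it assumes a table `admin` with columns `username` and `pw_hash`, placeholder DB credentials, and, as a deliberate change from the question's plain SHA2 hash, that the stored hash was produced by PHP's `password_hash()` so `password_verify()` can check it.

```php
<?php
// Added example, not from the original post. Assumed schema: table `admin`
// with columns `username` and `pw_hash`. Connection details are placeholders.
session_start();

function connect(): PDO {
    return new PDO(
        'mysql:host=localhost;dbname=site;charset=utf8mb4', // placeholder DSN
        'dbuser', 'dbpass',                                  // placeholder credentials
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

// Returns true only when the username exists and the password matches its hash.
// The username is bound as a parameter, so quotes or comment sequences in it
// can never alter the SQL text; no escaping or regex pre-filter is needed for that.
function admin_login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT pw_hash FROM admin WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    // Assumes pw_hash was created with password_hash($password, PASSWORD_DEFAULT);
    // password_verify() does a constant-time comparison against that hash.
    return password_verify($password, $row['pw_hash']);
}

// Usage in the login script, keeping the home-IP check from the question.
if ($_SERVER['REMOTE_ADDR'] !== 'YOUR_HOME_IP') { // placeholder for the real address
    header('Location: /');
    exit;
}
if (admin_login(connect(), $_POST['login'] ?? '', $_POST['pw'] ?? '')) {
    session_regenerate_id(true); // new session id after a successful login
    $_SESSION['admin'] = true;   // the flag the other pages check for
    header('Location: /admin/');
    exit;
}
```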