One admin php script

Creating PHP Admin Script for only one user

@Dragon Why? No one ever sees your source code. If someone looks on your screen while programming, it is not in clear text. Better than just comparing it to a static variable.


I don’t see any reason why you couldn’t do it this way, assuming you will always have just the one user. The main consideration would be if someone somehow got a look at your code, they would see the stored password. So, you could store it using password_hash to generate a one way hash, and then verify it with password_verify. Here’s how I might do it:

// copy the hash output, then delete this code
echo password_hash("thepassword", PASSWORD_DEFAULT);

Then, in your code, store the hash:

// paste hash here
$passwordKey = '$2y$10$j33UPA7gNxSOBsXQcyquLOZRuO6X8k8hZOb1RA79iN8gLlqp9eIPO';

if (password_verify($userInput, $passwordKey))
    echo "correct";
else
    echo "incorrect";

Consider looking at this manual for encryption methods with PHP. My gut instinct is to make a user table, or at least a table with just the encrypted password in it, rather than just checking the variable against a value.

That being said, if you don’t think anyone will really even consider trying to fool around with the system and get past it, you probably don’t need to be this cautious. I’ve built a few front-ends as well as back-ends to communicate somewhat friendly with a database, and I’ve never experienced a considerable amount of pressure on the security.

Hope this helps, if you have any questions about how I’ve designed the ones I’ve made, feel free to email me at spencer@codeshrub.com

It should be noted that storing the password (even as a hash) in the PHP code is less secure than storing it in a database (such as MySQL), as a malfunctioning web server could leak the code out, there’s the possibility that a hacker could change the code, etc. Also, if you ever need to allow more than one user then it’s a lot easier if you have a user table instead of just a variable.


If phpmyadmin is installed on your server locally, then it is NOT secure at all.

You can use any MySQL client that supports ssh connection. E.g. Sequel Pro for Mac or HeidiSQL for WIN.

Also, you can use basic HTTP Authentication for your admin script. But, since it’s very simple, it does not protect you from brute force or password leaking, etc.

Anyway, if you prefer security you need to make your own authentication in PHP. You can use this package for example. It is simple and has many security features.
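The single-user check from the answers above, with the failed-attempt limit that plain HTTP authentication lacks, as an added example that is not part of any answer. The function names, the lockout numbers and the hash file path are assumptions.

```php
<?php
// Added example. MAX_FAILURES, WINDOW_SECONDS and both function names are hypothetical.
const MAX_FAILURES   = 5;    // failed attempts tolerated inside one window
const WINDOW_SECONDS = 900;  // length of the window (15 minutes)

// Timestamps of failed attempts that are still inside the window.
function recent_failures(string $file, int $now): array {
    $times = is_file($file) ? json_decode(file_get_contents($file), true) : [];
    $times = is_array($times) ? $times : [];  // tolerate a corrupt counter file
    return array_values(array_filter($times, fn($t) => $t > $now - WINDOW_SECONDS));
}

// Returns "ok", "bad" or "locked". $hash is the output of password_hash().
function admin_login(string $input, string $hash, string $failFile, ?int $now = null): string {
    $now = $now ?? time();
    $failures = recent_failures($failFile, $now);
    if (count($failures) >= MAX_FAILURES) {
        return "locked";  // refuse without evaluating the guess at all
    }
    if (password_verify($input, $hash)) {
        if (is_file($failFile)) {
            unlink($failFile);  // success resets the counter
        }
        return "ok";
    }
    $failures[] = $now;
    file_put_contents($failFile, json_encode($failures), LOCK_EX);
    return "bad";
}

// Constructed demo: throwaway password, counter in a temp file. In a deployment the
// hash would be read from a file outside the document root, for example
// trim(file_get_contents("/path/outside/webroot/admin.hash")) (placeholder path).
$hash = password_hash("constructed-demo-password", PASSWORD_DEFAULT);
$failFile = sys_get_temp_dir() . "/admin-failures-" . bin2hex(random_bytes(4)) . ".json";
for ($i = 1; $i <= 6; $i++) {
    echo "wrong guess $i: ", admin_login("guess$i", $hash, $failFile), PHP_EOL;
}
echo "right password during lockout: ",
    admin_login("constructed-demo-password", $hash, $failFile), PHP_EOL;
unlink($failFile);
```

A single global counter means anyone who keeps guessing can also keep the real admin locked out for the window; counting per client address avoids that at the cost of weaker throttling against distributed guessing.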


One admin php script

A solution that will ease website administration for all of you who use several of our PHP scripts.

Do you use several of our PHP scripts? Are you tired of logging in and out of various administration pages? Then let us show you how the «One admiN» feature works so you can enjoy the ease of working with multiple PHPjabbers.com scripts!

PHPJabbers One Admin Feature

The standard menu


This is what a typical navigation menu looks like in our PHP scripts. When you’re logged into the script administration page, on the left side you’ll see the menu which lets you navigate to the most important sections of the script.

You have this for each of our PHP scripts!


«One admiN» menu

We can imagine the hassle of having to log in to multiple PHP scripts. You need to remember each URL and its login details. You need to type these login details every time you want to access any of the PHP scripts’ administration pages.

Not any longer! The «One admiN» feature will add a simple drop-down menu above the main script menu where you can add any of the PHP scripts that you use.


Click and go!


Just select the PHP script you want to manage and «One admiN» will take you there without the need to remember the web address of its administration page or its login details. It couldn’t be simpler, could it? Manage all your PHP scripts with a single click.

How to set it up

Please, follow the steps below to enable «One admiN» in our products. You can also watch the video below. Need help? Contact us.


Simple PHP Admin Panel (Free Download)

Welcome to a tutorial on how to create a simple PHP admin panel. Since you are reading this, I will assume that you are interested in “powering up” your existing project and want to build an administrative component for it. So here is one of my own, all done in pure HTML, CSS, JavaScript, and PHP. No third-party frameworks. Read on!


PHP MYSQL ADMIN PANEL

All right, let us now get into the details of how to create a simple admin panel with PHP and MySQL.

PART 1) USER DATABASE

-- (A) USERS TABLE
CREATE TABLE `users` (
  `user_id` bigint(20) NOT NULL,
  `user_email` varchar(255) NOT NULL,
  `user_name` varchar(255) NOT NULL,
  `user_password` varchar(255) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

ALTER TABLE `users`
  ADD PRIMARY KEY (`user_id`),
  ADD UNIQUE KEY `user_email` (`user_email`),
  ADD KEY `user_name` (`user_name`);

ALTER TABLE `users`
  MODIFY `user_id` bigint(20) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=1;

-- (B) DEFAULT USER
-- EMAIL: JOY@DOE.COM | PASSWORD: 123456
INSERT INTO `users` (`user_id`, `user_email`, `user_name`, `user_password`) VALUES
  (1, 'joy@doe.com', 'Joy Doe', '$2y$10$vZJy7y4uqQQTRN3zdi2RE.5ZJJzGEEPnzEjFXm4nEOx023XQ2Qe..');

  • user_id Primary key and auto-increment.
  • user_email User email, unique to prevent duplicates.
  • user_name User name.
  • user_password The user’s password.

PART 2) PHP ADMIN LIBRARY

<?php
class Admin {
  // (A) CONSTRUCTOR - CONNECT TO DATABASE
  private $pdo = null;
  private $stmt = null;
  public $error = "";
  function __construct () {
    $this->pdo = new PDO(
      "mysql:host=".DB_HOST.";dbname=".DB_NAME.";charset=".DB_CHARSET,
      DB_USER, DB_PASSWORD, [
      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
      PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
    ]);
  }

  // (B) DESTRUCTOR - CLOSE CONNECTION
  function __destruct () {
    if ($this->stmt !== null) { $this->stmt = null; }
    if ($this->pdo !== null) { $this->pdo = null; }
  }

  // (C) HELPER FUNCTION - RUN SQL QUERY
  function query ($sql, $data=null) : void {
    $this->stmt = $this->pdo->prepare($sql);
    $this->stmt->execute($data);
  }

  // (D) GET USER BY ID OR EMAIL
  function get ($id) {
    $this->query(sprintf("SELECT * FROM `users` WHERE `%s`=?",
      is_numeric($id) ? "user_id" : "user_email"
    ), [$id]);
    return $this->stmt->fetch();
  }

  // (E) SAVE USER
  function save ($name, $email, $password, $id=null) {
    // (E1) SQL & DATA
    $sql = $id==null
      ? "INSERT INTO `users` (`user_name`, `user_email`, `user_password`) VALUES (?,?,?)"
      : "UPDATE `users` SET `user_name`=?, `user_email`=?, `user_password`=? WHERE `user_id`=?" ;
    $data = [$name, $email, password_hash($password, PASSWORD_DEFAULT)];
    if ($id!=null) { $data[] = $id; }

    // (E2) RUN SQL
    $this->query($sql, $data);
    return true;
  }

  // (F) VERIFICATION
  function verify ($email, $password) {
    // (F1) GET USER
    $user = $this->get($email);
    $pass = is_array($user);

    // (F2) CHECK PASSWORD
    if ($pass) {
      $pass = password_verify($password, $user["user_password"]);
    }

    // (F3) REGISTER MEMBER INTO SESSION
    if ($pass) {
      foreach ($user as $k=>$v) { $_SESSION["admin"][$k] = $v; }
      unset($_SESSION["admin"]["user_password"]);
    }

    // (F4) RESULT
    if (!$pass) { $this->error = "Invalid email/password"; }
    return $pass;
  }
}

// (G) DATABASE SETTINGS - CHANGE TO YOUR OWN
define("DB_HOST", "localhost");
define("DB_NAME", "test");
define("DB_CHARSET", "utf8mb4");
define("DB_USER", "root");
define("DB_PASSWORD", "");

// (H) START!
session_start();
$_ADM = new Admin();

  • (A, B, H) When $_ADM = new Admin() is created, the constructor will connect to the database. The destructor closes the connection.
  • (C) query() A helper function to execute an SQL query.
  • (D to F) The actual admin functions.
    • get() Get user by ID or email.
    • save() Add or update a user.
    • verify() Verify the given email and password. Register the user into $_SESSION["admin"].

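PART 3) LOGIN PAGE

<?php
// (A) LOAD LIBRARY - THE FILE NAME BELOW IS A PLACEHOLDER FOR THE PART 2 LIBRARY
require "ADMIN-LIBRARY.php";

// (B) CHECK LOGIN CREDENTIALS
if (isset($_POST["email"], $_POST["password"])) {
  $_ADM->verify($_POST["email"], $_POST["password"]);
}

// (C) REDIRECT IF SIGNED IN
if (isset($_SESSION["admin"])) {
  header("Location: 5-protected.php");
  exit();
}
?>
<?php if ($_ADM->error!="") { echo $_ADM->error; } ?>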

ADMIN LOGIN

  • (D) A good old HTML login form.
  • (A & B) On submission, we use the library to process the login request.
  • (C) On successful login, we redirect the user to the “main admin page”; any users who are already signed in will also be redirected.
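The library registers the user into the session and the login page redirects to a protected page, but the guard on that page is not shown here. One way to write it, together with a session ID refresh at login and stricter cookie settings, as an added example that is not the tutorial's code; all function names, IDLE_LIMIT and LOGIN_PAGE are assumptions.

```php
<?php
// Added example, not the tutorial's code. All names and LOGIN_PAGE are hypothetical.
const IDLE_LIMIT = 1800;              // seconds of inactivity before re-login
const LOGIN_PAGE = "LOGIN-PAGE.php";  // placeholder, the login page's file name is not shown

// Use in place of a bare session_start().
function start_admin_session(): void {
    ini_set("session.use_strict_mode", "1");  // reject session IDs the server never issued
    session_set_cookie_params([
        "path" => "/", "httponly" => true, "samesite" => "Strict",
        "secure" => ($_SERVER["HTTPS"] ?? "off") !== "off",  // Secure flag when on HTTPS
    ]);
    session_start();
}

// Call once verify() has returned true: a fresh ID defeats session fixation.
function on_login_success(): void {
    session_regenerate_id(true);  // true = delete the old session data
    $_SESSION["admin_last_seen"] = time();
}

// Pure decision: signed in and active within the idle limit?
function admin_session_valid(array $session, int $now): bool {
    return isset($session["admin"], $session["admin_last_seen"])
        && $now - $session["admin_last_seen"] <= IDLE_LIMIT;
}

// First call on every protected page.
function require_admin(): void {
    if (!admin_session_valid($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header("Location: " . LOGIN_PAGE);
        exit();
    }
    $_SESSION["admin_last_seen"] = time();  // sliding expiry
}

// Constructed demo of the decision function, runnable from the command line.
if (PHP_SAPI === "cli") {
    $now = 1700000000;
    $admin = ["user_id" => 1, "user_email" => "joy@doe.com"];
    var_dump(admin_session_valid(["admin" => $admin, "admin_last_seen" => $now - 60], $now));
    var_dump(admin_session_valid(["admin" => $admin, "admin_last_seen" => $now - 7200], $now));
    var_dump(admin_session_valid([], $now));
}
```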
