What would be my security risk? [on hold]

0 votes
Asked by user: (120 points)

I would like to build a website that has an admin section as usual, written in PHP.

My idea behind it, however, would be a bit different. Instead of having a dedicated admin area, I would have a log in.

If the user is logged in (which would be an admin), then the content of the page would be replaced by input boxes. These boxes would have a button to update.

If user is not an admin: (display as normal page)

Here would be some content, maybe a paragraph.

If user is admin: (show as input boxes with button)

- Header       -              (input)
- Here would be some -
- content, maybe a   -        (input)
- paragraph.         -
            - UPDATE -        (button)

I know this would work but I am wondering about security. If I was going to do this what would be the risk?

I would have the correct steps as far as SQL injection and the config file outside the web directory. But does this really add any extra security issues than a dedicated admin page?


So to make things more clear, I would do the same backend steps as a normal admin section. I am not asking necessarily about my code, but about the concept of essentially putting an admin section combined with my normal website.

In the comments it was mentioned that as long as I am validating the session, that would be enough. I guess that was kind of what I was looking for.

Posted by user: (140 points)
As long as you validate the session when saving the page, then doing it this way would not compromise security. Make sure everything actionable by an admin is blocked if the user's session does not exist.
Posted by user: (380 points)
There's no code, so we don't know what exactly would constitute a security risk.
Posted by user: (140 points)
Put it in another perspective: your admin will have only access to the admin panel (whatever it is rendered as) and cannot navigate the content. As far as the administration area is well protected, you will not have any added security risk, to me.
Posted by user: (100 points)
Keep in mind that a session could also be changed/added/removed by the front-end user.
Posted by user: (120 points)
How would a user be able to edit a session? Or I guess, how would the session be at any more risk than on a dedicated admin section?
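Added example, not code from the question or any of the comments: one PHP page that renders the same stored text as a paragraph for visitors and as input boxes with an UPDATE button for an admin, with the admin check performed in the POST handler rather than only when choosing what to render, as the first comment recommends. The table and column names (page_content, slug, header, body), the session keys and the SQLite file under the system temp directory are assumptions made for this example; the login handler is out of scope and is represented only by grantAdmin(), which the real login code would call after password_verify() succeeds.

```php
<?php
// Added example (not from the original question or comments). Hypothetical
// table/column names; the SQLite file is constructed here so the page runs
// stand-alone under "php -S localhost:8000 page.php".
declare(strict_types=1);
session_start();

// --- constructed sample storage (stands in for the real site's database) ---
$db = new PDO('sqlite:' . sys_get_temp_dir() . '/page_demo.sqlite', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE IF NOT EXISTS page_content (slug TEXT PRIMARY KEY, header TEXT, body TEXT)');
$db->exec("INSERT OR IGNORE INTO page_content VALUES ('home', 'Header', 'Here would be some content, maybe a paragraph.')");

// Authorization state lives in the server-side session. The browser only holds the
// session ID cookie; it cannot read or rewrite $_SESSION['is_admin'] itself.
function isAdmin(): bool
{
    return isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true;
}

// To be called by the (not shown) login handler after the password check succeeds.
function grantAdmin(): void
{
    session_regenerate_id(true);            // discard any session ID the client brought to login (fixation)
    $_SESSION['is_admin']   = true;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

$slug = 'home';

// --- update handler: the admin check happens here, not only in the rendering branch ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isAdmin()) {
        http_response_code(403);
        exit('Forbidden');
    }
    // The admin browses the public site while logged in, so a third-party page could try
    // to submit this form from their browser; require the per-session CSRF token.
    $sent = (string) ($_POST['csrf_token'] ?? '');
    if ($sent === '' || !hash_equals($_SESSION['csrf_token'] ?? '', $sent)) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
    $stmt = $db->prepare('UPDATE page_content SET header = :h, body = :b WHERE slug = :s');
    $stmt->execute([
        ':h' => (string) ($_POST['header'] ?? ''),
        ':b' => (string) ($_POST['body'] ?? ''),
        ':s' => $slug,
    ]);
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);   // redirect after POST
    exit;
}

$stmt = $db->prepare('SELECT header, body FROM page_content WHERE slug = :s');
$stmt->execute([':s' => $slug]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Escape on output in both branches: the same stored text becomes HTML for visitors
// and attribute / textarea content for the admin.
$e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

if (!isAdmin()) {
    // Visitor view: plain page.
    echo '<h1>' . $e($row['header']) . '</h1>';
    echo '<p>' . $e($row['body']) . '</p>';
} else {
    // Admin view: the same content rendered as input boxes with an UPDATE button.
    echo '<form method="post">';
    echo '<input type="hidden" name="csrf_token" value="' . $e($_SESSION['csrf_token']) . '">';
    echo '<input name="header" value="' . $e($row['header']) . '">';
    echo '<textarea name="body">' . $e($row['body']) . '</textarea>';
    echo '<button type="submit">UPDATE</button>';
    echo '</form>';
}
```

The point the example makes about the "combined" design: merging the admin view into the public page changes nothing about how the session is validated, but it does mean the admin is authenticated on the same origin they browse as a normal user, so the update endpoint needs its own server-side session check and a CSRF token, not just a hidden form. What the client controls is only the session ID it presents, which is why session_regenerate_id() is called at login; the values inside $_SESSION never leave the server.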