Site security, am I doing it right?
#1

[eluser]cdonate[/eluser]
Hi guys.

I am coding a web site for a personal project and I need a master user that can access one function/model/view in particular.

He will be the first row in my database with an ID = 1, ID as primary key and auto increment.

Is the code below a good practice? Should I do something more or something different?

Code:
<?php

class Login extends CI_Controller {

    function __construct()
    {
        // Call the parent Controller constructor
        parent::__construct();
        // CodeIgniter's session library replaces native PHP sessions (no session_start() needed);
        // load it, and the URL helper that provides redirect(), unless both are autoloaded
        $this->load->library('session');
        $this->load->helper('url');
    }

    function index()
    {
        $this->load->view('login_view');
    }

    /* Function that validates the credentials and checks whether the user is the administrator */
    function validate_credentials()
    {
        $this->load->library('form_validation');
        $this->form_validation->set_rules('username', 'Login', 'required');
        $this->form_validation->set_rules('password', 'Password', 'required|min_length[4]');

        if ($this->form_validation->run() === TRUE) {
            $this->load->model('membership_model'); // Model that handles DB access to validate the credentials
            $query = $this->membership_model->validate($this->input->post('username'), $this->input->post('password')); // Validation function

            if ($query) { // If the credentials were validated

                /* Build an array with the username and mark the session as started */
                $data = array(
                    'username'     => $this->input->post('username'),
                    'ID'           => $query->id,
                    'is_logged_in' => TRUE
                );

                /* Start the session with the username */
                $this->session->set_userdata($data);

                if ($this->session->userdata('ID') == 1) {
                    redirect('admin_view');
                }
                if ($query->is_active == 0) {
                    redirect('activationNeeded_view');
                }
                if ($query->is_finished == 1) {
                    redirect('cadastroFeito_view');
                }
                $this->load->view('escolha2');

            } else {
                // Credentials rejected: show the login form again
                $this->load->view('login_view');
            }

        } else {
            $this->load->view('login_view');
        }
    }
}

I check whether the data in the login form exists; if so, I put the ID in the session. I do one if statement to see if the ID is equal to "1"; if that is the case, I just redirect to the administrator function that loads the admin_model and admin_view.

Inside my administrator function I placed this:

Code:
if($this->session->userdata('ID') != 1 ){redirect('login');}

Is that enough? Can anyone change the ID field in the cookie? If so, how should I approach this problem?

My administrator function is set like this:

Code:
function _administrator($sort_by = 'id', $sort_order = 'asc', $offset = 0){

Thanks for any help!
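The question "can anyone change the ID field in the cookie?" is what the following added example is about. It is not code from the original post or from CodeIgniter, and it runs as plain PHP with no framework; SERVER_SECRET, the $users array and the two users in it are constructed for illustration. It contrasts an unsigned cookie (which a browser can rewrite so that `ID == 1` passes) with an HMAC-signed cookie that is rejected after the same edit, and then makes the admin decision from the server-side user record instead of from a magic ID carried by the client. CodeIgniter's own cookie session appends a keyed hash derived from `$config['encryption_key']` for the same reason, so that key should be long and random, and the role check on every admin request should still consult the database rather than trust a number the browser sent back.

```php
<?php
// Added example, not code from the original post or from CodeIgniter.
// Plain PHP (no framework); run with `php cookie_demo.php`.
// SERVER_SECRET and the $users table are constructed for illustration.

const SERVER_SECRET = 'replace-with-32-plus-random-bytes-from-config'; // hypothetical

// Constructed stand-in for the membership table (hypothetical).
$users = [
    1 => ['username' => 'master', 'is_admin' => true],
    2 => ['username' => 'alice',  'is_admin' => false],
];

// --- 1. Unsigned cookie: whatever the browser sends back is trusted -------
function naive_cookie(array $data): string {
    return base64_encode(json_encode($data));
}
function naive_read(string $cookie): array {
    return json_decode(base64_decode($cookie), true);
}

// --- 2. Signed cookie: an HMAC over the payload detects edits -------------
function signed_cookie(array $data, string $secret): string {
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}
function signed_read(string $cookie, string $secret): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                        // tampered or forged
    }
    return json_decode(base64_decode($payload), true);
}

// --- 3. Authorisation from the server-side record, not from a magic ID ----
function is_admin(array $users, int $id): bool {
    return isset($users[$id]) && $users[$id]['is_admin'] === true;
}

// Alice (ID 2) logs in; this is the array the login controller would store.
$aliceSession = ['username' => 'alice', 'ID' => 2, 'is_logged_in' => true];
// What Alice writes into her own cookie to claim the master account.
$forgedData   = ['username' => 'alice', 'ID' => 1, 'is_logged_in' => true];

// Unsigned: the edited cookie is read back as-is and `ID == 1` passes.
$read = naive_read(naive_cookie($forgedData));
printf("unsigned cookie: ID=%d, `ID == 1` check says admin=%s\n",
       $read['ID'], $read['ID'] == 1 ? 'yes' : 'no');

// Signed: the same edit changes the payload but not the MAC, so it is rejected.
$genuine = signed_cookie($aliceSession, SERVER_SECRET);
[, $oldMac] = explode('.', $genuine, 2);
$tampered = base64_encode(json_encode($forgedData)) . '.' . $oldMac;
printf("signed cookie, genuine:  %s\n",
       signed_read($genuine, SERVER_SECRET) !== null ? 'accepted' : 'rejected');
printf("signed cookie, tampered: %s\n",
       signed_read($tampered, SERVER_SECRET) !== null ? 'accepted' : 'rejected');

// Even with a valid cookie, decide admin access from the database row.
$session = signed_read($genuine, SERVER_SECRET);
printf("server-side role check for ID=%d: admin=%s\n",
       $session['ID'], is_admin($users, (int) $session['ID']) ? 'yes' : 'no');
```

The point of the last step is that `ID == 1` is an authorisation rule hidden in a number the client can influence; an `is_admin` (or role) column on the user row, re-read on each request to the administrator function, keeps the decision on the server and keeps working if the master account is ever recreated with a different ID.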
