Re: Web Security

If you want to learn by example, check out the geeklog application ...
there are several like it, but geeklog prides itself on security. It is a
full functioning website/newssite/pollsite all driven with, in this case,
MySQL... but it would be pretty easy to apply what it's doing to
PostGreSQL. It also uses PHP, which I'm not sure if you're using. But,
anyway, it has basically, all the features you mentioned (Admin section,
way to do passwords, set up users, have users do some things, have even
others who aren't admin, but can do specific things...)

http://geeklog.newsgeeks.com

Steve

On Tue, 27 Feb 2001, Paul Joseph McGee wrote:

> Hi everybody,
> I am trying to implement a website where users may login and view
> available properties. Basically it is an online auctioneering site which
> is my final year project. I want to be able as SysAdmin to log in
> myself
> and modify, add properties, upload images etc. At the moment I am toying
> with letting
> both users and SysAdmin log in from the same authentication window. The
> properties are all saved in a PostgreSQL database on my machine here. I
> have created a user <webadmin> who has insert, update, select and delete
> priveleges
> on all tables in my database. This user is unable to create databases or
> users. When the SysAdmin logs in he will have a page where he can modify
> houses etc, while when an ordinary user logs in he will have the basic
> window where he can search for houses. At the moment I have it such that
> both users and SysAdmin when connected are connected as webadmin. I dont
> think this is a very secure method but its all i can think of at the
> moment. I'm also not sure how to kep the SysAdmin's page secure from
> everybody else. At the moment all my pages are in a
> /usr/local/apache/htdocs/project/ directory. Does anybody have an idea how
> i could make this implementation more secure and functional.
> Thanks,
> Paul
>