Quote:
|
But surely a 403 error would show the file DOES exist, which I would think would make it easier for any script kiddies to try and start doing things.
|
Then I have a question: how do you verify a login then? A user needs to access a page and verify with a valid username/password. If that user, being admin or kiddie, gets a 404 when they try to access that page, the login sequence is lost.
Or is it on the other admin pages (appmain.php) that you do this, i.e.:
PHP Code:
session_start();                      // $_SESSION is only populated after the session is started
if (empty($_SESSION['username'])) {   // empty() avoids a notice when the key was never set
    header('HTTP/1.0 404 Not Found'); // "Not Found" is the standard reason phrase for 404
    exit;
}
so you would have to have logged in in order to even access the other pages.
Once you start giving other users access to view the things in your database, you need a way to determine if their action is valid due to their admin status or not. In that regard I'd rather start the design phase with implementing the handling of an invalid attempt, that being whether it's a needed functionality at this stage or not.
Quote:
|
It's not just passwords I want advice about; any small exploits that you can see and how to correct them.
|
For later use, once you start expanding, I'd place the mysql connection in a separate file or function, so you'd only need to call that when you want to fetch/add something to your database.
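One way to lay this out, as an added example that is not the poster's code and not taken from this thread: the login page is the single page reachable without a session, every other admin page includes a guard that answers 404 when no session exists, and the database connection lives in one function. The hostname, credentials, database name and the `users(username, pw_hash)` table are assumed placeholders; the password column is assumed to hold `password_hash()` output.

```php
<?php
// ---- db.php: the one place the database connection is opened ----
// Host, credentials and database name are placeholders (assumption).
function db(): mysqli
{
    static $conn = null;
    if ($conn === null) {
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $conn = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
        $conn->set_charset('utf8mb4');
    }
    return $conn;
}

// ---- auth_guard.php: included at the top of every admin page ----
// A visitor without a valid session gets the same 404 an unknown URL would,
// so the page's existence is not revealed by a 403.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['username'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}

// ---- login.php: the only page that answers 200 without a session ----
// Assumed schema: users(username VARCHAR, pw_hash VARCHAR), pw_hash from password_hash().
function attempt_login(string $username, string $password): bool
{
    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = db()->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // Verify against a real dummy hash when the user is unknown, so an unknown
    // username and a wrong password take about the same time to reject.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    $hash = $row['pw_hash'] ?? $dummy;
    if ($row === null || !password_verify($password, $hash)) {
        return false;
    }

    // Fresh session id after a successful login, then mark the session.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    return true;
}

// Request handling for login.php (assumed form fields "username" and "password").
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = attempt_login($_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($ok) {
        header('Location: appmain.php');
        exit;
    }
    // A failed attempt shows the same form again with a generic message,
    // without saying whether the username or the password was wrong.
}
```

An admin page such as appmain.php would then start with `require_once 'auth_guard.php'; require_login();` before any HTML or query, and call `db()` only where it actually needs the database. Because login.php itself is never guarded, the login sequence still works; only the pages behind it disappear for anyone without a session.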