Security can play a vastly important part in the existence and success of a website. Depending on the number of permissions at stake, properly managed users and permissions can be the difference between a well-managed website and one which could be entirely defaced by a disgruntled user or attacker.
There are many methods of authenticating a user. The most common is likely the simple username and password, but two-factor authentication is becoming more widely available and more important. A set of rules should be followed when managing this kind of data: it must be handled with care, and passwords must be stored hashed so that no user's password is at risk of being leaked.
One method used to authenticate users with reporter status is a column on the users table called “verifiedReporter”. This is a tinyint(1) which stores either ‘0’ (not a verified reporter) or ‘1’ (verified reporter), and it allows administrators to ensure that only verified reporters may access the page post.php. The page is developed to check the user's session and look up whether the account ID they are logged in with has a ‘1’ in the verifiedReporter field; if they meet this requirement, they are presented with the post.php page. Additionally, a function has been developed which checks the level of authorisation a user should have based on whether they are logged out, logged in, or logged in as a verified reporter.
Each level of user is presented with a different header menu. Members with verifiedReporter permissions have a menu which links to the post.php page. Because other users are never shown that link, regular users are less likely to be able to map areas of the website they otherwise would not (and should not) be able to see, further increasing security.
Other security features include the use of prepared statements. Prepared statements are a great way to reduce and remove the threat of SQL injection. SQL injection usually involves, but is not limited to, a malicious user who wishes to inflict damage or harm on a system by sending unexpected queries to an SQL server; this can be done with ease in environments which do not sanitise their database inputs. The easiest and best way to avoid SQL injection is to make use of PHP prepared statements: instead of immediately executing queries built on the spot, they obtain a template from the hard-coded query and take the inputs as parameters, which are sent to the database to run only as expected. Prepared statements are incredibly useful and should be used everywhere applicable.

Additional features have been added to the post.php page to allow reporters to add style to their posts. The desired look is translated into HTML, which is inserted into the database and displayed with the desired markup on the viewing page.
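The session check, the three-level authorisation function and the prepared-statement lookup described above, as an added PHP example that is not the site's own code: it assumes a PDO connection `$pdo`, the `users` table with `id` and `verifiedReporter` columns, and a session key named `user_id`.

```php
<?php
// Added example, not the site's own code. Assumes a PDO connection $pdo and the
// `users` table described above, with columns `id` and `verifiedReporter` (tinyint(1)).
// The session key 'user_id' is an assumed name.
declare(strict_types=1);
const LEVEL_LOGGED_OUT = 0;
const LEVEL_LOGGED_IN  = 1;
const LEVEL_REPORTER   = 2;

/**
 * Determine the authorisation level of the current visitor.
 * The lookup is a prepared statement: the session value is bound as a
 * parameter instead of being concatenated into the SQL text.
 */
function authorisationLevel(PDO $pdo, array $session): int
{
    if (!isset($session['user_id'])) {
        return LEVEL_LOGGED_OUT;
    }
    $stmt = $pdo->prepare('SELECT verifiedReporter FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return LEVEL_LOGGED_OUT; // session points at an account that no longer exists
    }
    return ((int) $row['verifiedReporter'] === 1) ? LEVEL_REPORTER : LEVEL_LOGGED_IN;
}

/** Gate for post.php: anyone below verified-reporter level is refused. */
function requireReporter(PDO $pdo, array $session): void
{
    if (authorisationLevel($pdo, $session) !== LEVEL_REPORTER) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/** Header menu per level; only verified reporters see the post.php link. */
function headerMenu(int $level): array
{
    $menu = ['index.php' => 'Home'];
    $menu[$level >= LEVEL_LOGGED_IN ? 'logout.php' : 'login.php'] =
        $level >= LEVEL_LOGGED_IN ? 'Log out' : 'Log in';
    if ($level === LEVEL_REPORTER) {
        $menu['post.php'] = 'New post';
    }
    return $menu;
}
// At the top of post.php, after session_start(): requireReporter($pdo, $_SESSION);
```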
word count: 482