
Administration and security with a php-mysql based website

My question is a general one because I lack a whole picture of what I should do!

I am developing a website containing a member area. Each user registers through a login and a password and can access forms that allow them to edit and update their personal page. Non-registered users can access a little search engine to find users' personal pages based on some characteristics.

This website is developed in PHP and is now hosted on localhost with XAMPP.

My question is about administration and security.

The administration of the website will require to delete and update data published by users on their personal page.

So now in localhost I just go through phpMyAdmin to modify these tables.

- Can I just do the same when the website is online?

- Is the use of an admin part meant to make it quicker than getting into the tables through phpMyAdmin? The passwords of the users are encrypted to prevent their use in case the data is stolen, so anyway I can't use their login and password to connect to their personal pages to delete data in case they don't respect the website rules?

Concerning security, is there a need to protect files with an .htaccess with the type of website I am describing?

I secured the PHP scripts against the main security breaches (XSS, SQL injection, CSRF, upload) but I don't completely understand what else should be done when the website goes online.

For example there is a password for mysql to connect to the database: this password is stored in the 'databse.php' like this

    $db = new Database('login', 'password', 'website'); 

What is the use of this password when the website is on a server? Can someone other than the administrator access the files on the server?

As you can see, my questions are a bit confused because my picture of administration and security is not clear when it comes to jumping from the world of localhost to the world wide web!

Thanks for your help.

I think it's great what you're doing, but I would recommend improving your PHP by using an existing CMS. Drupal would be a grand choice for such a site described as yours :)

If you are still interested in pursuing this, then look into sessions - that's where you'll want to start (user rights per page).
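As an added illustration of the "sessions, user rights per page" advice in this answer (example code written for this page, not taken from the answer or from any framework), here is a minimal PHP session layer with a member role and an admin role. It assumes a `users` table with `id` and `role` columns and a login page at `/login.php`; both names are assumptions for the example.

```php
<?php
// Added example: session-based access control for a member area plus an
// admin role. Assumes users have an integer id and a role of 'member' or
// 'admin' (assumed schema), and that /login.php exists (assumed path).
declare(strict_types=1);

session_start();

// Call this after the password has been verified (password_verify()).
function log_user_in(int $userId, string $role): void
{
    // Issue a fresh session id on privilege change to defeat session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['role']    = $role;
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Put this at the top of every page that needs a logged-in member.
function require_login(): int
{
    $id = current_user_id();
    if ($id === null) {
        header('Location: /login.php', true, 302);
        exit;
    }
    return $id;
}

// Put this at the top of admin-only pages, e.g. the page that deletes
// content published by users, instead of editing rows in phpMyAdmin.
function require_admin(): void
{
    require_login();
    if (($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Check rights on the object, not only on the page: a member may edit only
// their own personal page, an admin may edit anyone's.
function can_edit_page(int $pageOwnerId): bool
{
    $id = current_user_id();
    if ($id === null) {
        return false;
    }
    return $id === $pageOwnerId || ($_SESSION['role'] ?? '') === 'admin';
}

function log_user_out(): void
{
    $_SESSION = [];
    session_destroy();
}
```

The admin never needs a user's password: `require_admin()` plus `can_edit_page()` gives the admin account the right to delete or update any user's content through the site's own forms, which answers the question about not being able to log in as the user.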

Can I just do the same when the website will be online?

Yep. In your local phpMyAdmin folder, find the file config.inc.php and change the line $cfg['Servers'][$i]['host'] = 'localhost'; where it says localhost to your live MySQL server address.

  1. .htaccess is very much needed according to the nature of your website; you can block directory listing in it, etc., and your htaccess file can give protection against execution of malicious files.
  2. try to use an algorithm for passwords, i.e. sha256 with salt, or hash the password.

Security must be there because vulnerabilities make your site a mess.
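To make point 2 of this answer, and the question's `database.php` credentials, concrete, here is an added example (written for this page, not code from the answer or from the asker's site). It uses PHP's built-in `password_hash()` / `password_verify()`, which generate and store a random salt for you, and loads the MySQL credentials from a file one level above the web root; the `../config/db.php` path and the `users` table columns are assumptions for the example.

```php
<?php
// Added example: salted password hashing with PHP's built-in functions, and
// database credentials kept outside the directory Apache serves.
// Assumed: ../config/db.php returns ['dsn' => ..., 'user' => ..., 'pass' => ...]
// and a users table with columns id, username, password_hash.
declare(strict_types=1);

// 1. Credentials live above htdocs, so a misconfiguration that serves .php
//    files as text exposes nothing that is inside the web root.
$config = require __DIR__ . '/../config/db.php';
$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// 2. Registration: store only the hash. password_hash() picks a random salt
//    and embeds it, together with the algorithm and cost, in the returned string.
function register_user(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// 3. Login: password_verify() reads the salt back out of the stored hash.
//    Returns the user id on success, null on failure (same answer for an
//    unknown username and a wrong password, so nothing is leaked).
function check_login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Transparently upgrade old hashes when PHP's default algorithm or cost changes.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), (int) $row['id']]);
    }
    return (int) $row['id'];
}
```

On the live server the MySQL password matters because anything that can read files on that host (another account on shared hosting, a path-traversal bug, a backup left in the web root) can read it; keeping the file above the document root and giving the MySQL user only the rights it needs on the `website` database limits the damage. For the directory-listing point, `Options -Indexes` in .htaccess is the directive that turns listing off.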
