[WIP] Web Panel / Web Admin: Permission Based Web Admin to Change/View Database Values

Web Admin: Change Database Values with Permissions Using Essentialmode.

Zua’s Webpanel / Webadmin is a resource that allows users and admins to easily changes specific persons’ database values.

Installation

Watch the Youtube Video for Step-by-Step Setup


  1. Download Here.
  2. Deploy the files in your webserver or put them in your htdocs folder if you are using apache
  3. Add a new column in your database called 'password' (varchar 50, default: 'password')

    I didn’t make an SQL script for it because I didn’t want to learn how to, (use https://www.heidisql.com)

Configuration

inc/config.php

<?php
/* Change the Database Values to your Database */
////////// CONFIG ////////////
$title = "Webpanel";
//DB CONFIG//
$dbServername= "localhost";
$dbUsername = "root";
$dbPassowrd = "";
$dbName = "essentialmode";
////////////
$ServerLogo = "img/logo.png";
// This is the permission level in the db where admins have to have a greater value to access admin.
$perm_levelForAdmin = 3;

Features

  • Anyone that has a permission level of less than 3 can only see their own stats (user).
  • Anyone that has a permission level greater than 3 can edit db values easily (admin).
  • Toggleable Users Table (admin).
  • Materialized Design (modern).
Screenshots



!

Demo

https://www.youtube.com/watch?v=q--ATB9La2Y

Please note that I have not tested for SQL injections w/ or w/o SSL so be careful and set it up correctly.

2 Likes

Looks very clean! Keep it up!

1 Like

Plaintext password storage ?
Pretty sure it’s vulnerable to SQL injection. (var from $_POST, injected to a SELECT query, without any protection)

1 Like

Just from a quick glance on my phone, I can see this has a ton of security vulnerabilities. The user logging in could drop tables whenever they want with the correct SQL query.

Edit: Now that I am on my computer I can grab you some links to look at. I would strongly recommend using Sign in Through Steam as then you aren’t worrying about passwords or sensitive user information. If you want to see the way I prevented SQL injections (AFIK, currently wanting more people to test it) you can take a look at the functions escapestring and dbquery here. My method isn’t as nice as using PDO but it is easier for large amounts of data processing and should still be secure.

2 Likes

Why would people use this when there is PHPMyAdmin

1 Like

Lots of SQL Injection capabilities here, plus like others said, plaintext password storage is a really, really, really bad idea.

Look into using PDO for prepared SQL statements that will greatly reduced the SQL Injection attack surface. Then, look into hashing for the passwords. Bcrypt is baked into PHP, which would make it somewhat easy to implement. https://thehackernews.com/2014/04/securing-passwords-with-bcrypt-hashing.html?m=1

1 Like

Thank you. I’ll try to implement this and also improve the security, appreciate this.

This is for admins getting access to change table data. I don’t think you can even forward phpmyadmin to others

Why would I want people I only know from the community that worked their way up to admin to have access to the back end of my server so they can fiddle around in PHPMyAdmin and mess up stuff they have no reason to be in.

1 Like

trying to get this working but having some issues https://i.imgur.com/81r4mIv.gifv

it’s a no brainer to not use this till there are security patches. It’s worse than people deleting something from phpmyadmin.

1 Like

He’s right everyone, I’ll be trying to work on enhancing security for this, as of now, try not to use this.

So, how’s it going? Almost a month later, just checking in.

Maybe someone a little more fluent in this type of stuff can chime in if this is possible or not: but add maybe a permission to where someone can only access the whitelist table for adding new users to the whitelist? I know my community, as well as many others, have a group of individuals that do the interviews, training, etc. and would be nice for them to be able to add them instead of always having to wait for an admin.

Hope the other issues get fixed as well!

Your easiest bet would be to use phpMyAdmin and setup a MySQL account that only has access to that specific table. This is very easy to do through phpMyAdmin.

Sorry, but I never went around to actually fix the security issues. maybe in the future I will, but for now; I lost all motivation for this due to the fact that this release is impractical.

Very nice release man :slight_smile:

Most of the SQL Injections can be remediated by using PDO for interfacing with the database. It should be minimal changed to the scripts, but will substantially help with protecting against SQLi. Lots of tutorials out there.

Also I would like to use this panel, however, does not function the sql file unfortunately and unfortunately I do not know how to insert a table manually can someone help me?

I would suggest you not use this in it’s current form. There’s nothing it does that you can’t do with any secure mysql frontend.