#1
In response to "Script Kiddies" with questions
I enjoyed the article titled "Script Kiddies" since I feel I now have personal experience with the subject. I have been learning PHP and HTML for a couple of years now, not long. And by no means do I call myself proficient at either language. I run a small web site for a charter school and I have used PHP running on a server across the country. Teachers fill out simple forms to post homework and newsletters on the site, keeping my FTPs to a minimum. But just the other day, someone found a way to access the teachers' "make data" pages and deleted all the data from the MySQL tables. I don't think they entered mysqladmin with my password, since all the tables and databases were intact; just the data was gone, all of it.

Here is how I think they got access:
1. My web server posts files and folders and I need them to turn off that function. By looking at the URL they can see the string of folders the files reside in and then search the files... now I need to hide the pages at the root... since the "make data" pages are not password protected.
2. One of the teachers may have deleted the files... we do have some new teachers on staff who might try to discredit my efforts and thus reduce their responsibilities.
3. Someone entered script into one of the "make data" pages to delete the data.

Q: What can I do to secure this site?
Q: I have been unable to see the PHP (data from the MySQL db) on Netscape. Why is this?
Q: If I want a login on the initial HTML page to access the "make data" pages, how do I set it up so teachers don't have to log in on each page, just the initial page? Then if an outsider found a "make data" page, they would be directed to log in?

I appreciate all the help I've received. It upsets me to see such wasted talent. This experience for me has been good and bad. I now know I need more security. I even dare to say that posting messages on sites like this can open myself up to future problems. But the good outweighs the bad.
__________________
bow wow!
#2
Re: In response to "Script Kiddies" with questions
I'm not sure how you have set up your website and your database connection, which I presume you use as a backend for your login, but to make sure you don't have to log in on every page, just create a session on the initial login, then on every page check to see if they have the session; if they don't have the session, send them back to the login page. For example:

```php
<?php
session_start(); // This has to be at the start of all your pages.

if (isset($valid_login)) {
    // code goes here
} else {
    header("Location: /login.php");
    exit; // stop here, otherwise the rest of the page is still sent after the redirect
}
?>
```

About your Make pages, I'm not quite sure what you're trying to explain there, but if you're thinking of them getting to the page directly, you can make it so that the page has to be referred to by another page.
#3
And what if they just change the URL to
blah.php?valid_login=1? I use session_is_registered('valid_login'); instead...
#4
Login must be its own page?
I currently don't have a login, since my teachers complain about all the logins they have to go through, i.e. email, Mac server, Win server, webmail, etc., and now I tell them they need yet another login, and all the user names are different... anyway, tough luck, they can change them down the road.

Seems to me they need a login screen that begins a session; the session is passed to each of their make pages... when should it end? At the end with a logout button? Or can it time out? What if someone slips past the login page? Are they redirected to the login? Please explain the "session_is_registered('valid_login')" script further.

My scripts are all messed up. I have each teacher (14 total) having their own makemath.php, makereading.php, makescience.php, makeletter.php, etc., and so it works ok; each has their own tables in a db. But I feel this is too much work for me. There must be an easier way... to use a session that directs a user with a valid login to a generic makemath.php page and, according to the user login, it goes to their tables; then it's pulled from the db for each teacher's page through a link that calls a viewmath.php page that also uses the session... ugh. The way I did it was a lot of work. If anyone wants to wade into this, please email me and I'll send example code. You'd be doing an elementary charter school a great service. Thanks.
#5
I'll help
I can't say I'm nearly as experienced as some of the PHP coders out there, but I'd be willing to help you out with your problem if you want. My email is stephen@nielson.org.

Ok, now to address your questions; everyone feel free to correct me if I'm wrong, which undoubtedly, as has been shown already, you will, heh. Ok, about slipping past the login: in the script I showed you above, you put that at the top of every page. isset($variable) checks to see if the variable is there, but as has been shown they can change that from the URL, which is why you would use session_is_registered("valid_login"). What this function does is check to see if that variable was registered. Now after it goes through that check you can insert your code there. The else clause is where it redirects if they try to skip past the login. About your question of when it expires: if you leave it unset, the session expires when they close the browser, or in the case of a logout you can destroy the session; if you set it, the session can expire after a certain time. About your makefiles, I still do not know what you are doing in your makefiles, so I don't know the best way to approach it.
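Putting the advice in posts #2, #3 and #5 together, as an added example that is not code from any of the posters: a shared auth.php that every teacher page includes. It keeps the login state in $_SESSION rather than in a registered global, so the valid_login=1 trick in the URL from post #3 cannot work whether or not register_globals is on (session_register() and session_is_registered() were removed in PHP 5.4, so $_SESSION is also what current PHP requires). The teachers table, its columns, the 30-minute idle timeout and the page names are all assumptions; password hashes are taken to have been created with password_hash().

```php
<?php
// auth.php (added example, not code from this thread)
// Include this at the top of login.php, logout.php and every "make data"
// page, before any HTML is sent: header() only works before output.
//
// Login state lives in $_SESSION, which replaces session_register() /
// session_is_registered() (both removed in PHP 5.4). $_SESSION is filled
// only from the server-side session store, so a request for
// makemath.php?valid_login=1 cannot set it, with register_globals on or off.

ini_set('session.use_only_cookies', '1');  // ignore session ids passed in the URL
ini_set('session.cookie_httponly', '1');   // keep the cookie away from page scripts
session_start();

const IDLE_TIMEOUT = 30 * 60;  // assumed policy: a session expires after 30 idle minutes

// Put require_login() at the top of every teacher page. Anyone who reaches
// a make page without a live session is bounced to login.php.
function require_login(): void
{
    $active = isset($_SESSION['teacher_id'], $_SESSION['last_seen'])
        && (time() - $_SESSION['last_seen']) <= IDLE_TIMEOUT;

    if (!$active) {
        logout_teacher();            // clears the session and redirects
    }
    $_SESSION['last_seen'] = time(); // each request extends the session
}

// Called by login.php after the form is posted. Hypothetical table:
// teachers(id, username, password_hash), hashes made with password_hash().
function login_teacher(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM teachers WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;                // same answer for unknown user and wrong password
    }

    session_regenerate_id(true);     // fresh id, so an id handed out before login is useless
    $_SESSION['teacher_id'] = (int) $row['id'];
    $_SESSION['last_seen']  = time();
    return true;
}

// logout.php just calls this; it is also the "session timed out" path.
function logout_teacher(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;                            // without exit the page body would still be sent
}

// login.php, in outline ($db is a PDO connection the page opens itself):
//   require 'auth.php';
//   if ($_SERVER['REQUEST_METHOD'] === 'POST'
//       && login_teacher($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: /makemath.php');
//       exit;
//   }
//   // otherwise print the login form (and "wrong login" if this was a POST)
```

The teachers log in once; every make page then starts with require 'auth.php'; require_login(); and nothing else, which answers the "just the initial page" question from post #1. Expiry is handled both ways post #5 describes: the browser-session cookie is gone when the browser closes, and the last_seen check ends an idle session on the server side, which matters because a cookie left in an open browser on a shared school machine is otherwise valid indefinitely.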
#6
Re: I'll help
Mmm, wouldn't turning register_globals off in php.ini remove that problem? It's common practice now to remove register_globals anyway, since it opens scripts up to hackers if they get hold of variable names. Besides, making that change now would remove later bother after register_globals is completely removed from further PHP distros.
Viewing: Dev Articles Community Forums > Programming > Programming Tools > In response to "Script Kiddies" with questions