0

I have a public website with no database (with static content). I have one admin page, which allows editing the static content. I want to use that page only when the website is on my local computer, but not when it's uploaded to the hosting server.

Is it safe to add a check in the admin page for $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'] to be equal to localhost?

Somnium

1 Answer

3

$_SERVER["HTTP_HOST"] is unsafe, as it relies on the HTTP request - meaning it can be manipulated by the client.

You should implement a basic login system for this (or use Apache's folder protection).

Tom
  • Authorization is what I wanted to avoid. Then probably the best solution will be simply not to upload the admin page to the hosting server. – Somnium Jul 30 '16 at 16:01
  • Correct :) Although you really should check Apache's folder protection, it doesn't even require programming. – Tom Jul 30 '16 at 16:20
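
An added example (not part of the original question or answer) that runs the Host-based check from the question next to a check on the connection's peer address, over constructed requests. The function names and sample values are illustrative, and the peer check assumes no reverse proxy sits in front of PHP.

```php
<?php
declare(strict_types=1);

// Weak: the check from the question. HTTP_HOST is copied from the request's
// Host header, and SERVER_NAME can mirror that header unless Apache is
// configured with UseCanonicalName On and an explicit ServerName.
function isLocalByHost(array $server): bool
{
    $host = strtolower($server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '');
    // Drop an optional ":port" suffix before comparing.
    $host = preg_replace('/:\d+$/', '', $host);
    return $host === 'localhost';
}

// Stronger: REMOTE_ADDR is the peer address of the TCP connection, filled in
// by the web server rather than taken from a request header.
// Assumption: no reverse proxy or load balancer in front of PHP; behind one,
// every request can appear to come from a loopback address.
function isLocalByPeer(array $server): bool
{
    return in_array($server['REMOTE_ADDR'] ?? '', ['127.0.0.1', '::1'], true);
}

// Constructed sample requests (not captured traffic). 203.0.113.25 is a
// documentation-range address standing in for any remote client.
$requests = [
    'developer on own machine' =>
        ['HTTP_HOST' => 'localhost:8080', 'REMOTE_ADDR' => '127.0.0.1'],
    'remote client, Host header says localhost' =>
        ['HTTP_HOST' => 'localhost', 'REMOTE_ADDR' => '203.0.113.25'],
    'remote client, ordinary request' =>
        ['HTTP_HOST' => 'www.example.com', 'REMOTE_ADDR' => '203.0.113.25'],
];

foreach ($requests as $label => $server) {
    printf(
        "%-42s host-check=%-5s peer-check=%s\n",
        $label,
        isLocalByHost($server) ? 'allow' : 'deny',
        isLocalByPeer($server) ? 'allow' : 'deny'
    );
}
```

The second request is the case the answer warns about: the host check allows it while the peer check denies it. Keeping the admin page off the hosting server, or behind authentication as the answer suggests, removes the dependence on either check.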