Securing your site

Submitted by Daniel Hensby

comic from xkcd.com

PHP has a very shallow learning curve; it's free, and anyone can have a go at making a website by following a few tutorials and applying their experience with other languages. However, coding for the web can be a risky business, especially with dynamic websites that take some kind of user (or external) input and use that to get data from a database.

Old-school websites will use an id to get a page's content, e.g. www.example.com/index.php?id=3.

This can lead to a few problems if the id is not sanitised before being added to an SQL query.

How to access your admin account when you've forgotten the password


Submitted by Dalesaurus

I managed to forget my admin password and found quite a few ways to unlock an SS install. I originally thought about poking around the database and changing the hashes myself. After reviewing the Security and password encryption code, I would recommend against doing that. SilverStripe uses salted SHA1 encryption, which is no fun to try and create yourself. Also, you'd have to update multiple tables to get the password changed.

Luckily, the SS Core team has included multiple features for accomplishing this. The options below assume you have access to your webserver to use some PHP code.

Option 1 - Set a Default Admin Login

From: http://doc.silverstripe.com/doku.php?id=security#system_configuration

Add the following to your _config.php:
