Login / Password admin security

I've set up a PHP-driven, MySQL-backed website for a client. I've decided with this project to learn it all myself rather than just package/configure scripts.
The final piece is building a content management system so that they can:
1. login
2. edit/add/delete stuff from the database
A few questions...
first, the directory structure is:
cgi-bin
htdocs
Inside the htdocs are all of the nonsensitive PHP files, which link via include to a PHP file in the cgi-bin that holds all of the MySQL db info. I am under the impression that this file with the login/pass etc. is secure because it's not in the public web folder. Is this necessarily true, or do I have to have it set up a certain way?
When I set up the login/password, I am assuming that I will simply set a cookie in PHP that stores the login/pass and check that against a php script stored in the cgi-bin directory (if it is indeed secure) that is pulling user info from the database, at every page load of the CMS.
Is that as good as it gets, granted that my code itself is as secure as possible? This is going to be storing a store inventory and a user would literally get access to be able to delete the entire thing.
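The following is an added example, not the poster's code, showing the pattern the question is circling: the database credentials stay in a file outside htdocs (which keeps them from being fetched by URL, though the file must still be readable only by the web server's user), passwords are stored as hashes rather than in clear text, and the browser cookie carries only an opaque session id, never the login/pass themselves, with every CMS page calling a login check at the top. The file paths, the table layout, and the in-memory SQLite database (used so the example runs offline; the real site would use the MySQL DSN from the cgi-bin config file) are assumptions for this example.

```php
<?php
// Added example (not the poster's code). Assumed layout:
//   /home/site/cgi-bin/db_config.php   <- outside htdocs, holds DB credentials
//   /home/site/htdocs/admin/*.php      <- each page calls require_login() first
// Uses an in-memory SQLite database via PDO so it runs offline; on the real site
// the DSN and credentials would be read from the cgi-bin config file instead.

declare(strict_types=1);

// --- db_config.php (kept outside the web root) ----------------------------
function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        // Assumption: the real site builds this from the protected config file,
        // e.g. new PDO('mysql:host=localhost;dbname=shop', $user, $pass).
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    }
    return $pdo;
}

// Store only a salted hash of the password, never the password itself.
function create_user(string $username, string $password): void {
    $stmt = db()->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Check a username/password pair against the stored hash; returns the user id or null.
function check_credentials(string $username, string $password): ?int {
    static $dummy_hash = null;
    $dummy_hash ??= password_hash('dummy', PASSWORD_DEFAULT);

    $stmt = db()->prepare('SELECT id, pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Verify against a dummy hash so a missing user takes as long as a bad password.
        password_verify($password, $dummy_hash);
        return null;
    }
    return password_verify($password, $row['pw_hash']) ? (int) $row['id'] : null;
}

// --- session handling: the cookie carries an opaque session id only -------
function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,   // not readable by JavaScript in the page
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // limits cross-site request forgery
    ]);
    session_start();
}

// Log in: on success, rotate the session id and record the user server-side.
function login(string $username, string $password): bool {
    start_secure_session();
    $id = check_credentials($username, $password);
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true);      // new id after login (prevents session fixation)
    $_SESSION['user_id']  = $id;
    $_SESSION['login_at'] = time();
    return true;
}

// Call at the top of every CMS page; anyone not logged in is sent to the login form.
function require_login(int $max_age_seconds = 3600): void {
    start_secure_session();
    if (!isset($_SESSION['user_id']) || time() - $_SESSION['login_at'] > $max_age_seconds) {
        session_unset();
        session_destroy();
        header('Location: /admin/login.php');
        exit;
    }
}

// Small command-line demonstration with a constructed user.
if (PHP_SAPI === 'cli') {
    create_user('owner', 'correct horse battery staple');
    var_dump(login('owner', 'wrong password'));
    var_dump(login('owner', 'correct horse battery staple'));
}
```

The per-page check stays cheap because the credentials are verified once at login; afterwards each request only looks up the server-side session keyed by the cookie's id, so a stolen cookie expires with the session instead of handing over a reusable password, and the `secure`/`httponly` flags matter only if the admin pages are served over HTTPS.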