Skinbase.org

Securing admin pages in a CMS

By georgiek50
869 views 3 replies
craeonics
Member
OP
Lemme think these ones over.

1. "all included files below root" - Would work, though I think there's no real need for it. PHP files are secure enough, since they will always be parsed, unless someone hacks into your FTP.

2. "never send database modifying request in query strings" - I suppose you mean in a URL. Certainly wise.

3. "register_globals off" - Something which should not be necessary if you make sure you initialise all your potentially dangerous variables before use.

4. "special requests via $_POST" - Good. I handle almost all requests via POST. Note that $_POST can be simulated, so always check what's coming in.

5. "password protecting the admin dir" - Another good decision.

Another thing you could do is to check if someone has the correct privileges to do what he or she is planning on doing. Say you have a block of code that deletes something, always check if the user that is trying to delete something is entitled to do so. This of course would require some kind of user system, with login and so on.
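The delete-handler advice in the reply above (accept modifying requests only via POST, validate what comes in because POST can be forged, and confirm the logged-in user is entitled to delete the row) put into one PHP function. This is an added example, not code from the thread; it assumes a PHP session carrying `user_id` and `role`, an existing PDO connection `$db`, and an `articles` table with `id` and `owner_id` columns.

```php
<?php
// Added example (not from the thread). Assumed: $_SESSION has 'user_id' and
// 'role', $db is a PDO connection, and table `articles` has id and owner_id.
session_start();

function deleteArticle(PDO $db, string $method, array $session, array $post): string
{
    // 1. Database-modifying requests are only accepted as POST, never via a
    //    query string in the URL.
    if ($method !== 'POST') {
        return 'Method not allowed';
    }
    // 2. POST data can be forged, so validate it: require a positive integer id.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'Invalid id';
    }
    // 3. A user system is needed for privilege checks: require a login first.
    if (empty($session['user_id'])) {
        return 'Login required';
    }
    // 4. Privilege check before the destructive action: admins may delete any
    //    article, other users only articles they own.
    $stmt = $db->prepare('SELECT owner_id FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $ownerId = $stmt->fetchColumn();
    if ($ownerId === false) {
        return 'Not found';
    }
    $isAdmin = (($session['role'] ?? '') === 'admin');
    if (!$isAdmin && (int)$ownerId !== (int)$session['user_id']) {
        return 'Forbidden';
    }
    // 5. Only now perform the delete, through a prepared statement so the
    //    validated id is bound as a parameter rather than interpolated.
    $del = $db->prepare('DELETE FROM articles WHERE id = :id');
    $del->execute([':id' => $id]);
    return 'Deleted';
}

echo deleteArticle($db, $_SERVER['REQUEST_METHOD'], $_SESSION, $_POST);
```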
Gregor Klevže
Member
I think I saw somewhere a good article about security in PHP. I'll try to find it.
georgiek50
Member
Thanks for all the help guys.