We've all been there before. You spend all this time building a kick-ass, ultra-awesome, super-sweet web application and then you realize you need to build some stupid "administration" module that needs to do the boring, run-of-the-mill things like maintain users, groups, privileges, and so on.
There are several different magnitudes of complexity that can be involved with an administration module, ranging from the full-on set of tables including users, groups, roles, tasks, operations, etc., to a simple IsAdmin column on the users table. Actually, it turns out there's an even simpler way, and Adam P's predecessor discovered and implemented it for their client's fairly large ecommerce website.
    // Any login name containing "**" is treated as an administrator; the marker
    // is then stripped so the rest of the login proceeds with the plain name.
    if (strstr($username, '**')) {
        $admin = 1;
        $username = str_replace('**', '', $username);
        $_SESSION['admin'] = 1;
    } else {
        $admin = 0;
    }
That's right: simply add a double-star ("**") to your name when logging in, and you'd have full admin access, including payment records with complete credit card numbers. While you'd think this issue would be Adam's top priority to fix, it turns out that there were even more pressing issues to address, such as being able to enter "/admin/payments" as the URL's path and see those complete payment records without even logging in.
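For contrast, here is how the same two decisions look when privilege is a stored attribute of the account rather than a string the visitor types into the login form, and when every script under /admin/ checks the session before touching a record. This is an added example written for this article, not the site's code or anything Adam P recovered; the user table, the `authenticate`, `sessionForPrincipal`, `isAdminSession` and `requireAdmin` names, and the sample accounts are all constructed for illustration.

```php
<?php
// Added example, not the site's code. Admin status comes from the stored user
// record and is copied into the session only after a successful password check.
declare(strict_types=1);

// Constructed stand-in for the users table. A real application would run a
// parameterised query here; the hashes are generated at load time so the
// example is self-contained and runs offline.
$USERS = [
    'alice' => ['id' => 1, 'role' => 'admin',    'hash' => password_hash('alice-pass', PASSWORD_DEFAULT)],
    'bob'   => ['id' => 2, 'role' => 'customer', 'hash' => password_hash('bob-pass',   PASSWORD_DEFAULT)],
];

/**
 * Look the account up by exact username and verify the password.
 * Returns the principal (id, username, role) on success, null otherwise.
 * The username is never searched for markers or rewritten: "bob**" is just
 * a name that does not exist, and it fails the same way a wrong password does.
 */
function authenticate(array $users, string $username, string $password): ?array
{
    if (!isset($users[$username])) {
        return null;
    }
    $record = $users[$username];
    if (!password_verify($password, $record['hash'])) {
        return null;
    }
    // The role is read from the record and from nowhere else.
    return ['id' => $record['id'], 'username' => $username, 'role' => $record['role']];
}

/**
 * Build the session contents for an authenticated principal. Kept as a pure
 * function so it can be exercised from the CLI; a web front end would call
 * session_regenerate_id(true) and then assign the result to $_SESSION.
 */
function sessionForPrincipal(array $principal): array
{
    return ['user_id' => $principal['id'], 'role' => $principal['role']];
}

/** True only when the session carries an explicit admin role. */
function isAdminSession(array $session): bool
{
    return ($session['role'] ?? null) === 'admin';
}

/**
 * Guard to call at the top of every script under /admin/, including
 * /admin/payments, before any query runs. An anonymous request has an empty
 * session and is refused here, so the payment records are never reached.
 */
function requireAdmin(array $session): void
{
    if (!isAdminSession($session)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed demonstration; run with `php thisfile.php`.
if (PHP_SAPI === 'cli') {
    foreach ([['bob**', 'bob-pass'], ['bob', 'bob-pass'], ['alice', 'alice-pass'], ['alice', 'nope']] as [$u, $p]) {
        $who = authenticate($USERS, $u, $p);
        printf("%-8s -> %s\n", $u, $who === null ? 'login rejected' : 'role=' . $who['role']);
    }
    // Anonymous visitor on /admin/payments: no session, no role, refused.
    var_dump(isAdminSession([]));
    // Ordinary customer who guessed the URL: also refused.
    var_dump(isAdminSession(sessionForPrincipal(authenticate($USERS, 'bob', 'bob-pass'))));
    // The one account whose stored role is admin.
    var_dump(isAdminSession(sessionForPrincipal(authenticate($USERS, 'alice', 'alice-pass'))));
}
```

Two things carry the weight here. First, nothing about the login form input can change a role; the only path to `role => 'admin'` is a row that already says so, so there is no equivalent of the `**` trick to discover. Second, the authorisation check lives in a guard that every admin script calls before doing any work, which is what closes the unauthenticated /admin/payments path the article describes. Separately, full card numbers sitting in a payments table are a liability regardless of how good the admin check is; a payment processor's token is the usual substitute.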