PHP CMS from scratch

Good point, and this convincingly adds even more weight to the argument that people should think twice before rolling their own CMS.
I disagree TBH, as your own takes you off the radar and therefore not that easy to find via search engine hacking.

Ning's one is awful and how many sites do they populate?
I won't even use a site using it because of the ability of one dev to pretty much do what ever they want from that site.

Two of my recent projects involve migrating web sites away from dead-end bespoke code.
I can see why you're bitter. :cry:

But if someone wants to create one themselves then they just have to look at it from certain security implementations.

That being login.
To me it should have a password and user name; I've seen some CMSs with just a password and then the user set it as banana, I mean yeah, no wonder they got in. Secondly, use PHP's sleep function if they get it wrong, at least a 30 second delay; pretty much say goodbye to brute force attacks, automated ones have just been seriously hampered. Wipe out any data that you don't expect to be in the password.

So if you say a password must have lower and upper case and alphanumeric characters, whack in a regular expression to look for it (I can write one for anyone who needs one). If that's correct, load up a backup password with the name of the password field as something like trees, then a hacker assumes that it is a backup password of tree names when it is in fact a 32-100 alphanumeric, computer-generated password. Again if they get it wrong whack in PHP's sleep function for 30 seconds and kick them to the first login.

Save the attempt and log it as well so you can see how they got past the first one, but escape it in case they whack in special code which wipes your db.

If the second password is correct, save the user name in a session with a token, bye bye session hijacking, then test for the token and user name when they are logged in on all pages on the inside; if it is not correct boot them out to the home page.

Then if you want to set up separate users set them certain privileges; not every user of a CMS should have access to everything. Why does the SEO need access to write articles? Why does the copy writer need access to site tracking? Bear in mind I checked out one CMS last week, or the week before, and it let every user control the entire CMS?
Why?

Only the root user should be able to add users, or view passwords of all users.

Then use the name saved in the session, and in the db set CMS privileges in a table like so, and test against them.

Table ~ User
Food ~ y
User tracking ~ y
Add food products ~ y
Add user ~ n

Then if they go to access the add user page, either delete the link and check the page to see if they have sufficient privileges, or if they go to access the link the first thing the page does is get from the db the add user field from the User table and see if it equals y. If it doesn't, they don't have privileges, so send them to the admin page with a message saying unfortunately you don't have sufficient privileges, log the attempt and send the root user an email telling them that an unauthorized user tried to access the add a new user page.

Then on all the other sections screen the data: only allow certain HTML tags and test to make sure that any opening tags have a closing partner so as not to screw the code up when it gets output to the user, and anything not cleared to be entered is wiped before it gets added, or sent back to alert the said admin that they cannot use that character, do they want to use another?

That way it is as secure as any CMS, if not more secure, and you can then create it to do whatever you want.

If you have intermediate server language knowledge, PHP, ASP whatever, or even beginning knowledge with the will to learn the rest then it's pretty easy to code TBH.

Time consuming slightly, but if you track what all your users do then you can know when an attack attempts to happen, then learn from it and see if your code is up to snuff; and if you limit privileges then only one user can access the parts that really affect the whole CMS, and to get in they must know their username and password and 32-100 alphanumeric character password, which can be sent in an email to them so they don't forget.

But I got hacked and as a result will never rely on code I haven't written again; if I don't know what it does how good is it?
I have no idea, should I be surprised if I get hacked? No.

But relying on updates?
How many ppl have updated to 7, or even from 6, yet you have faith they will update their CMS.
How many security holes are in 6 and 7 that have been fixed with IE 8?
Yet ppl still use it. Mmm....
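The login flow the post above describes (delay on a wrong password, log every attempt with the input escaped, then a user name plus token in the session that every inside page checks) as an added example in PHP. This is not code from the thread; it assumes a PDO connection `$db`, a `users` table with `username`, `password_hash` and `session_token` columns, a `login_attempts` table, and that `session_start()` has already run. Passwords are compared against a `password_hash()` value rather than a plaintext column.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. Assumed schema:
//   users(username, password_hash, session_token)
//   login_attempts(username, success, ip, attempted_at)
// $db is an existing PDO connection; session_start() has already been called.

const FAILED_LOGIN_DELAY_SECONDS = 30;   // the 30 second delay the post suggests
// Policy from the post: lower case, upper case and a digit, alphanumeric only, 8 to 100 chars.
const PASSWORD_POLICY = '/^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])[A-Za-z0-9]{8,100}$/';

function passwordMeetsPolicy(string $password): bool
{
    return preg_match(PASSWORD_POLICY, $password) === 1;
}

function logAttempt(PDO $db, string $username, bool $success): void
{
    // Bound parameters: the submitted name is sent as data, not SQL, so "special
    // code" typed into the field cannot change the query.
    $stmt = $db->prepare(
        'INSERT INTO login_attempts (username, success, ip, attempted_at)
         VALUES (:username, :success, :ip, NOW())'
    );
    $stmt->execute([
        ':username' => mb_substr($username, 0, 64),
        ':success'  => $success ? 1 : 0,
        ':ip'       => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
    ]);
}

function attemptLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, even for an unknown user, so the response time
    // does not reveal which user names exist.
    $hash     = $row['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $verified = password_verify($password, $hash);
    $ok       = ($row !== false) && $verified;
    logAttempt($db, $username, $ok);

    if (!$ok) {
        sleep(FAILED_LOGIN_DELAY_SECONDS);   // slow down the next guess
        return false;
    }

    // Fresh session id plus a random token. The token is also stored server-side,
    // so every inside page can confirm this session was issued by this login.
    session_regenerate_id(true);
    $token = bin2hex(random_bytes(32));
    $upd = $db->prepare('UPDATE users SET session_token = :token WHERE username = :username');
    $upd->execute([':token' => $token, ':username' => $username]);
    $_SESSION['username'] = $username;
    $_SESSION['token']    = $token;
    return true;
}

function requireLogin(PDO $db): void
{
    // First thing on every inside page: user name and token must both be present
    // and the token must match the one recorded at login; otherwise back to the home page.
    $username = $_SESSION['username'] ?? '';
    $token    = $_SESSION['token'] ?? '';
    if ($username !== '' && $token !== '') {
        $stmt = $db->prepare('SELECT session_token FROM users WHERE username = :username');
        $stmt->execute([':username' => $username]);
        $stored = $stmt->fetchColumn();
        if (is_string($stored) && hash_equals($stored, $token)) {
            return;
        }
    }
    session_destroy();
    header('Location: /');
    exit;
}
```

Two points worth knowing before copying the delay: `sleep()` holds a PHP worker for the full 30 seconds, so many parallel wrong guesses can tie up every worker and take the site down for everyone; a per-account failure counter in the database with a lockout or growing delay gives the same brute-force resistance without that cost. The token check above proves the session came from a real login, but what limits cookie theft is `session_regenerate_id()` together with the `HttpOnly` and `Secure` cookie flags set in `session_set_cookie_params()`.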
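The y/n privilege table and the "first thing the page does" check from the post above, as an added PHP example (not code from the thread). It assumes the post's `User` table has a `username` column next to the y/n columns, a `privilege_denials` table for the log, and that `session_start()` and the login check have already run. Column names come from a fixed map, never from the request, so the one place a column name is interpolated into SQL cannot be reached by user input.

```php
<?php
declare(strict_types=1);

// Added example, not the thread's code. Assumed schema, following the post's table:
//   User(username, `Food`, `User tracking`, `Add food products`, `Add user`)  values 'y' / 'n'
//   privilege_denials(username, privilege, ip, denied_at)
// $db is an existing PDO connection to MySQL.

// Request-side key => exact column name. Only these columns can ever be queried.
const PRIVILEGE_COLUMNS = [
    'food'              => 'Food',
    'user_tracking'     => 'User tracking',
    'add_food_products' => 'Add food products',
    'add_user'          => 'Add user',
];

function hasPrivilege(PDO $db, string $username, string $privilege): bool
{
    if (!isset(PRIVILEGE_COLUMNS[$privilege])) {
        // Unknown privilege is a programming error, not a user error: fail closed.
        throw new InvalidArgumentException("Unknown privilege: $privilege");
    }
    // The column name is taken from the constant map above, so interpolating it is safe;
    // the user name is still bound as a parameter.
    $column = PRIVILEGE_COLUMNS[$privilege];
    $stmt = $db->prepare("SELECT `$column` FROM `User` WHERE `username` = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchColumn() === 'y';
}

function logDenial(PDO $db, string $username, string $privilege): void
{
    $stmt = $db->prepare(
        'INSERT INTO privilege_denials (username, privilege, ip, denied_at)
         VALUES (:username, :privilege, :ip, NOW())'
    );
    $stmt->execute([
        ':username'  => $username,
        ':privilege' => $privilege,
        ':ip'        => $_SERVER['REMOTE_ADDR'] ?? 'unknown',
    ]);
}

// Call this before anything else on a restricted page. On failure it logs the
// attempt, emails the root user, and sends the user back to the admin page.
function requirePrivilege(PDO $db, string $privilege, string $rootEmail): void
{
    $username = $_SESSION['username'] ?? '';
    if ($username !== '' && hasPrivilege($db, $username, $privilege)) {
        return;
    }

    logDenial($db, $username, $privilege);
    $body = sprintf(
        "User '%s' tried to access a page requiring the '%s' privilege from %s.",
        $username, $privilege, $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    );
    mail($rootEmail, 'Unauthorized CMS access attempt', $body);

    $_SESSION['flash'] = 'Unfortunately you do not have sufficient privileges.';
    header('Location: /admin.php');   // assumed admin page path
    exit;
}

// Usage at the top of the add-user page (assumed file add_user.php):
//   session_start();
//   requireLogin($db);                                   // from the login example
//   requirePrivilege($db, 'add_user', 'root@example.com'); // assumed root address
```

Deleting the link from the menu, as the post also suggests, is cosmetic; this server-side check is what actually stops a user who types the URL in by hand, which is why it runs before the page renders anything.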
 
Jazajay said:
I disagree TBH, as your own takes you off the radar and therefore not that easy to find via search engine hacking.

Technically that is correct - spot on. BUT, you have to put this into perspective. Building your own because you don't trust the security in CMS platform code is not only swimming against a strong tide of established, mature and secure CMSs, but also suggests a degree of vision-inhibiting paranoia. It's a bit like deciding to build your own car because you're not confident they assemble the braking system correctly at the factory.

I can see why you're bitter. :cry:

Bitter? Hell no! I make a good living from bailing out dead-end bespoke coded sites, as I cruelly put it in an earlier post. I just despair when I see clients led up the wrong path, even though it is good business (for me) when they are.

I have been burned by hacked sites and servers - not my work, but it doesn't make me mistrust anything I haven't written myself. Most of the security problems I encounter were caused by individuals who claimed to know what they were doing, but mysteriously disappeared when things went wrong. With a CMS platform, you have communities and vendors who do not disappear; they have an interest in keeping things clean, tight and working. All you need to do is keep the platform code updated, which is an order of magnitude easier than being a security expert and poring over your own code.

Don't get me wrong, I am a hardened bespoke CMS coder myself, I'm just keeping an open mind and moving forward.

Your security argument makes sense if you already have the knowledge and experience as you do, but this thread was originally about advising a CMS coding rookie. In this context it is crazy to suggest that someone should go off and invest a huge amount of time getting to grips with this when they could use a platform where that work has already been done and proven in the field. I guess it depends if they want to learn something, or get some work done, deliver projects, get paid, etc.

In terms of doing good business, bespoke development - in cases where it is not necessary - will make you more expensive, less competitive, etc. I guess you need to decide if you want to be a purist code poet or a businessman. Maybe you just operate in a truly bespoke arena where your skills have real value?

But relying on updates?
How many ppl have updated to 7, or even from 6, yet you have faith they will update their CMS.
How many security holes are in 6 and 7 that have been fixed with IE 8?
Yet ppl still use it. Mmm....

End users are different to devs. IE is a poor browser, dangerous to use even, and the reasons why people don't update are many and varied. Not relevant to this discussion.
 
I apologize for not getting back to you last night; I decided this will go on for a while with us both saying at the end of it "God, can you believe that guy?"

But sorry, I will so have to disagree.
....only swimming against a strong tide of established, mature and secure CMS...
No it's swimming against the tide of established hackers and established attack sites TBH. 10,000 sites a week get hacked, fact. Why? mainly because of detailed attack vectors and unpatched software.

...vision inhibiting paranoia
Wow, it normally takes ppl a few days to notice that about me, truly impressed, but again it's more of a plus as it pushes you to learn the latest techniques and not rely on others' "secure" code.

It's a bit like deciding to build your own car because you're not confident they assemble the braking system correctly at the factory.
For starters my last accident (don't pick up on the word last, it implies more than one) was actually because my brakes failed TBH, lol, what are the odds you pick that?

But that is not relevant, because when it comes to websites I have the tools and knowledge to build them. Do I have the tools and materials to build a car in my garage? Well, I don't have a garage, but you get the point. No! Now if I did have the tools and equipment to build my own car, do you think I would build my own? God damn right I would. But I don't, unfortunately. :cry:

All you need to do is keep the platform code updated which is an order of magnitude easier than being a security expert and poring over your own code.
Again I'm not saying in every circumstance it isn't; it's about getting the balance right between need and the risk of getting hacked and thus being offline and losing your data.

will make you more expensive, less competitive
Really?
Now lets explore this as you are a CMS coder yourself.
First off you only need to create the code once, and then you can use it again, and again.
So for example you create the hard to beat login script I laid out above, and you create the security test and you create a directory layout. Then when someone comes and says I would like a site and you say would you like a CMS with that, I can supersize your order for an extra 20p if you do?

You copy and paste your directory structure and voilà, you don't need to spend a day getting it right.
Now if you create 3 versions, a business, ecommerce and blog layout, then you have already got the basis for all 3.

If you then have the same tables in a DB, so product, blog, login etc... and save the create table blah, blah blah queries in a txt file, then again you only have to pick and choose and run the query and voilà, you don't have to spend time on creating them.

The hardest bit would be making slight amendments to the insert, update and delete queries, and adding any new features the client wanted. But that's only what, 2-3 hours on top, if that.

And with web design companies charging anything from £3000 to £500 for an ecommerce site, whack it in the middle, say £1500, and you are cheaper than the most expensive and offer features the others who go on code they don't truly understand don't offer. Dev time is negligible if you think about it first. And because you have vision-inhibiting paranoia you spend time learning the latest techniques which the others can't offer until it becomes made available to them by the support team. Again any new features then go through the beta testing and hackers learn quickly areas they can exploit and well, it's then available to any wannabe hacker to take advantage of. Whereas because you are swimming against the tide you've kept yourself up to date and thus can offer the feature without the issue of then having to update your code because every hacker and his dog has read about what one hacker found.

Because yours is created for your clients you are off the radar if you do it correctly.
Maybe you just operate in a truly bespoke arena where your skills have real value?
No I work for who ever wants to pay me, freelancer.
End users are different to devs
Yeah, but devs aren't the only ones paying other devs for work, oh no wait :D, it's the client that suffers. How does a client know when an update has become available if they don't have the devs who built it on call?

So as normally ppl want them as well as devs, trust me, I've got a few mates who like to take advantage of my skills and you should see their eyes when you mention coding, why will they care about updates? I mean if they can still use the net with IE6 or IE7 why upgrade to IE8?

I mean the reason IE6 is still going strong is because big companies don't see the benefits of updating, why? Because IE6 works for browsing the net. So if they don't update their browsers, and they paid once for a company to build their site using whatever CMS, why should they update their CMS? How do they know it needs updating?

Now think of the security consequences of you giving a paying client who has no idea they need to update yet alone where to find them or how to do it, a website?

Custom CMS's should be given out with the site IMO. Sets good web design sites out from the rest, again IMO. And I know some members here do offer custom CMS to their clients as well. :)
 
Bear in mind I could argue that the sky is not blue, I would be right if I did, it's white and it's molecules in the air that make it seem blue, but I do like the fact someone has decided to argue my point, makes my point stand out better. :D
 