dzenan.causevic@xxxxxxxxxx wrote:
I need simple CMS system that I could use as a starting point (to save some
time in setting up the structure) in developing my own CMS. The code
should be simple to understand so that I can easily get on and start
building on it. It would be of great help if it already had features like
statistics, rss feeds, and multi-language support (visitors can click on
the flag at the top of the page and have the pages display the content in
that particular language), but if it doesn't it's okay I would build them.
For example Joomla seems to be too powerful, and pretty difficult to
understand at the coding level in order to customize it to serve my
specific needs.
Does anyone know of any promising open source CMS project that I could use
in this respect?
Thanks,
Dzenan
I have a rather low opinion of most CMS apps out there.
I can't recommend one - but I would recommend whatever you do, if you
are starting from scratch, use the php xml DOMDocument class to build
your pages.
So many of the content management systems out there have XSS exploit
after XSS exploit after XSS exploit.
By using DOMDocument, a script node can not be created unless you create
it in your code, making insertion of XSS code into your site a lot more
difficult.
Also, I highly recommend you use a server that has php hardened by suhosin.
http://www.hardened-php.net/suhosin/
A lot of the exploits (i.e. from sloppiness with globals) that are found
in php apps would not work on servers that are protected by suhosin.
Speaking of globals, there seems to be a bad habit amongst many
developers to overuse them.
I.e. with DOMDocument, they will set their document as a global for use in
functions when what they should do is simply add the document as the
first parameter to the function thus avoiding the need to use a global.
For example -
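function spanText($document, $class, $string) {
    // createElement() does not entity-escape its value argument (a bare "&"
    // triggers a warning), so add the text as a text node instead.
    $span = $document->createElement("span");
    $span->appendChild($document->createTextNode($string));
    $span->setAttribute("class", $class);
    return $span;
}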
If my DOMDocument is, say, $myxhtml - to create a bit of text I want to
apply my red class to -
$someNode = spanText($myxhtml,"red","This string will be in the red span");
Another thing the common CMS tools frequently do - they want a
configuration file that the web server has write permission to that is
parsed as php by almost every page the app displays. Big mistake - if
you want a web interface to change settings, store the settings in a
database table, don't have the web app write them to a file that other
pages include.
Finally, another thing they often do is to have a directory the web
server has write permission to in the web root. Big mistake, you don't
want apache to have write permission to any directories (or files) that
it serves, you want to keep those outside the web root and use php to
grab what needs to be grabbed (i.e. a php wrapper to fetch images that users
have uploaded).
Have fun, but if looking at other apps to figure out how to do things,
just remember that many of the webapps out there are not examples of
good code and remember that most php books are not written by security
gurus (I'm not a security guru, and even I've found insecure practices
in several books).
Unfortunately a lot of jerks exist who want to own your server and use
it to spam the world (or attack other servers).
--
PHP General Mailing List (http://www.php.net/)
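
The wrapper approach mentioned in the reply above (uploads kept outside the web root and fetched through PHP), as an added example that is not part of the original thread. The upload directory path, the `f` query parameter and the function names are assumptions.

```php
<?php
// Added example; UPLOAD_DIR and the "f" parameter are assumptions.
const UPLOAD_DIR = '/srv/app-data/uploads';   // hypothetical, NOT under the web root
const ALLOWED_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

// Map a requested name to a file inside $baseDir, or null if it is unsafe.
function resolveUpload(string $baseDir, string $name): ?string
{
    // Plain file names only: no slashes, no leading dot, no NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() resolves symlinks; the canonical path must stay inside $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function serveUpload(string $name): void
{
    $path = resolveUpload(UPLOAD_DIR, $name);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    // Take the type from the file contents, not from the uploaded name.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($type, ALLOWED_TYPES, true)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');   // stop browsers re-guessing the type
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

$f = $_GET['f'] ?? '';
serveUpload(is_string($f) ? $f : '');
```

The web server account needs only read access to the upload directory for this script; whatever handles the upload itself writes there, and nothing in that directory is ever executed or included.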