Re: Simple open source CMS as a starting point

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for your advice,
Dzenan

> dzenan.causevic@xxxxxxxxxx wrote:
>> I need simple CMS sistem that I could use as a staring point (to save
>> some
>> time in setting up the structure) in developing my own CMS. The code
>> should be simple to understand so that I can easily get on and start
>> building on it. It would be of great help if it already had features
>> like
>> statistics, rss feeds, and multi-language support (visitors can click on
>> the flag at the top of the page and have the pages display the content
>> in
>> that particular language), but if it doesn't it's okay I would build
>> them.
>>
>> For example Joomla seems to be too powerfull, and pretty diffucult to
>> understand at the coding level in order to customize it to serve my
>> specific needs.
>>
>> Does anyone know of any promising open source CMS project that I could
>> use
>> in this respect?
>>
>> Thanks,
>> Dzenan
>>
>>
>
> I have a rather low opinion of most CMS apps out there.
>
> I can't recommend one - but I would recommend whatever you do, if you
> are starting from scratch, use the php xml DOMDocument class to build
> your pages.
>
> So many of the content management systems out there have XSS exploit
> after XSS exploit after XSS exploit.
>
> By using DOMDocument, a script node can not be created unless you create
> it in your code, making insertion of XSS code into your site a lot more
> difficult.
>
> Also, I highly recommend you use a server that has php hardened by
> suhosin.
>
> http://www.hardened-php.net/suhosin/
>
> A lot of the exploits (IE from sloppiness with globals) that are found
> in php apps would not work on servers that are protected by suhosin.
>
> Speaking of globals, there seems to be a bad habit amongst many
> developers to overuse them.
>
> IE with DOMDocument, they will set their document as a global for use in
> functions when what they should do is simply add the document as the
> first parameter to the function thus avoiding the need to use a global.
> For example -
>
> function spanText($document,$class,$string) {
>     $span = $document->createElement("span",$string);
>     $span->setAttribute("class",$class);
>     return($span);
>     }
>
> If my DOMDocument is, say, $myxhtml - to create a bit of text I want to
> apply my red class to -
>
> $someNode = spanText($myxhtml,"red","This string will be in the red
> span");
>
> Another thing the common CMS tools frequently do - they want a
> configuration file that the web server has write permission to that is
> parsed as php by almost every page the app displays. Big mistake - if
> you want a web interface to change settings, store the settings in a
> database table, don't have the web app write them to a file that other
> pages include.
>
> Finally, another thing they often do is to have a directory the web
> server has write permission to in the web root. Big mistake, you don't
> want apache to have write permission to any directories (or files) that
> it serves, you want to keep those outside the web root and use php to
> grab what needs to grabbed (IE a php wrapper to fetch images that users
> have uploaded).
>
> Have fun, but if looking at other apps to figure out how to do things,
> just remember that many of the webapps out there are not examples of
> good code and remember that most php books are not written by security
> gurus (I'm not a security guru, and even I've found insecure practices
> in several books).
>
> Unfortunately a lot of jerks exist who want to own your server and use
> it to spam the world (or attack other servers).
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux