Thanks for your advice, Dzenan

> dzenan.causevic@xxxxxxxxxx wrote:
>> I need a simple CMS system that I could use as a starting point (to save
>> some time in setting up the structure) in developing my own CMS. The code
>> should be simple to understand so that I can easily get on and start
>> building on it. It would be of great help if it already had features
>> like statistics, RSS feeds, and multi-language support (visitors can click on
>> the flag at the top of the page and have the pages display the content
>> in that particular language), but if it doesn't it's okay, I would build
>> them.
>>
>> For example Joomla seems to be too powerful, and pretty difficult to
>> understand at the coding level in order to customize it to serve my
>> specific needs.
>>
>> Does anyone know of any promising open source CMS project that I could
>> use in this respect?
>>
>> Thanks,
>> Dzenan
>>
>
> I have a rather low opinion of most CMS apps out there.
>
> I can't recommend one - but I would recommend whatever you do, if you
> are starting from scratch, use the php xml DOMDocument class to build
> your pages.
>
> So many of the content management systems out there have XSS exploit
> after XSS exploit after XSS exploit.
>
> By using DOMDocument, a script node can not be created unless you create
> it in your code, making insertion of XSS code into your site a lot more
> difficult.
>
> Also, I highly recommend you use a server that has php hardened by
> suhosin.
>
> http://www.hardened-php.net/suhosin/
>
> A lot of the exploits (i.e. from sloppiness with globals) that are found
> in php apps would not work on servers that are protected by suhosin.
>
> Speaking of globals, there seems to be a bad habit amongst many
> developers to overuse them.
>
> I.e. with DOMDocument, they will set their document as a global for use in
> functions when what they should do is simply add the document as the
> first parameter to the function, thus avoiding the need to use a global.
> For example -
>
> // Wrap $string in a <span> carrying the given class; the document is
> // passed in rather than read from a global.
> function spanText($document,$class,$string) {
>     $span = $document->createElement("span",$string);
>     $span->setAttribute("class",$class);
>     return($span);
> }
>
> If my DOMDocument is, say, $myxhtml - to create a bit of text I want to
> apply my red class to -
>
> $someNode = spanText($myxhtml,"red","This string will be in the red span");
>
> Another thing the common CMS tools frequently do - they want a
> configuration file that the web server has write permission to that is
> parsed as php by almost every page the app displays. Big mistake - if
> you want a web interface to change settings, store the settings in a
> database table, don't have the web app write them to a file that other
> pages include.
>
> Finally, another thing they often do is to have a directory the web
> server has write permission to in the web root. Big mistake, you don't
> want apache to have write permission to any directories (or files) that
> it serves, you want to keep those outside the web root and use php to
> grab what needs to be grabbed (i.e. a php wrapper to fetch images that
> users have uploaded).
>
> Have fun, but if looking at other apps to figure out how to do things,
> just remember that many of the webapps out there are not examples of
> good code and remember that most php books are not written by security
> gurus (I'm not a security guru, and even I've found insecure practices
> in several books).
>
> Unfortunately a lot of jerks exist who want to own your server and use
> it to spam the world (or attack other servers).
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
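As an added example (not code from the thread), here is the DOMDocument approach from the reply carried through to a whole page: user-supplied text is attached as a text node, so a <script> inside it can never become an element. It builds on the spanText() idea but uses createTextNode(), because the PHP manual notes that the value argument of createElement() is not escaped; the function names and the sample payload are constructed for this example.

```php
<?php
// Added example, not code from the thread: build the page as a DOM tree so
// that user-supplied text is always a text node and never an element.

// Variant of the spanText() idea from the reply, using createTextNode():
// the PHP manual notes that the $value argument of createElement() is not
// escaped, so an '&' in user text would otherwise break the document.
function spanText(DOMDocument $document, string $class, string $string): DOMElement
{
    $span = $document->createElement('span');
    $span->setAttribute('class', $class);
    $span->appendChild($document->createTextNode($string));
    return $span;
}

// Render a minimal page whose body holds one user-supplied comment.
// The document is passed to helpers as a parameter, never read from a global.
function buildPage(string $title, string $userComment): DOMDocument
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $html = $doc->appendChild($doc->createElement('html'));
    $head = $html->appendChild($doc->createElement('head'));
    $head->appendChild($doc->createElement('title'))
         ->appendChild($doc->createTextNode($title));
    $body = $html->appendChild($doc->createElement('body'));
    $body->appendChild(spanText($doc, 'comment', $userComment));
    return $doc;
}

// Defensive check: the only elements in the tree are the ones our code created,
// so there must be no <script> element no matter what the user typed.
function scriptElementCount(DOMDocument $doc): int
{
    return $doc->getElementsByTagName('script')->length;
}

// Constructed hostile input resembling a stored-XSS attempt.
$payload = '<script>alert(1)</script> & "quotes"';
$doc = buildPage('Demo', $payload);

// saveXML() entity-encodes '<', '>' and '&' inside text nodes, so the
// payload is delivered to the browser as literal text, not markup.
echo $doc->saveXML();
echo 'script elements: ' . scriptElementCount($doc) . PHP_EOL;
```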