Coding a cms

  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

I need a CMS. I had a look round the various OSS CMSs and the first thing I see on the front pages is a list of security fixes....
This doesn't inspire confidence :lol:

I'm also not that keen on completely stripping down the script to fit it into my page designs and I don't like working with other people's code at the best of times.

It's only really got to be a pretty basic cms: news/blog bit, a few pages of content, multi-page articles. I don't think it would be that hard to code from scratch. It will be a great help in improving my PHP skills. I imagine that I would be starting with a basic, generic script and then building up features over time.

My main question is, if I do decide to code this, what are the main security considerations I should have? I am a good boy and know nothing of hacking :)

Any input welcomed. :)
  • _Leo_
  • Proficient
  • Posts: 279
  • Loc: Buenos Aires, Argentina

Post 3+ Months Ago

I have been wondering about it too. At work, I go with my own CMS solution, building the front-end for every project and reusing the back-end.

The question is whether you have to share the administration with other people. If you have to, then what kind of security do you need to keep them from accessing some sections in the back-end?

Will the end user have access to submit information in the site? There you have a new critical point.
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

The idea is to build the CMS for a client and then they can edit / add their own pages. I would prefer to be giving them a fully functioning piece of software and then just have to be there for technical problems afterwards. The end user will have access to content only really. How many problems can this cause if it is all properly secured?

I want to give the client a working system and I don't want to tell them that it needs updating every 2 weeks else they'll get hacked. I'm thinking that once the security updates are made public, the hackers will go to work on out of date versions, because the security holes are freely advertised! :shock:

As a side note, do the updates come as patches or would I have to strip down the code each time?
  • _Leo_
  • Proficient
  • Posts: 279
  • Loc: Buenos Aires, Argentina

Post 3+ Months Ago

Well, it depends on the author of the tool you will be using. Having a FOSS CMS will make your life easier from the development point of view. You can't sell the FOSS, therefore you will be selling the service of keeping the system working. It's cheaper for your customer, but he will be paying by using software under certain risks. These are risks your customer must accept by using FOSS.

On the other hand, he can pay you to build a proprietary CMS from scratch. But it will take a lot of money to finish it with all the features a FOSS CMS already has. And it will take a lot of time and money to make it secure.

The fact that nobody knows about a bug doesn't make the bug just disappear. That's why FOSS is better than a proprietary/closed one.

The secret is choosing a stable version of the software for working, and choosing a good project to work with. I guess PostNuke is much more secure than PHPNuke; although they have the same features, I would use PostNuke.
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

I can handle the RDBMS side without any problem, but I would have to learn about the security side. Is security really that difficult to achieve?

Would I be right in thinking that I wouldn't be wise to try then?
  • tierra
  • Student
  • Posts: 91

Post 3+ Months Ago

Any system that allows for changing config, content or anything else has security problems. Building your own CMS (which is something I've been thinking of for a long time as soon as I get the time) will have the same if not more security problems than any FOSS CMS system. The only reason I'm considering writing my own is because I've got some ideas that NO CMS system has/does that I'd like on my site.

If you really want to still build your own, I suggest finding a good open user management script and building it into your CMS (relieving you of the job of handling security to a good extent).
  • Axe
  • Genius
  • Posts: 5739
  • Loc: Sub-level 28

Post 3+ Months Ago

Personally rtm, I'd go with something like PostNuke, and then develop your own in the background.

That way, you can get an idea how others operate, get to learn their inner workings, and help smooth your own processes.

Most of the CMS security alerts are due to add-ons available (for example, most of the PostNuke problems that have come up have been due to insecurities in the PNphpBB module (a modified version of phpBB which uses the PostNuke userbase), or have been due to users running PostNuke on the root account of the MySQL server (which is stupid with any script)).

It's the same with many CMS scripts out there (except PHP-Nuke, which just plain sucks, heh). A lot of it is not to do with the software itself, but the addons that others create to add functionality to that software.

The CMS coding teams can't account for things that other people haven't written yet :)
  • webmasterbrain
  • Beginner
  • Posts: 51

Post 3+ Months Ago

"PHP and MySQL Web Development" by Luke Welling (no affiliation) would be a good book to get since it uses real life examples whilst teaching you, one of which is building a CMS.
  • diverdan
  • Beginner
  • Posts: 46
  • Loc: Alabama, USA

Post 3+ Months Ago

I built my own CMS (simple stuff that I needed), and I figure as long as I don't make it known it won't get eaten up :) (probably a really bad outlook but anyway...)
  • Axe
  • Genius
  • Posts: 5739
  • Loc: Sub-level 28

Post 3+ Months Ago

webmasterbrain wrote:
"PHP and MySQL Web Development" by Luke Welling

Yup, I agree, a great book... Another good one is the PHP Bible (most of the "Bible" series of books are pretty good - and Amazon has this one right now for a $15 discount and free shipping, can't beat that)...

Secure PHP Development : Building 50 Practical Applications is another good one ($16 off, free shipping, and they do a combo deal with the Luke Welling book webmasterbrain mentioned).
  • _Leo_
  • Proficient
  • Posts: 279
  • Loc: Buenos Aires, Argentina

Post 3+ Months Ago

I recommend you start using PostNuke, and then you will be able to tell if you need your own CMS... I guess.
  • rtm223
  • Mastermind
  • Posts: 1855
  • Loc: Uk

Post 3+ Months Ago

Wow, thanks everyone. I've actually got the O'Reilly book "Web Database Applications with PHP and MySQL", which takes you through building an eCommerce site and seems pretty security-conscious all the way through.

I see what you mean about the modules, Axe - guess when you have so many people working on a project and people adding their own stuff separately, there's gonna be cracks where the modules join.

I think I will be getting a copy of PostNuke (well it's stupid not to - it's free! :)) and have a look at it as well.

I think I should be able to cope with the security as I realised you can split everything down into "this is data in" / "this is data out" for just about everything lol.
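
The "data in" / "data out" split from the last post, sketched in PHP as an added example that is not part of the thread. The `articles` table and the `saveArticle`, `renderArticle` and `e` functions are hypothetical names, and an in-memory SQLite database (requires the pdo_sqlite extension) stands in for the CMS's MySQL server, which should be reached through a dedicated low-privilege account rather than root.

```php
<?php
declare(strict_types=1);

// Constructed demo database; a real CMS would connect to MySQL as a non-root user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL, body TEXT NOT NULL)');

// DATA IN: validate the shape, then pass values as bound parameters,
// never by concatenating them into the SQL string.
function saveArticle(PDO $db, string $title, string $body): int
{
    $title = trim($title);
    if ($title === '' || strlen($title) > 200) {
        throw new InvalidArgumentException('Title must be 1-200 bytes');
    }
    $stmt = $db->prepare('INSERT INTO articles (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// DATA OUT: escape at the moment of output, for the context written to (HTML here).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderArticle(PDO $db, $rawId): string
{
    // The id arrives from the URL as a string; accept only a positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '<p>Not found</p>';
    }
    $stmt = $db->prepare('SELECT title, body FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>Not found</p>';
    }
    return '<h1>' . e($row['title']) . '</h1><div>' . nl2br(e($row['body'])) . '</div>';
}

// Constructed hostile input: a quote that would break concatenated SQL, and a script tag.
$id = saveArticle($db, "Bob's news", "<script>alert(1)</script>\nSecond line");
echo renderArticle($db, (string) $id), "\n"; // stored markup is rendered as inert text
echo renderArticle($db, '1 OR 1=1'), "\n";   // non-integer id never reaches the query
```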

Post Information

  • Total Posts in this topic: 12 posts

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.