1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

How to create Custom PHP CMS?

Discussion in 'PHP' started by hafizahmedraza, Apr 16, 2015.

  1. #1
    Respected members,

    I want to create a custom CMS for an organisation, which may include different sections/categories for their content. Please tell me the way I can create. I am using Cpanel, PHP and MySQL.

    I want to use HTML, XHTML and Ajax in front end and secure database in back end.

    Please guide me. Hopefully this will benefited all other members.

    Regards
     
    hafizahmedraza, Apr 16, 2015 IP
  2. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #2
    My first question is "why"? There are plenty of CMSes out there, which would probably work wonders for your needs. That being said, coding up a basic CMS isn't really that hard - it depends a bit whether you want to do everything yourself, or if you're open to applying ready-made solutions for mundane tasks (uploading files and media management, for instance). The basic needs you'll have to fulfill is a decent admin-page, where the user(s) are able to input new content, edit old content, keep track of changes and updates and manage files. On the front-end, it's basically just about how interactive you want to do it - you can easily make categories, tags, and other means of find just the right content for whomever is visiting.
    As for security, as long as you go with PHP, I suggest using PDO for working with the database, and remember to do parameterized queries (never, ever use user-input directly in SQL-queries - that is bound to come back and bite you in the butt).
    You don't use HTML and XHTML - you pick one over the other (usually HTML) - unless you're actually planning on using XML and math-specific content - then you might just go with XHTML. Ajax is fine, but you should create the page, and make it work without - then you know that the page is working, and you can add ajax on top to make it smoother and have fewer page-loads when users do stuff on the page.
     
    PoPSiCLe, Apr 16, 2015 IP
  3. hafizahmedraza

    hafizahmedraza Active Member

    Messages:
    141
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    71
    #3
    Thanks for your reply.
    Actually, I have to create a site and a senior developer said that "you have to create own CMS, bcz Wordpress or any other will not support you", thatswhy I am thinking to create custom own CMS.
    I would like to create a site like minhaj dot org
     
    hafizahmedraza, Apr 16, 2015 IP
  4. Mrtvac

    Mrtvac Member

    Messages:
    77
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    43
    #4
    Hm...one question. Do you know how to write code? Don't mean PHP, but any programming language code?
    I'm asking this because, if I read well from your question, you're not developer/programmer. And, if you're not, then question isn't how to create CMS but how to learn to code.
    If that's true, then you have plenty of free programming video sessions online which you could look for and try to learn coding.

    If you do know how to code, then my simple answer would be - get some framework and start to code CMS. Easy as that. See what others CMS are doing well and wrong, learn from that, and code to be better then them.

    Regards.
     
    Mrtvac, Apr 16, 2015 IP
  5. NetStar

    NetStar Notable Member

    Messages:
    2,471
    Likes Received:
    541
    Best Answers:
    21
    Trophy Points:
    245
    #5
    By the time you are capable of creating your own CMS you won't have to ask.

    And hopefully by that time you will also realize that you don't have to create your own CMS. The wheel is round and it has been created over and over and over since the beginning of time.
     
    NetStar, Apr 16, 2015 IP
  6. hafizahmedraza

    hafizahmedraza Active Member

    Messages:
    141
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    71
    #6
    I am a beginner in programming, having basic knowledge of OOP.
     
    hafizahmedraza, Apr 16, 2015 IP
  7. stephan2307

    stephan2307 Well-Known Member

    Messages:
    1,277
    Likes Received:
    33
    Best Answers:
    7
    Trophy Points:
    150
    #7
    Right and Wrong.

    There is a support forum online which covers support for wordpress core and all the plugins that are available via wordpress.org

    Premium plugins that you have to purchase usually have superb dedicated support.

    Also instead creating your own CMS you could use WordPress core and then write your own plugin that will add features that you need to WordPress.

    At my work we are only using WordPress and the flexibility of it and the plugins that are available really make it a no brainer.
     
    stephan2307, Apr 17, 2015 IP
  8. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #8
    Okay? That sounds like a very general dismissal of Wordpress, or other ready-made CMS. I wonder what the senior dev meant by that - did he mean the Wordpress.org support isn't very good? In that, he's right, but then you shouldn't need much support - the Wordpress-framework is quite stable, and the documentation is very good. If he's talking about the community, he's plain wrong - the content of Wordpress-based tutorials and functions and plugins and ideas are abundant - a quick Google-search would tell you as much.

    Granted, building your own CMS might be a better solution if you need a lot of very specific functionality, which would mean 10s of plugins - however, that is rarely the case. Also, to build a proper CMS, with good security and well-though-out code, you need to be more than an amateur - not to mention that if you're alone on this project, it's gonna take a lot of time - especially if you're not very good at coding. There's gonna be tons of bugs, and when you remove one of them, 3 new ones are gonna pop up. Trust me on this.

    .As for the webpage you mentioned, minhaj.org, it looks dated, it's not modern in looks at all (it basically looks like a 10-15 year old site), it's not responsive (hence it works like crap on both smaller screens, cellphones and tablets) etc. etc. I wouldn't pay too much attention to how they've done things.

    That page is probably custom-coded, maybe based on some sort of framework, it's hard to know, but what it does wouldn't be hard to replicate in Wordpress - so I dunno what your "senior dev" is blabbering about - sounds to me like he doesn't really know what he's talking about.

    There are plenty of reasons not to use Wordpress, but making a page like that is not one of them.
     
    PoPSiCLe, Apr 17, 2015 IP
  9. hafizahmedraza

    hafizahmedraza Active Member

    Messages:
    141
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    71
    #9
    Bundle of Thanks Sir,

    It means that , for me, Wordpress 'll best rather than to create a new cms. My aim is just to compete minhaj dot org type organizational website for my customer.
    Please guide me, that whether a wordpress theme development suitable for this purpose or something else?
     
    hafizahmedraza, Apr 17, 2015 IP
  10. PoPSiCLe

    PoPSiCLe Illustrious Member

    Messages:
    4,623
    Likes Received:
    725
    Best Answers:
    152
    Trophy Points:
    470
    #10
    Well. Finding a ready-made theme to fit your every need might be difficult. I would suggest putting up a list of requirements (no order to them at first), then do an evaluation of each requirement, putting them in a "must have", "nice to have" and "purely cosmetic fluff" - then try to find something that will cover most, if not all of the "must have". There are literally thousands of ready-made themes out there for Wordpress - quite a lot of them are free, or at least have a free test-version (which might lack some functionality) - finding something to fit your needs shouldn't be impossible, but without having set up a requirements tree, it can be a daunting task.
     
    PoPSiCLe, Apr 17, 2015 IP
  11. hafizahmedraza

    hafizahmedraza Active Member

    Messages:
    141
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    71
    #11
    Wonderful approach. I think SDLC concepts applied here. :)

    Regards
     
    hafizahmedraza, Apr 17, 2015 IP
  12. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,732
    Likes Received:
    1,998
    Best Answers:
    253
    Trophy Points:
    515
    #12
    Contrary to what a lot of people are telling you, I applaud any effort to make a custom system instead of using some crappy off the shelf solution! It means you can customize the data handing to YOUR data instead of shoe-horning your data into a system that was most likely never designed for it. It means you can learn enough about how they work, or more importantly SHOULD work that you can recognize flaws and inefficiencies in other systems and fix them.

    WAY too many people just grab some crappy template from one of the whorehouses like ThemeForest or Template Monster, slap it into some crappy off the shelf CMS like Joomla or Turdpess, sleaze in a bunch of buggy insecure mods/plugins/extensions/whateverTheyAreCallingThemThisWeek without understanding any of the underlying systems... Then wonder why their sites are slow, insecure, and generally end up relegated to "also ran" status unless their content really is "that damned good" -- and to be brutally frank, most site content isn't!

    If you even know the first damned thing about HTML and CSS, much less JavaScript, 99% of templates should absolutely horrify you, and to anyone out there NOT horrified by the rubbish most CMS vomit up and have the giant pair of brass to call a website you most likely have ZERO damned business running or developing websites in the first place! There's a REASON I call people who use things like Turdpress or Joomla, or frameworks like CodeIgnitor, Laravel, bootStrap, YUI, jQuery, Blueprint, or preprocessing nonsense like LESS and SASS "Mouth breathing halfwits"

    Now, that said I do have a general design pattern I like to use when making a custom CMS. What follows here is just a rough breakdown of the methodology I use, recommendations on things to use and things not to use, and some discussion of security topics that many people creating systems in PHP seem to be woefully ignorant of.

    First and foremost is to have a logical directory structure so I don't have to "up-tree" link and to maintain a separation between "content" and "theme" -- just as the HTML and CSS are separation of presentation from content. Having a plan for WHERE you are going to put things can work wonders.

    A rough outline of the directory structure would go something like this:

    / -- root directory would contain all user callable HTML and/or PHP files. Typically when I do this there is only ONE directly user callable file, an index.php that handles ALL CMS request. This allows me to easily integrate each page's theme/template in one place instead of many separate files, handle user logins and sessions from one location resulting in a very strong outer-ring and single entry vector, and so forth.

    /blog -- blog pages if I'm not storing them in SQL

    /downloads -- downloadable files, I usually leave this open so people can browse the downloads directly; oh noes, not thatz!. If you are worried about people browsing the contents of this directory or grabbing files directly from it, what the hell are they doing on your website in the first damned place.

    /images -- Content images; aka anything that goes into a IMG tag. See the comment about leaving this directory in a state that people can still access it directly under /downloads? Yeah, that here too!

    /modules/moduleName -- sub-commands in the system each get their own directory. This allows new functions to be easily added with their own queries subdirectories, fallback markup and style should the current template not support said functions, etc, etc...

    /pages -- Static pages if I'm not storing them in SQL

    /queries/sqlEngineName -- contains subdirectories for each SQL engine I'm supporting. I use something called "named queries" that are loaded as needed from the subdirectories using a .ini style file format. Since I always use PDO this allows me to easily switch between engines as needed as my queries are no longer hardcoded into the functionality. I usually have a seperate db.php for each /sqlEngineName that extends the PDO object to make certain operations that are different between engines able to be tweaked on the fly.

    /scripts -- content related javascripts or common libraries

    /sources -- Common PHP code libraries

    /texts/languageCode -- each languageCode is a two letter language name like "en" which contains the static interface texts for the CMS for each language. This allows one to easily implement different interface languages for things like the admin and moderation controls, error messages and so forth. I'll often make a "texts" singleton that will test to see if it's already loaded a requested text in the current language, if so return it otherwise try to track it down from /texts/en or /modules/moduleName/text/en (switching en for whatever language is currently in use).

    /theme/themeName -- location of the CSS file and any PHP files containing the template.

    /theme/themeName/fonts -- webfonts for the theme (if any)

    /theme/themeName/images -- presentational images specific to the theme

    You get the general idea. Again, separation of things that probably shouldn't be mixed (like template images and content images), separate locations to allow the use of different themes off one system (a must have for any starting CMS), etc, etc...

    I mentioned the use of a single index.php -- the way I like to do it is to have a whitelist of file extensions to allow Apache to serve, so anything not ending in a whitelisted extension is sent to PHP. An .htaccess line for that goes like this:

    RewriteEngine On
    RewriteRule !\.(gif|jpg|png|css|js|html|htm|txt|ico|zip|gz|rar|pdf|xml|wav|mp3|mp4|mpg|flv|swf|mkv|ogg|avi|webm|woff|svg|eot|ttf)$ index.php
    Code (markup):
    Which is handy for easy deployment, though if you care about performance you might want to do a more complete approach by putting the rule into httpd.conf instead.

    Basically that does what I just said -- any file extension not on that list is redirected to index.php in the http root.

    A lot of people will try to pull all sorts of stunts of trying to parse getdata or the URL in the htaccess -- I consider this inefficient and a waste of time when PHP has a perfectly good $_SERVER['REQUEST_URI'] that you can parse. I've got a nice little singleton for handling that. Here: free code, use it if you like.

    final class request {
    	private static $data = [];
    	public static function value($index = 0) {
    		if (count(self::$data) == 0) {
    			$path = trim(str_replace(
    				['\\', '%5C'], /* yes we want %5C literal, not evaluated! */
    				'/', 
    				parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH))
    			), '/');
    			if (strpos($path,'..')) die('Hacking attempt detected!');
    			$path = substr($path, strlen(HTTP_ROOT) - 1);
    			self::$data = empty($path) ? ['introduction'] : explode('/',$path);
    			foreach (self::$data as &$p) $p = urldecode($p);
    		}
    		return isset(self::$data[$index]) ? self::$data[$index] : false;
    	}
    } // class request
    Code (markup):
    Using a singleton with a getter that's also a setter with private scope on the result array prevents code elevations from screwing with the values -- this can be important depending on what you do with any result. I often clean the result even further by stripping anything other than a..z, A..Z, 0..9 and _ from it after doing the urldecode to it. Likewise I have a more robust template function called "bomb" I usually use instead of "die" that is a far prettier in result.

    When it comes to the templating "engine" I always keep in mind that PHP IS a templating engine, so idiotic halfwit nonsense like "Smarty" need not apply. If your front-end developer cannot handle functions, echo and simple logic, they likely have no damned business being a front-end developer. (As plainly evident from the crap vomited up in most template "engines")

    Generally I use a system very similar to the forum software "SMF" where I have a 'index.template.php' containing template_header and template_footer functions that output the elements common to every page and parse the page specific information needed for the headers (META, TITLE, etc). Each sub-function in the CMS can then have it's own "moduleName.template.php" file that is included. If the file exists in the template that is given priority, if it's not found the one in /theme/default will be used, and if that's not found it will look for /modules/moduleName/theme to see if it's there. If it's required and not found, throw an error instead of continuing on.

    I like to maintain a separation of user input and data processing from output. This is akin to MVC's separation concept (a good thing) without the current sick trend of wasting megabytes of code and objects for nothing to proactively shoe-horn an event driven programming paradigm into a language that was NEVER meant to handle it on a user interface that was NEVER meant to work with the concepts. I like the general idea of keeping input/data processing/output isolated from each-other only passing what needs to be passed, but MVC on PHP is a mis-match of monumental proportions which is why it's taken nearly a decade for anyone to come up with anything usable with it -- Generally speaking in the majority of cases MVC on PHP just ends up pointless slow code bloat and making people work harder, not smarter.

    In maintaining that separation one thing I like to do is extend PDOStatement so I can lock it from having further queries run against it. One of PDOstatements most powerful abilities is that once you PDO:: prepare, you can run PDOStatement::execute against that query multiple times with different data sets. "locking out" the ability to run ::execute again lets you pass PDOStatement to the theme without exposing the database where it shouldn't be exposed.

    Which is another area that many systems are incredibly lax, scope. I am a firm believer in isolating the scope of the connection info and the database connection itself, only exposing it to what NEEDS access to it. This is a common failing and another reason why the now deprecated mysql_ functions have to go; on top of the insecure/silly practice of blindly dumping variables into query strings, you have the fact that the connection once established is global in scope, so until you close it, ANY executing code can have access to it.

    Why is that a problem? PHP is FAR too easy to trick into "code elevations" -- while a diligent programmer can avoid it, once you start letting people mod your system with plugins/extensions, or have some future maintainer working with it you run the risk of having it happen... There's also just the simple fact that NONE of us is perfect and mitsake's happen. A multi-layer security isolating the damage that can be done from any point in the system may not prevent hacks, but it can make them far less catastrophic.

    Systems like Wordpress operate on a "one ring" security policy; they have an outer perimeter where ALL security occurs; the problem is that outer wall has several hundred directly callable entry points, and mods/plugins/extensions/whatever can create even bigger gateways to roll that giant wooden horse filled with soldiers through. This gets worse when developers do something REALLY unbelievably stupid like put the sql username, password and hostname into DEFINE, an undeletable global scope storage. That's the equivalent of leaving the master key for every gate and door in your castle on a large post right inside the main gate with a sign saying "here's the keys to the city, have fun!". That's why whenever ANY plugin/extension for Wordpress or other CMS systems has a vulnerability, it automatically means the ENTIRE system is pwned. Which is why TP really deserved that 2008 pwnie for M4ss 0wnage It's the equivalent of building a Maginot line type defense and then not bothering to man it or build a military on the other side of it when surrounded by an aggressive neighbor, then having half your citizenry openly in support of welcoming said neighbor with open arms.

    Note that since that Pwnie award Wordpress HAS made great strides, but it's still chock full of holes and broken methodologies that make me question how anyone would choose it other than ignorance, apathy and wishful thinking. But again, NEVER underestimate the broad mass appeal of ignorance, apathy and wishful thinking; a human weakness religions and governments have been exploiting since Kruk bashed in Orruk's skull with a rock over a difference of opinion over tribal god images on a cave wall painting.

    Multiple ring security worked for medieval castles, it worked for SAC bases in the cold war, it works for security levels in Federal buildings, it works for OS kernels like Linux and BSD, it even works for the levels of hell in Dante's Inferno -- it can work for you! Isolating scope of the database connection variable by creating it in a main() function, only passing it to things that NEED it, keeping it private as much as possible, deleting the connection info when you are done with it, and even writing the file containing the connection info so that it's a function that bombs if main() in index.php isn't what's calling it (this can be done with debug_backtrace) shores up the defenses greatly.

    Hell, I'm so paranoid about scope, I actually do this:

    function safeInclude($file) {
    include($file);
    }
    Code (markup):
    Why? Because if you are inside a function like:

    function main() {
    	$test = 'This is a test';
    	include('test.php');
    }
    Code (markup):
    test.php will have the same scope as the function calling it. If test.php was:

    <?php echo $test; ?>
    Code (markup):
    using main() as listed above will output "this is a test", use safeInclude and the echo will do nothing other than report an attempt to access a variable that's undefined.

    Generally speaking I think there needs to be a include method in PHP that breaks scope, since includes should for security reasons ONLY contain functions... in a similar security minded vein I think include and require should ONLY be able to include files ending in .php, and fopen and readfile should be unable to access .php files. But what do I know, I also want to see PHP shorttags (<?php ?> <?=), nowdoc and heredoc go the way of the dodo! Generally speaking I'm not that wild about double quote parsing either. Thanks to those commands being allowed to do things they NEVER should have been allowed to do in the first place, it's not uncommon practice for shared hosts and the security minded to disable readfile and fopen altogether in the php.ini

    In a LOT of ways PHP is insecure by design, and it's an uphill fight to make it secure.

    In that same way of having multiple rings of security and internal fences, that use of one single index.php that can actually be called via http means you only have one gate to defend. We completely break the concept of multiple entry vectors with that redirect so sub-files being called directly (one fo the biggest flaws in many off the shelf CMS) simply doesn't exist. It's like a 'choke point' that anyone trying to get in the door has to go through. Again, a classic military concept that can allow a handful of soldiers to hold off an army of thousands.

    Even so, another good practice to keep in mind is that library files -- basically anything you call with include or require -- should NEVER output anything if called directly. You never know when your redirect rule might fail due to a server mus-configuration, so wrapping EVERYTHING in functions inside your includes prevents anything from being accidentally "exposed" should someone be able to call them via HTTP directly. It's another "good practice" in scripting languages that many people vomiting up crappy CMS like Joomla and Turdpress never seem to have heard of.

    It's also why I'm NOT a fan of opening and closing PHP willy nilly with <?php and ?> every time you want to output markup/CDATA. IMHO in all but the rarest of cases (like in a non-SQL driven single file per request "poor man's CMS") if you have more than once instance of <?php and ?> in a .php file, you are doing something horribly and terrifyingly WRONG.

    I also find it a pain in the ass to read, YMMV.

    Alright, I'll stop prattling endlessly. I don't know if you'll find any of this useful, but I hope it at least gets you pointed in the right direction and lights the way a little. You follow even half the stuff above, you'll be WAY ahead of anything some crappy off the shelf system like turdpress or Joomla offers.

    Which I'd assume is what you and your "senior developer" are aiming for.

    -- edit -- and apologies for length, there's a reason I can't use Twitter and utterly and completely fail to see the appeal. Generally speaking so far as I'm concerned the TLDR crowd can piss right off!
     
    Last edited: Apr 18, 2015
    deathshadow, Apr 18, 2015 IP
  13. NetStar

    NetStar Notable Member

    Messages:
    2,471
    Likes Received:
    541
    Best Answers:
    21
    Trophy Points:
    245
    #13
    So deathshadows lengthy post probably gave you a great insight on how he develops and from a programmers perspective may not be a bad idea. I skimmed through it and saw a bunch of non relative bs ranting and pointless opinions and opted not to read it since it ultimately does not help the original poster. SO here's my short $.02:

    You can spend and waste a LOT of time rewriting CMS's, Frameworks, Libraries, etc. with the theory of "I can do it better" but the reality is you most likely will not do it better than the collaboration of nerds that put together that frame work that has been tested and tried by thousands of others for years. If you chose to "roll your own" you absolutely will face the same challenges that the existing ones faced a long time ago. To be as productive and efficient as possible it's in your best interest to use an existing CMS or Framework. Otherwise you will spend more time and stress on implementing the dependencies than you will on your actual project.
     
    NetStar, Apr 18, 2015 IP
    ThePHPMaster and PoPSiCLe like this.
  14. Dominic Ceraso

    Dominic Ceraso Member

    Messages:
    52
    Likes Received:
    2
    Best Answers:
    0
    Trophy Points:
    38
    #14
    they must have one heck of a budget for this project. Heck order up an expression engine 2 licnese and mod it - there you go a supported CMS that has ENDLESS possibilities.
     
    Dominic Ceraso, Apr 19, 2015 IP
  15. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,732
    Likes Received:
    1,998
    Best Answers:
    253
    Trophy Points:
    515
    #15
    Assuming there's one that does what you want done, and isn't the equivalent of using a 3 pound lump hammer to drive that square peg into the round hole. Much less assuming you can find one that does things HOW you want things done, one that doesn't need a complete rewrite due to those alleged "thousands" being either fools coasting along on ignorance, apathy and wishful thinking, or just flat out being the classic problem of too many cooks spoiling the stew.

    I have yet to see a off the shelf CMS or framework I'd be comfortable allowing ANYONE to use for a website if they are doing anything more complex than a crappy blog for grandma where it's going to have nobody visit but family and nobody gives a shit about search, accessibility, performance, or even hosting costs. Everything I've seen is pointless bloated crap written by people who generally seem to have no business writing back-end or front-end code! Wordpress, Joomla, Laravel, Codeignitor, Bootstrap, YUI, Blueprint -- they're all pointless bloated rubbish that do the exact opposite of EVERYTHING they claim, and generally piss all over any project involving them.
     
    deathshadow, Apr 20, 2015 IP
  16. Xochitl Shatt

    Xochitl Shatt Greenhorn

    Messages:
    194
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    23
    #16
    The technique applied is actually structured on the ultimate make use of on your undertaking. If you wish some thing which is going to be scaleable as well as adaptable to larger as well as larger levels of make contact with facts and become searchable to produce brand new details towards user within sudden techniques, We would opt for a properly created HTML/CSS/JavaScript/jQuery (Wordpress). That would provide the overall flexibility to also have any CMS program that is certainly seen by simply a wide range (PC, MAC PC, Tablet, Smartphone) without having reinventing this wheel. In addition Managment, entrance stop as well as backend instruments are actually developed. No matter what an individual decided, have fun.
     
    Xochitl Shatt, Apr 20, 2015 IP
  17. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,732
    Likes Received:
    1,998
    Best Answers:
    253
    Trophy Points:
    515
    #17
    @Xochitl Shatt, did you run that through an English to Yoda translator before posting?

    Offered, great advice can be, but understand it, only if people can.
     
    deathshadow, Apr 20, 2015 IP
  18. freelanceDeveloper

    freelanceDeveloper Member

    Messages:
    59
    Likes Received:
    7
    Best Answers:
    0
    Trophy Points:
    43
    #18
    People have this weird idea that creating a website is something available to all...
    And in a way they're right... install wordpress (5 clicks ) , install 2 modules (4 clicks - 2 to download and 2 to activate) and you have 'a website'.
    People who create such sites often don't bother securing directories, mysql privileges, ... and so on ...
    And that's fine, for a month or 2, untill the site is hacked and they end up creating a topic "help, my site is being hacked and I don't know why nor where to start" (been there , done that :) )

    I used wordpress & many other scripts before & I still do ...for what they were originally designed for ... ("unimportant") content sites.
    And for those sites, I will recommend Wordpress for many reasons!
    But, I havn't seen any online banking system running on wordpress ... you ? (if you do please share the link)

    So I (mostly) agree with deathshadow...

    I'm not against them but don't think all plugins were written by nerds & security experts. If such a plugin becomes really popular, be sure the real nerds will take a look at it and (try to) figure out how to hack it :)

    I fear 3rd party "plugins/templates" as much as I fear user input , but I might be paranoid ;)

    So if you want to create your own cms, that's great... learn as much as you can and you will eventually be able to create the ultimate (and unknown to the public -> security through obscurity ) cms system... But as long as you're not 100% comfortable with programming, you'll probably be better off using wordpress or any other open source cms ... No matter what, in the beginning, any established cms will be better than your attempts to create one...

    To get you started : https://www.google.co.uk/search?q=c...&oe=utf-8&gws_rd=cr&ei=9O40VZyOGMqP7AbR3IHgBg

    I would like to quote this as this is exactly what happens to the people who do care & try to make the web a better place
    After several years working on PHP, mySQL, HTML, CSS and Javascript, I needed a break. I've spent way too much time working on other people's stuff, and have been plodding along through complete burnout for the better part of three years.
     
    Last edited: Apr 20, 2015
    freelanceDeveloper, Apr 20, 2015 IP
  19. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,732
    Likes Received:
    1,998
    Best Answers:
    253
    Trophy Points:
    515
    #19
    Quite the opposite, many of these systems (wordpress in particular) reek not only of being FOR people who know nothing about websites, but seem to have been made BY people who know nothing about websites -- so when it comes to plugins, they are usually many, MANY times worse; that's why the majority of known 'holes' that let turdpress' utter and complete lack of internal security be turned into total pwnage comes from those plugins. Just pull up the CVE listing for wordpress to see that in action.

    https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress

    MOST of the vulnerabilities listed are attributed to plugins/mods/whatever.

    Most of these "thousands of nerds" with ALLEGED experience being utterly and completely ignorant of the most basic of rules -- like ID's being unique on a page, fallback families as an accessibility REQUIREMENT, EM's being an accessibility REQUIREMENT, much less the most simple of semantic markup rules, logical document structure, or tags and attributes that have had ZERO business being used on any website written after 1997 like ALIGN, TARGET, CENTER, etc, etc... the laugh being when these ignorant fools then call things like that "personal preferences" as yet another lame excuse to cover up their ignorance or ineptitude.

    The "open source has less bugs" nonsense is often similarly flawed -- when the people using and needing the software are qualified to work on it you have all the security in the world; but when the users and number of contributors outnumber the people qualified to work on it the alleged "more eyes on target' security falls apart miserably. The end result can be decade or more older vulnerabilities that remain unnoticed, unfixed, or end up screwing over large numbers of users en-masse.

    You also have the flaw that in making the software do what you want, you might neuter your upgrade path; see what happened in the early part of the last century with phpBB and the "neverNoSanity" worm where only old versions of the software was effected, but so many people had made changes and mods that prevented upgrading pretty much EVERY phpBB install in actual use was still vulnerable despite the fix being over six months old.

    ... which is why what you said next:

    Isn't wrong -- A healthy dose of paranoia when it comes to web technologies is NEVER a bad thing. Bad things are doing things like ignoring two decade old safety practices for interpreted languages, blindly exposing internal elements to global scope, blindly letting direct calls to sub-files to output anything, and the host of other things that it seems most of the dipshits behind the 'big name' CMS and frameworks seem to be blissfully unaware of -- leaving everyone who uses said systems equally vulnerable.

    It's actually a little shocking we've gone as long as we have the past five or six years without a MAJOR web-wide takedown given some of the holes and bad practices most of these off the shelf systems seem to think is deployable code. Knowing our luck it will correspond with the next dotcom bubble burst just as the string of worms at the early part of the new millennia did.

    That sounds really familiar... OH WAIT...

    Sadly such burnout that I've been dealing with for some time is why most of the really good developers I've known have either thrown up their hands and walked away in disgust, or gone to an early grave; mostly of that disgust stemming from the halfwits morons and fools who ignore specifications, good practices, guidelines and recommendations to sleaze things out any old damned way out of -- as I often borrow from Ike -- apathy, ignorance and wishful thinking.

    Getting a little tired of outliving close personal friends half my age who were absolutely brilliant, and utterly frustrated at the world thanks to the asshat ignorant bullshit like that found posted by certain folks in this thread. The only reason I even bother trying to fight the good fight at this point is in memory of Dan, Aaron, and Bill.
     
    Last edited: Apr 20, 2015
    deathshadow, Apr 20, 2015 IP
  20. freelanceDeveloper

    freelanceDeveloper Member

    Messages:
    59
    Likes Received:
    7
    Best Answers:
    0
    Trophy Points:
    43
    #20
    Which is what I ment :)

    So true lol

    Which is what I'm doing day in day out ... Not saying I'm perfect, but at least I try to be...
     
    freelanceDeveloper, Apr 20, 2015 IP