Web Design Forum: PHP Questions - Web Design Forum

PHP Questions

#1 lee sands

Posted 26 January 2012 - 07:41 PM

Hi all, I am writing my own CMS and I have a few questions.

1. Is it safe to have all globals set in one file, i.e.:
<?php global $var1; global $var2; // etc. ?>

2. Does anyone know where I can learn security in PHP?
3. In phpBB they use
<!-- include site_html.html -->
How do I recreate that?

This post has been edited by lee sands: 26 January 2012 - 07:52 PM

#2 andyl

Posted 26 January 2012 - 08:09 PM

lee sands, on 26 January 2012 - 07:41 PM, said:

Hi all, I am writing my own CMS and I have a few questions.
1. Is it safe to have all globals set in one file, i.e.:
<?php global $var1; global $var2; // etc. ?>


Global variables in PHP are commonly looked upon as bad practice - or lead to poor code. This is a good article on the matter: http://blog.lukemort...l-variables-bad

lee sands, on 26 January 2012 - 07:41 PM, said:

3. In phpBB they use
<!-- include site_html.html -->
How do I recreate that?

In simple PHP you can just use:
<?php @include "site_html.html"; ?>

This post has been edited by andyl: 26 January 2012 - 08:09 PM

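One way to recreate the `<!-- include site_html.html -->` directive from question 3, as an added example that is not part of the original thread and is not phpBB's template engine. The function name `renderTemplate()`, the temporary directory and the template files are constructed for illustration; included files are read as text and confined to one template directory.

```php
<?php
// Added example: the template directory, file names and renderTemplate()
// are constructed for illustration; this is not phpBB's template engine.
function renderTemplate(string $file, string $baseDir, int $depth = 0): string
{
    if ($depth > 5) {
        throw new RuntimeException('includes nested too deeply');
    }
    // Resolve real paths and refuse anything outside the template directory.
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('template directory missing');
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("template not found or not allowed: $file");
    }
    // Read the file as text (it is never executed as PHP), then expand
    // each <!-- include name.html --> directive recursively.
    $html = file_get_contents($path);
    return preg_replace_callback(
        '/<!--\s*include\s+([A-Za-z0-9_.-]+)\s*-->/i',
        function (array $m) use ($baseDir, $depth): string {
            return renderTemplate($m[1], $baseDir, $depth + 1);
        },
        $html
    );
}

// Constructed templates in a temporary directory so the script runs anywhere.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . uniqid();
mkdir($dir);
file_put_contents("$dir/site_html.html", "<div id=\"header\">My CMS</div>\n");
file_put_contents("$dir/page.html", "<!-- include site_html.html -->\n<p>Body</p>\n");

echo renderTemplate('page.html', $dir);
```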

#3 lee sands

Posted 26 January 2012 - 08:11 PM

And what about number 2?
#4 The Web Solution Provider

Posted 26 January 2012 - 08:30 PM

For security you mainly want to look into MySQL injection attacks, and XSS (cross site scripting). The first you can easily get around by escaping your MySQL queries properly. Take a look at php.net for mysql_real_escape_string() or something similar.

With XSS this is usually where someone tries to run some client side script on your page to perform actions. More info: http://en.wikipedia....-site_scripting This can be overcome by mainly escaping outputted JavaScript and making sure that none of your query variables have JS in them when running your pages.

Hope this helps
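The two defences named in this post, as an added example that is not part of the original thread. It swaps in PDO prepared statements for the mysql_real_escape_string() approach mentioned above (the old mysql extension was removed in PHP 7) and uses htmlspecialchars() on output; the in-memory SQLite table, the sample rows and the function names are constructed for illustration.

```php
<?php
// Added example: table, rows and function names are constructed for illustration.
// Assumes the pdo_sqlite extension so the script runs without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)");
$db->exec("INSERT INTO users (name, bio) VALUES ('alice', 'Likes PHP')");
$db->exec("INSERT INTO users (name, bio) VALUES ('bob', '<script>alert(1)</script>')");

// Unsafe: user input is pasted into the SQL text, so it can change the query.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, bio FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is bound as a parameter and is never parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name, bio FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape on output so stored markup is shown as text, not run by the browser.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$input = "nobody' OR '1'='1";   // constructed hostile form value

echo count(findUserUnsafe($db, $input)), " row(s) from the concatenated query\n";
echo count(findUserSafe($db, $input)), " row(s) from the prepared statement\n";

foreach (findUserSafe($db, 'bob') as $row) {
    echo '<p>', e($row['name']), ': ', e($row['bio']), "</p>\n";
}
```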

#5 lee sands

Posted 26 January 2012 - 08:31 PM

OK, any other tips for a CMS and forum?
#6 The Web Solution Provider

Posted 26 January 2012 - 08:34 PM

lee sands, on 26 January 2012 - 08:31 PM, said:

OK, any other tips for a CMS and forum?

Not sure about forums really, I very rarely work on forums. As far as CMS, I would recommend WordPress as it is fairly easy to set up and easy to use for beginners. Stay away from Joomla, it's very complex, heavy and slow.
#7 lee sands

Posted 26 January 2012 - 08:35 PM

I am writing my own, that's why I am asking. Have you got any ideas on my other questions?
#8 The Web Solution Provider

Posted 26 January 2012 - 08:42 PM

<_<

lee sands, on 26 January 2012 - 08:35 PM, said:

I am writing my own, that's why I am asking. Have you got any ideas on my other questions?

The other guy answered those like I would really, global vars are very bad practice these days. You should really be using an MVC architecture. Maybe an open source framework like CodeIgniter or CakePHP. You should definitely be using OOP and splitting your layouts from functionality. Scripting from top to bottom is outdated, slow and not very good for expansion.
#9 FizixRichard

Posted 27 January 2012 - 11:16 AM

I'll have a go.

lee sands, on 26 January 2012 - 07:41 PM, said:

Hi all, I am writing my own CMS and I have a few questions.

Good luck! Seriously, it's a task and a half. Especially the forum you mention later.



lee sands, on 26 January 2012 - 07:41 PM, said:

1. Is it safe to have all globals set in one file, i.e.:
<?php global $var1; global $var2; // etc. ?>

Yes, it's "safe", but you shouldn't do it. Well, actually I might make some people spit bricks, but you can do it. It's considered a bad practice because it can lead to incoherent code or variables being altered and you don't know where or how.

When I was taught OO, a fair few years ago, we were told globals should only be used for data that really is global.

So you can do it, but only if it really is global data. You don't use globals to save passing variables, just to allow easy access to stuff that is global.

In other words, globals are for references to classes and to variables that are a global part of your architecture only. And even then, if you decide to make it global you should argue with yourself over it.

Generally speaking, it's bad though.



lee sands, on 26 January 2012 - 07:41 PM, said:

2. Does anyone know where I can learn security in PHP?


1. Do not store raw passwords in your database, encrypt them with a salt value.
2. Clean all input
3. Sanitise all input
4. Validate all input, even if you think the input will always be the same (i.e. a form dropdown selection)


As someone else has said, SQL Injection attacks and XSS vulnerabilities are the two big ones.


SQL Injection Attacks are where a malicious user enters SQL or other code via inputs (i.e. url or forms) that manipulate your database.

XSS attacks are where a malicious user enters malicious code into your site (i.e. a comment system), which does something bad (i.e. a user adds some JavaScript that steals cookies to a post on your forum, and readers of the post have their cookies stolen).




lee sands, on 26 January 2012 - 07:41 PM, said:

3. In phpBB they use
<!-- include site_html.html -->
How do I recreate that?

Do you mean to include the application backend like this:
require_once(CWD . 'includes/class_something.php');


Or do you mean for your UI templates?

If the latter, I refer you to this thread: http://www.webdesign...plating-system/




Quote

OK, any other tips for a CMS and forum?


You'll be getting into a rather big project. Here are some general tips:


1. Learn Object Orientated PHP, it'll help
2. Learn how to structure your application (see that link, it shows an architecture, partially anyway)
3. Read up on XSS and SQL Injection
4. Learn how to use or create template engines
5. Good luck


Now I wouldn't use an open source framework, i.e. Joomla, Concrete, CodeIgniter etc. I got fed up with them and built my own framework.

I find they are bloated, slow, poorly structured. Build your own, lean! framework and you'll be much happier and learn a lot while you do it.
:)

This post has been edited by FizixRichard: 27 January 2012 - 11:20 AM

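Points 1 and 4 of the security list in this post, as an added example that is not part of the original thread. For password storage it uses PHP's password_hash() and password_verify(), which salt and hash one-way rather than encrypt; the field names, allowed values and sample request data are constructed for illustration.

```php
<?php
// Added example: field names, allowed values and sample input are constructed.

// Store only a salted one-way hash; password_hash() generates the salt itself
// and embeds it in the returned string.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// Validate a dropdown on the server: the browser can send any value,
// so accept only the options the form actually offered.
const ALLOWED_CATEGORIES = ['news', 'blog', 'forum'];

function validateCategory($raw): ?string
{
    return (is_string($raw) && in_array($raw, ALLOWED_CATEGORIES, true)) ? $raw : null;
}

// Validate a numeric id: a whole number of at least 1, nothing else.
function validatePageId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$stored = hashPassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('wrong guess', $stored));

// Constructed request data standing in for $_POST.
$post = ['category' => "forum'; --", 'page' => '12abc'];
var_dump(validateCategory($post['category']));
var_dump(validatePageId($post['page']));
var_dump(validateCategory('forum'), validatePageId('12'));
```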

#10 Sogo7

Posted 27 January 2012 - 02:47 PM

As a suggestion, go and google for a one page CMS system called 'Nuggetz'. The free version is very basic, with much of the work done by the Tiny-MCE editor and simple flat (text) file storage. However, it's a good starting point because at this stage there is not a lot of code involved and you can see how it works.

Tweaking it to support multiple pages and use a database should be within the capabilities of most.