
CMS Security

Posted: Thu Oct 06, 2005 5:29 pm
by <?php echo $php-addict
Hi,

I have constructed a few sites now with cms systems inbuilt for the site admin to add/edit/delete data and images etc.

I am using sessions for login and security around the cms.

What do I need to consider for security of the cms so it can't be hacked or have destructive code etc posted, just all round general security for cms systems?

Thank You

Posted: Wed Oct 12, 2005 5:16 pm
by Belloc
I would use sessions, cookies and even md5() to encrypt the password, that could take some time to break through =)

Posted: Wed Oct 12, 2005 5:28 pm
by pickle
The trouble with CMSs is that seemingly simple code can turn destructive if it's not formatted properly. Leaving a <table> or <div> open can really screw up your layout.

To stop PHP code from being inserted, I believe you can use strip_tags() to pull it all out before you dump, save the page code.

Make sure you have error conditions set up for every instance where you are expecting a particular value. I'd imagine that's often how web applications are hacked - hackers keep throwing weird stuff at the app until they get an error message that exposes more information than the programmer intended.
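An added example (not part of pickle's post or of the thread) of the two points above: strip tags from submitted content, and reject every unexpected value with a generic error while the detail is logged server-side only. The function names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; validate_page_input() and handle_request() are hypothetical names.

/** Check every field the admin form is expected to send; throw on anything else. */
function validate_page_input(array $in): array
{
    if (!in_array($in['action'] ?? null, ['add', 'edit', 'delete'], true)) {
        throw new InvalidArgumentException('action not in allow-list');
    }
    $id = filter_var($in['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id is not a positive integer');
    }
    $body = $in['body'] ?? null;
    if (!is_string($body) || strlen($body) > 65535) {
        throw new InvalidArgumentException('body missing or too long');
    }
    // strip_tags() removes HTML and PHP tags. No tags are allowed here: with an
    // allow-list, attributes such as onclick on the allowed tags are kept.
    return ['action' => $in['action'], 'id' => $id, 'body' => strip_tags($body)];
}

function handle_request(array $in): string
{
    try {
        $page = validate_page_input($in);
    } catch (InvalidArgumentException $e) {
        error_log('CMS input rejected: ' . $e->getMessage()); // detail stays server-side
        return 'Invalid request.';                            // client sees nothing specific
    }
    // Escape again on output so stored text can never be interpreted as markup.
    return 'Saved page ' . $page['id'] . ': '
        . htmlspecialchars($page['body'], ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: one valid, two with unexpected values.
$samples = [
    ['action' => 'edit', 'id' => '7', 'body' => 'Hello <?php echo 1; ?><b>world</b>'],
    ['action' => 'drop', 'id' => '7', 'body' => 'x'],
    ['action' => 'edit', 'id' => '7 OR 1=1', 'body' => 'x'],
];
foreach ($samples as $s) {
    echo handle_request($s), PHP_EOL;
}
```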

Posted: Wed Oct 12, 2005 5:31 pm
by Belloc
Then again, why use tables when you can use CSS ;) ? Just kidding hehe. I use tables as well, and had no problems at all so far, even on my last CMS for my sister's site I used an IFrame that links to the various CMS pages with a cookie script that checks if you are logged in and it works fine for me (so far) :)

Posted: Wed Oct 12, 2005 5:37 pm
by pickle
CSS could break too. If opening and closing <div> tags don't match, you're in for a fun time.

Posted: Wed Oct 12, 2005 5:39 pm
by Belloc
Jup, that's right, always a good thing to keep in the back of the mind to close your tags ;)