Am I insane to try and make my own forum?

speedmonk
Forum Newbie
Posts: 13
Joined: Thu Apr 06, 2006 10:54 am

Post by speedmonk »

I am still pretty new to PHP/MYSQL. I want to make a very very simple forum, mostly to learn from. I have been reading articles on PHP security, but each time it seems to add more questions and makes me want to hide under my bed.

I guess I have two concerns.

I striptags() on all form input, and it is my understanding that PHP is escaping automatically. This will be put into MYSQL.

However, should I also be using the mysql escape functions before I enter it into the db? Or is striptags enough?

The second is all this stuff about header injections.

If my 'TOPIC' list titles have links to show the TOPIC with a thread_id in the URL, do I need to striptags and verify that it is still an integer before I pass it to MYSQL to get the list of messages?

I guess what I am asking is: do you verify URL variables created by PHP on your site from page to page?

Is there a standard set of functions you can include to do this?

Thanks
James MacLeod
Nathaniel
Forum Contributor
Posts: 396
Joined: Wed Aug 31, 2005 5:58 pm
Location: Arkansas, USA

Post by Nathaniel »

mysql_real_escape_string on all input going into the database.

striptags is used when taking data OUT of the database, not while putting it in.

Yes, verify ALL input from $_COOKIE, $_GET, $_POST, $_SERVER... don't trust any of it.

A year and a half ago, I tried to create my own CMS / Blog / Forum system, and I learned a LOT from it. I learned OOP, found Unit Testing, learned how sessions work, learned a lot about htaccess and mod_rewrite, and so many other things. Although I never completed it, it was certainly worth my time - things you learn from experience stick around a lot better than things you read.

The single most important thing I learned, however, was keep things simple. Don't plan out an elaborate system with all of the features you could possibly think of. Do strip the requirements down to the bare minimum: registration, login / logout, manage profile, view list of forums, view list of topics in forum, view topic, post topic / reply to topic will be plenty to keep you busy for a while.

If you don't keep things down the bare minimum, you will burn out, give up, and be frustrated. Keeping things simple gives you a feeling of accomplishment, and allows you to have a "working product" while allowing you to add in more features later.

You may want to look into unit testing (I use SimpleTest), but I won't push it on you. It took me a while to become comfortable with it. It's a complete u-turn from the "standard" programming practice. It saves a lot of time, though, and you'll be a lot more confident in the quality of your work.

Good luck!

- Nathaniel
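The three points in Nathaniel's reply (validate the thread_id from the URL, escape on the way into the database, escape on the way out) put together in one small page, as an added example that is not code from the thread or from either poster. It assumes a `messages` table with `thread_id`, `author` and `body` columns and an open `mysqli` connection in `$db`; both are assumptions. Where the thread says `mysql_real_escape_string`, this uses a prepared statement with bound parameters instead, which is the current replacement for per-string escaping (the `mysql_*` functions were removed in PHP 7) and solves the same problem: the user's text never becomes part of the SQL text.

```php
<?php
// Added example (not from the thread). Assumptions: a MySQL table
// `messages` (thread_id INT, author VARCHAR, body TEXT) and an open
// mysqli connection in $db, with the mysqlnd driver for get_result().
declare(strict_types=1);

// 1. Never trust $_GET['thread_id']: accept only a positive integer and
//    reject everything else, instead of stripping tags and hoping.
function validThreadId(array $get): ?int
{
    $id = filter_var($get['thread_id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// 2. Store input with a prepared statement. The bound values are sent to
//    the server separately from the SQL text, so no escaping is required
//    and the stored text is kept exactly as the user typed it.
function insertMessage(mysqli $db, int $threadId, string $author, string $body): bool
{
    $stmt = $db->prepare('INSERT INTO messages (thread_id, author, body) VALUES (?, ?, ?)');
    $stmt->bind_param('iss', $threadId, $author, $body);
    return $stmt->execute();
}

function fetchMessages(mysqli $db, int $threadId): array
{
    $stmt = $db->prepare('SELECT author, body FROM messages WHERE thread_id = ?');
    $stmt->bind_param('i', $threadId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 3. Escape when rendering, not when storing: HTML encoding happens at the
//    one place where the text is put into HTML, so a post containing
//    "<script>" is shown literally and never executed by the browser.
function renderMessage(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="msg"><b>' . $e($row['author']) . '</b>: ' . $e($row['body']) . '</div>';
}

// Usage (assumes $db is already connected):
// $threadId = validThreadId($_GET);
// if ($threadId === null) { http_response_code(400); exit('Bad thread id'); }
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     insertMessage($db, $threadId, (string) ($_POST['author'] ?? ''), (string) ($_POST['body'] ?? ''));
// }
// foreach (fetchMessages($db, $threadId) as $row) { echo renderMessage($row); }
```

The split between input and output handling is the part worth keeping even if the details change: validation (is this really an integer?) belongs where the value enters, parameter binding belongs at the database boundary, and HTML escaping belongs at the HTML boundary. Stripping tags on input would lose the user's text and still not protect the SQL query.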
speedmonk
Forum Newbie
Posts: 13
Joined: Thu Apr 06, 2006 10:54 am

Post by speedmonk »

Nathaniel wrote: mysql_real_escape_string on all input going into the database.

striptags is used when taking data OUT of the database, not while putting it in.

Yes, verify ALL input from $_COOKIE, $_GET, $_POST, $_SERVER... don't trust any of it.

A year and a half ago, I tried to create my own CMS / Blog / Forum system, and I learned a LOT from it. I learned OOP, found Unit Testing, learned how sessions work, learned a lot about htaccess and mod_rewrite, and so many other things. Although I never completed it, it was certainly worth my time - things you learn from experience stick around a lot better than things you read.

The single most important thing I learned, however, was keep things simple. Don't plan out an elaborate system with all of the features you could possibly think of. Do strip the requirements down to the bare minimum: registration, login / logout, manage profile, view list of forums, view list of topics in forum, view topic, post topic / reply to topic will be plenty to keep you busy for a while.

If you don't keep things down the bare minimum, you will burn out, give up, and be frustrated. Keeping things simple gives you a feeling of accomplishment, and allows you to have a "working product" while allowing you to add in more features later.

You may want to look into unit testing (I use SimpleTest), but I won't push it on you. It took me a while to become comfortable with it. It's a complete u-turn from the "standard" programming practice. It saves a lot of time, though, and you'll be a lot more confident in the quality of your work.

Good luck!

- Nathaniel

Fantastic, thanks for the help. I will check into the Unit Testing, as of writing this I have no idea what it even is! LOL.