PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Loading
It is currently Sun Sep 22, 2019 10:46 pm

All times are UTC - 5 hours




Post new topic Reply to topic  [ 10 posts ] 
Author Message
PostPosted: Mon Nov 15, 2010 7:02 pm 
Forum Newbie
Joined: Mon Nov 15, 2010 6:51 pm
Posts: 6
Location: Cyberspace, Quadrant 512
I have recently started developing a new PHP CMS (code-named "Pagini") as a hobby of mine. It has currently reached version 0.3.1 and is available at . As I am a relative newcomer to PHP, Pagini was written without ANY advanced features. As such, please don't attempt to convert me to changing the whole structure of the program - for now, Pagini will remain simple, for good or bad.
What does concern me, however, is Pagini's security. I have gotten reports on Sourceforge.net that it is easily hackable, and I know of a friend who did get hacked. So I would mostly like it if you give a general review of Pagini, with a strong emphasis on security.
Security concerns aside, I hope you enjoy what has been so far a thoroughly enjoyable project for myself!
Note: Pagini development is at a standstill for now due to lack of time. :(
Features:
- Simple, intuitive interface,
- Simple code, easy to change,
- No-nonsense page editor,
- Integrated news manager,
- Theme manager,
- User manager,
- And more to come!


PostPosted: Tue Nov 16, 2010 12:57 pm 
DevNet Master
Joined: Thu Mar 15, 2007 6:28 pm
Posts: 2765
Location: Redding, California
I looked through the code a bit. Is this your first attempt? The first security issue I encountered was that it never cleans input. It would take a very small amount of time to put in mysql_real_escape_string() and intval() where needed.

I also observe that the software is heavily procedural. The good thing is that it's marginally easy to understand. The bad thing is that as things get more complex (which they do, *even if the project is kept simple), the understandability goes way down very quickly. This is where OOP saves the day.

Your code syntax is nice and uniform. Although, you may want to take a look at the . Zend code is very well formatted.

With those in mind (and other issues I may have missed), you've done a pretty good job so far.

* Yes, it's possible for a project to be both simple and complex


PostPosted: Tue Nov 16, 2010 5:05 pm 
Forum Newbie
Joined: Mon Nov 15, 2010 6:51 pm
Posts: 6
Location: Cyberspace, Quadrant 512
Yes, this is my first time.
I know I need mysql_real_escape_string(), but I don't know where to put it.
I'd love to implement an OOP system, but I don't know of any good tutorials. Any help?


PostPosted: Tue Nov 16, 2010 6:15 pm 
DevNet Master
Joined: Thu Mar 15, 2007 6:28 pm
Posts: 2765
Location: Redding, California
I dunno, but you'd probably get a load of tutorials by googling "php oop".

Here's an example for improving your security. This is an excerpt from /inc/content.inc.php:

```php
function content()
  {
  if(isset($_GET['id']))
    {
    $id = $_GET['id'];   // untrusted value taken straight from the query string
    }
  else
    {
    $id = "1";
    }
  // $id is interpolated into the SQL unescaped and unvalidated
  $result = mysql_query("SELECT * FROM content WHERE id='$id'");
```

This is ripe for a SQL injection attack [wikipedia.org]. What happens if $_GET['id'] is "1'; DROP TABLE content;"? You're toast, that's what happens.

The value being injected into the query is expected to be a number, so we can clean it with intval() [php.net] like so.

```php
function content()
  {
  if(isset($_GET['id']))
    {
    $id = $_GET['id'];
    }
  else
    {
    $id = "1";
    }
  $id = intval($id);   // coerce to an integer before it reaches the query
  $result = mysql_query("SELECT * FROM content WHERE id='$id'");
```

That converts it to the native integer type (thereby stripping out any extraneous characters), instead of a string.

I looked through the code more, and didn't find any place where you didn't use mysql_real_escape_string().
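
The injection in the content() excerpt above and both ways of closing it, written out as an added example that is not Pagini's code and was not part of the original thread. It assumes PHP 7 or later with the pdo_sqlite extension, builds its own small content table in an in-memory SQLite database, and constructs the attacker input; the names makeDb, contentVulnerable, contentIntval and contentPrepared belong to this example, not to Pagini.

```php
<?php
// Added example (not Pagini code). Reproduces the content() pattern against an
// in-memory SQLite database so it runs offline. Assumes PHP 7+ with pdo_sqlite;
// the table, its rows and the attacker payload are all constructed here.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
    $db->exec("INSERT INTO content (id, title, published) VALUES
               (1, 'Home', 1), (2, 'About', 1), (3, 'Unpublished draft', 0)");
    return $db;
}

// 1. Vulnerable: same shape as the original. The request value is dropped
//    straight into the SQL text; the only thing keeping it inside the literal
//    is a pair of single quotes, and the attacker can supply a quote.
function contentVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, title FROM content WHERE id='$id' AND published=1";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The fix suggested in the reply: intval() turns whatever arrived into an
//    integer, so nothing is left that could terminate the literal or add SQL.
function contentIntval(PDO $db, string $id): array
{
    $id = intval($id);
    $sql = "SELECT id, title FROM content WHERE id=$id AND published=1";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. The general fix: a prepared statement sends the value separately from
//    the SQL text, so it also covers string columns (names, search terms)
//    where intval() is not an option.
function contentPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, title FROM content WHERE id = :id AND published = 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();

// Constructed attacker input: closes the quoted literal, makes the WHERE clause
// always true and comments out the rest of the query, including published=1.
$payload = "1' OR 1=1 --";

foreach (['vulnerable' => 'contentVulnerable',
          'intval'     => 'contentIntval',
          'prepared'   => 'contentPrepared'] as $label => $fn) {
    $rows = $fn($db, $payload);
    printf("%-10s : %d row(s) %s\n", $label, count($rows),
           implode(', ', array_column($rows, 'title')));
}
```

Run it with `php example.php`. The vulnerable path returns every row, including the unpublished draft the `published=1` clause was meant to hide; the intval() path sees only the leading `1` and returns the Home page; the prepared statement compares the whole string to the integer column and returns nothing. Two caveats for anyone applying the reply's advice today: mysql_query() never executed a second statement, so the "DROP TABLE" payload quoted above would have failed, but payloads that stay inside one statement (like the one here) work fine; and the whole mysql_* extension, mysql_real_escape_string() included, was removed in PHP 7, so new code should use PDO or mysqli prepared statements rather than escaping, and even with escaping, a value in an unquoted numeric position such as `id=$id` is not protected at all.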


PostPosted: Tue Nov 16, 2010 6:21 pm 
Forum Newbie
Joined: Mon Nov 15, 2010 6:51 pm
Posts: 6
Location: Cyberspace, Quadrant 512
Okay, I'll work on that.
But there are mysql_real_escape_string() in the admin section!


PostPosted: Tue Nov 16, 2010 6:56 pm 
DevNet Master
Joined: Thu Mar 15, 2007 6:28 pm
Posts: 2765
Location: Redding, California


PostPosted: Tue Nov 16, 2010 7:13 pm 
Forum Newbie
Joined: Mon Nov 15, 2010 6:51 pm
Posts: 6
Location: Cyberspace, Quadrant 512
Oh, sorry, I misinterpreted your answer. :oops:
Otherwise, any suggestions for Pagini? In terms of usability, for example, or organization...


PostPosted: Tue Nov 16, 2010 7:36 pm 
DevNet Master
Joined: Thu Mar 15, 2007 6:28 pm
Posts: 2765
Location: Redding, California
Okay, I'm giving your program the immense privilege of being installed on my computer and tested. 8O

First impressions. Nice interface. Error messages are displayed nicely. Under "website location", it says "without trailing slash". Instead, you should just use .

It says "don't forget to delete the install/ directory". Instead, you should have a checkbox asking if you want to delete it. Also, does it log the installation process?

On the admin/(build/manage/customize) pages, there is nothing but links to sub sections. That is an unnecessary extra click. Try to figure out how to make some sort of summary, or put one of those sub sections in the top.

Overall, you've done a pretty nice job. It's very much like Wordpress, but much much simpler. Note though, I have not tried to break anything. The breakability and level of self-repair is important. Keep going, perhaps you can get the attention of other developers interested in working on this.


PostPosted: Tue Nov 16, 2010 7:52 pm 
Forum Newbie
Joined: Mon Nov 15, 2010 6:51 pm
Posts: 6
Location: Cyberspace, Quadrant 512
I'm considering deleting "Website location". I thought of using it like Wordpress does (my inspiration...), but so far I've gotten by using relative paths, so although it's an interesting function (thanks for the tip!) I don't think I'll need to use it.

Delete /install directory? But wouldn't the user have to chown that directory to www-data then?

That menu is a placeholder. It's okay so far, but I'm really trying to figure out a way to make it better. A dropdown menu might work, but it might fit with difficulty in there. A sidebar would be perfect, except, once again, it wouldn't fit well into the overall theme. I guess I could do like Wordpress (like you suggested)... But even then, ultimately, I'd want something better.

Breakability I have not tested. So far, I've opened the puzzle box, taken out the pieces and merged a few that looked like they went together; I haven't tried forcing some to fit yet. So... eventually.

Thanks for your criticism. :D


PostPosted: Tue Nov 16, 2010 8:09 pm 
DevNet Master
Joined: Thu Mar 15, 2007 6:28 pm
Posts: 2765
Location: Redding, California

