
Custom Made CMS

Posted: Tue Sep 21, 2010 12:46 pm
by CoolAsCarlito
I have a custom made CMS project that I helped establish and was looking to see if I could get someone to scan over the 8 or so files and just critique them all to see if they understand the CMS as a whole and each page. It isn't huge by any means but it wouldn't work to post all 8 page posts in here. Please PM if you would be able to just scan over them and tell me what you think.

Re: Custom Made CMS

Posted: Tue Sep 21, 2010 12:56 pm
by MichaelR
You can post it here. Using the code tag automatically contracts the data so it won't take up loads of space (until we click "expand").

Re: Custom Made CMS

Posted: Tue Sep 21, 2010 12:59 pm
by CoolAsCarlito

Code:

<?php
	ob_start("ob_gzhandler");  // cache system

	require "backstageconfig.php";
	require "backstagefunctions.php";

	if ((!empty($_POST)) && (isset($_POST['action']))) 
	{
		$action=$_POST['action'];
	} 
	else
	{
		$action="mainmenu";
	}

	if ((isset($_POST['uname'])) && (isset($_POST['pword'])))
	{
		$uname=$_POST['uname'];
		$pword=md5($_POST['pword']);
		validate($fedid, $uname, $pword, 0, 0, $cookiedomain, $cookiepath, $admincssfile);
		$action="mainmenu";
	}
	elseif ((!(isset($_COOKIE['uname']))) && (!(isset($_COOKIE['pword']))))
	{
		require_once "backstage_libs/login.php";
		login($admincssfile,$fed,$url);
	}
	else
	{
		$uname=$_COOKIE["uname"];
		$pword=$_COOKIE["pword"];
		validate($fedid, $uname, $pword, 0, 0, $cookiedomain, $cookiepath, $admincssfile);

		if (isset($_POST['newdefaultcharacterid']))
		{
			$newdefaultcharacterid = (integer)$_POST["newdefaultcharacterid"];
			$query = "UPDATE
					efed_handler
				SET
					default_char_id = '$newdefaultcharacterid'
				WHERE
					login = '$uname' and
					fed_id = '$fedid'"; 
			mysql_db_query($dbname, $query) or die(mysql_error());
		}
	}

	$query = "SELECT
			h.id as userid,
			h.surname as surname,
			h.firstname as firstname,
			h.isadmin as isadmin,
			newscat.id as defaultcategoryid,
			bio.id as defaultcharacterid,
			bio.style_id as styleid,
			bio.username as defaultcharacterusername,
			bio.charactername as defaultcharactername,
			styles.name as style
		FROM
			efed_handler as h
		LEFT JOIN
			efed_bio as bio
		ON
			(
				h.default_char_id = bio.id and
				bio.fed_id = '$fedid'
			)
		LEFT JOIN
			efed_list_styles as styles
		ON
			(
				bio.style_id = styles.id and
				bio.fed_id = '$fedid'
			)
		LEFT JOIN
			efed_list_newscategory as newscat
		ON
			(
				h.default_news_id = newscat.id and
				newscat.fed_id = '$fedid'
			)
		WHERE
			h.login = '$uname' and
			h.password = '$pword' and
			h.fed_id = '$fedid'"; 
	$result = mysql_query ($query); 
	while ($row = mysql_fetch_assoc($result))
	{
		$fieldarray=array('userid','surname','firstname','isadmin','defaultcharacterid','defaultcharacterusername','defaultcharactername','defaultcategoryid','styleid','username','style','charactername');
		foreach ($fieldarray as $fieldlabel)
		{
			if (isset($row[$fieldlabel])) 
			{ 
				$$fieldlabel=$row[$fieldlabel];
				$$fieldlabel=cleanquerydata($$fieldlabel);
			}
		}
	}

	if ($action != "logout")
	{
		headercode($fedid,$admincssfile,$userid,$isadmin,$defaultcharacterid,$defaultcharacterusername,$defaultcharactername,$surname,$firstname,$action,$dirpath,$folder,$headshot,$bioheadheight,$bioheadwidth,$surname,$firstname,$forums);
	}
	else
	{
		headercode($fedid,$admincssfile,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
	}
	// print "<center>\n";

	switch ($action)	
	{
		case "mainmenu":
			mainscreen();
			print "</div>\n";
			footercode();
			break;

		case "login":
			require_once "backstage_libs/login.php";
			login($admincssfile,$fed,$url);
			break;

		case "handler":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/handler.php";
				handler($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$ip); 
			}
			break;

		case "character":
			require_once "backstage_libs/character.php";
			character($fedid,$uname,$pword,$userid,$dirpath,$isadmin,$admincssfile,$dbname,$sortorderarray,$iframe,$defaultcharacterid,$styleid,$defaultcharacterusername,$heatmetersenabled,$heatmeters);
			break;

		case "newscategory":
			if ($isadmin == "1") 
			{
				require_once "backstage_libs/newscategory.php";
				newscategory($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$targetarray); 
			}
			break;

		case "news":
			require_once "backstage_libs/news.php";
			news($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$defaultcategoryid,$ip,$defaultcharacterid,$defaultcharactername);
			break;

		case "content":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/content.php";
				content($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname); 
			}
			break;

		case "template":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/template.php";
				template($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname); 
			}
			break;

		case "biolayout":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/biolayout.php";
				biolayout($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname); 
			}
			break;

		case "quotes":
			require_once "backstage_libs/quotes.php";
			quotes($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$defaultcharacterid,$defaultcharactername);
			break;

		case "alliesrivals":
			require_once "backstage_libs/alliesrivals.php";
			alliesrivals($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$numalliesrivals,$defaultcharacterid,$defaultcharactername,$defaultcharacterusername);
			break;

		case "roleplay":
			require_once "backstage_libs/roleplay.php";
			roleplay($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$defaultcharacterid,$defaultcharactername);
			break;

		case "champions":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/champions.php";
				champions($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname); 
			}
			break;

		case "title":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/title.php";
				title($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname); 
			}
			break;

		case "titlehistory":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/titlehistory.php";
				titlehistory($uname,$pword,$userid,$isadmin,$admincssfile,$dbname); 
			}
			break;

		case "division":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/division.php";
				division($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname); 
			}
			break;

		case "eventname":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/eventname.php";
				eventname($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname); 
			}
			break;

		case "eventbooker":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/eventbooker.php";
				eventbooker($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$dirpath,$headshot); 
			}
			break;

		case "submitmatch":
			require_once "backstage_libs/submitmatch.php";
			submitmatch($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$dirpath,$headshot);
			break;

		case "submitseg":
			require_once "backstage_libs/submitseg.php";
			submitseg($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$dirpath,$headshot);
			break;

		case "resultscompilation":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/resultscompilation.php";
				resultscompilation($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$dirpath,$headshot); 
			}
			break;

		case "resultsediting":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/resultsediting.php";
				resultsediting($uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$dirpath,$headshot,$url); 
			}
			break;

		case "menustructures":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/menustructures.php";
				menustructures($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$dirpath,$headshot,$url); 
			}
			break;

		case "arenas":
			if ($isadmin == "1") 
			{ 
				require_once "backstage_libs/arenas.php";
				arenas($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$dirpath,$url); 
			}
			break;

		case "manageapplications":
			if ($isadmin == "1") 
			{
				require_once "backstage_libs/manageapplications.php";
				manageapplications($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$dirpath,$url);
			}
			break;
		
		case "directory":
			if ($isadmin == "1") 
			{
				require_once "backstage_libs/directory.php";
				directory($fedid,$uname,$pword,$userid,$isadmin,$admincssfile,$dbname,$dirpath,$url);
			}
			break;
			
		case "logout":
			SetCookie ("uname", "");
			SetCookie ("pword", "");
			require_once "backstage_libs/login.php";
			login($admincssfile,$fed,$url);
			break;

		default:
			print "Default Screen<br />";
			footercode();
			break;
	}
	exit;
?>

Re: Custom Made CMS

Posted: Tue Sep 21, 2010 1:07 pm
by CoolAsCarlito
Another file to scan through. That's all I'll post until I hopefully get some responses.

Code:

<?php
	ob_start("ob_gzhandler");  // cache system
	require_once "backstageconfig.php";
	require_once "backstagefunctions.php";
	require_once "backstagefunctions_custom.php";
	if (isset($_GET['routine'])) {$routine=$_GET['routine'];}
	if (isset($_GET['bookingid'])) {$bookingid=$_GET['bookingid'];}
	if (isset($_GET['titleid'])) {$titleid=$_GET['titleid'];}
	if (isset($_GET['menuid'])) {$menuid=$_GET['menuid'];}
	if (isset($_GET['countryid'])) {$countryid=$_GET['countryid'];}
	if (isset($_GET['matchid'])) {$matchid=$_GET['matchid'];}
	if (isset($_GET['bioids'])) {$bioids=$_GET['bioids'];}
	if (isset($_GET['remove'])) {$remove=$_GET['remove'];}
	if (isset($_GET['type'])) {$type=$_GET['type'];}
	if (isset($_GET['fieldid'])) {$fieldid=$_GET['fieldid'];}
	if (isset($_GET['getenabled'])) {$getenabled=$_GET['getenabled'];}
	
	switch ($routine)	
	{
		case "match":
			if ((isset($_COOKIE['uname'])) && (isset($_COOKIE['pword'])))
			{
				$uname=$_COOKIE["uname"];
				$pword=$_COOKIE["pword"];
				validate($fedid, $uname, $pword, 0, 0, $cookiedomain, $cookiepath, $admincssfile);
			}
			else
			{
				die;
			}
			if ($bookingid != "0")
			{
				print "<select name=matchid class=dropdown>";
				$query = "SELECT
						ecm.id as getmatchid,
						ecm.name as getmatchname
					FROM
						efed_content_matchseg as ecm
					WHERE
						ecm.type = 'match' and
						ecm.booking_id = '$bookingid' and
						ecm.title_id = '$titleid'
					ORDER BY
						ecm.sortorder"; 
				$result = mysql_query ($query); 
				while ($row = mysql_fetch_assoc($result))
				{
					$getmatchid = $row['getmatchid'];
					$getmatchname = $row['getmatchname'];
					print "<option value=\"".$getmatchid."\">".$getmatchname;
				}
				print "</select>\n";
				break;
			}
			else
			{
				print "Select an event with matches";
			}

			break;
		case "menu":

			menusystem($menuid);

			break;
			
		case "arenas":
				print "<select name=arenaid class=dropdown><option value=0>- Select -";
				$query = "SELECT
								ela.id as getarenaid,
								ela.city as getarenacity,
								ela.arena as getarenaname,
								ela.capacity as getcapacity
							FROM
								efed_list_arenas as ela
							WHERE
								ela.country_id = '$countryid'
							ORDER BY
								ela.arena";
				$result = mysql_query ($query); 
				while ($row = mysql_fetch_assoc($result))
				{
					$fieldarray=array('getarenaid','getarenacity','getarenaname','getcapacity');
					foreach ($fieldarray as $fieldlabel)
					{
						if (isset($row[$fieldlabel])) 
						{ 
							$$fieldlabel=$row[$fieldlabel];
							$$fieldlabel=htmlentities($$fieldlabel);
						}
					}
					
					print "<option value=\"".$getarenaid."\">".$getarenaname." - ".$getarenacity;
				}					
				print "</select>\n";
		
			break;

		case "getmatch":
			displaymatch($matchid,$dirpath,$resultsheadshots);
			displaycredits($matchid);
			break;
			
		case "appearances":
			$appearances=explode(":", $bioids);
			$appearances=array_unique($appearances);
			print "<ul>\n";
			foreach($appearances as $bioid)
			{
				if ((isset($remove)) && ($remove == $bioid)) { continue; }
				if ($bioid > "0") 
				{
					if ($type == "1")
					{
						print "<li><a href=\"#\" onClick=\"setCompetitor('".$bioid."'); return false;\">Remove</a> : ".getcharactername($bioid)."</li>\n";
					}
					elseif ($type == "2")
					{
						print "<li><a href=\"#\" onClick=\"setInterferences('".$bioid."'); return false;\">Remove</a> : ".getcharactername($bioid)."</li>\n";
					}
				}
			}
			print "</ul>\n";
			break;
			
		case "featuring":
			$featuring=explode(":", $bioids);
			$featuring=array_unique($featuring);
			print "<ul>\n";
			foreach($featuring as $bioid)
			{
				if ((isset($remove)) && ($remove == $bioid)) { continue; }
				if ($bioid > "0") 
				{
					print "<li><a href=\"#\" onClick=\"setFeaturing('".$bioid."'); return false;\">Remove</a> : ".getcharactername($bioid)."</li>\n";
				}
			}
			print "</ul>\n";
			break;

		case "fieldenable":
			if ((isset($_COOKIE['uname'])) && (isset($_COOKIE['pword'])))
			{
				$uname=$_COOKIE["uname"];
				$pword=$_COOKIE["pword"];
				validate($fedid, $uname, $pword, 0, 0, $cookiedomain, $cookiepath, $admincssfile);
			}
			else
			{
				die;
			}		

			$query = "UPDATE
					efed_list_fields 
				SET
					enabled = '$getenabled'
				WHERE
					id = '$fieldid' and
					fed_id = '$fedid'"; 
			mysql_db_query($dbname, $query) or die(mysql_error());

			if ($getenabled == "1")
			{
				print "<a href=\"#\" onClick=\"ajaxpage('backstageajax.php?random=".rand()."&routine=fieldenable&fieldid=".$fieldid."&getenabled=2','".$fieldid."');return false;\">Yes</a>";
			}
			elseif ($getenabled == "2")
			{
				print "<a href=\"#\" onClick=\"ajaxpage('backstageajax.php?random=".rand()."&routine=fieldenable&fieldid=".$fieldid."&getenabled=1','".$fieldid."');return false;\">No</a>";
			}
			
			break;
	}
	exit;
?>

Re: Custom Made CMS

Posted: Tue Sep 21, 2010 2:38 pm
by MichaelR
Just a couple of things regarding the first code.

Firstly, perhaps you could cut down on a lot of the brackets? For example, change:

Code:

elseif ((!(isset($_COOKIE['uname']))) && (!(isset($_COOKIE['pword']))))
to

Code:

elseif (!isset($_COOKIE['uname']) && !isset($_COOKIE['pword']))
Secondly, use an encryption other than MD5 for the password:

Code:

$pword = hash('sha256', $_POST['pword']);
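The following is an added example, not code from the thread or from the CMS under review. MichaelR's point is that MD5 is a poor choice for passwords; a plain SHA-256 digest shares the same weakness, since both are fast and unsalted, so an attacker who obtains the table can test guesses at very high speed. PHP's `password_hash()` / `password_verify()` (PHP 5.5 and later) produce a salted, deliberately slow hash and store the algorithm and cost inside the hash string. The function names `hashPassword`, `checkPassword` and `rehashIfNeeded` are this example's own.

```php
<?php
// Added example (not part of the thread or of the CMS being reviewed): replacing
// md5($_POST['pword']) with password_hash()/password_verify() (PHP 5.5+).
// Both MD5 and plain SHA-256 are fast, unsalted digests; password_hash() produces a
// salted, deliberately slow hash (bcrypt by default) and records its parameters in
// the returned string, so no separate salt column is needed.
declare(strict_types=1);

// At registration or password change: store the returned string. It is 60 characters
// for bcrypt and may be longer for newer algorithms, so use a column such as VARCHAR(255).
function hashPassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

// At login: compare the submitted password against the stored hash. password_verify()
// reads the salt and cost from the hash and compares in constant time.
function checkPassword(string $plaintext, string $storedHash): bool
{
    return password_verify($plaintext, $storedHash);
}

// Call after a successful login: if the stored hash was made with an older algorithm or
// a lower cost than PASSWORD_DEFAULT now implies, return a fresh hash to store in its
// place; null means the stored hash is already current.
function rehashIfNeeded(string $plaintext, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        return hashPassword($plaintext);
    }
    return null;
}

// Stand-alone demonstration with constructed values; no database involved.
$submitted = 'correct horse battery staple';   // constructed sample password
$stored    = hashPassword($submitted);          // what the efed_handler.password column would hold

// The right password verifies, a wrong one does not, and hashing the same password
// twice gives different strings because each call draws a fresh random salt.
var_dump(checkPassword($submitted, $stored));
var_dump(checkPassword('not the password', $stored));
var_dump($stored === hashPassword($submitted));
var_dump(rehashIfNeeded($submitted, $stored));
```

Because the stored hash is no longer a deterministic function of the password, the login handler has to load the row by `login` and then call `checkPassword()`, rather than putting the hash into the `WHERE` clause as the posted `h.password = '$pword'` does. The posted code also reuses the hash held in the `uname`/`pword` cookies as the credential on later requests; this example covers only how the password is hashed and verified, not session handling.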

Re: Custom Made CMS

Posted: Tue Sep 21, 2010 2:44 pm
by CoolAsCarlito
That is some great stuff. Anything not necessarily problematic but would be more efficient on loading time or just straight up proper coding?

Re: Custom Made CMS

Posted: Tue Sep 21, 2010 5:53 pm
by alex.barylski
What kind of critique are you looking for?

Looks like you may have SQL injection exploits, hard to tell without being able to step through the code line for line. There doesn't appear to be any separation of concerns, have you considered looking into using a framework such as CodeIgniter, CakePHP or Zend to assist you architecting software according to some standard?

Cheers,
Alex

Re: Custom Made CMS

Posted: Tue Sep 21, 2010 6:10 pm
by CoolAsCarlito
What do you suggest?

Re: Custom Made CMS

Posted: Thu Sep 23, 2010 12:02 pm
by CoolAsCarlito
Anybody want to mention anything else that I should do differently in my code?

Re: Custom Made CMS

Posted: Thu Sep 23, 2010 7:54 pm
by alex.barylski
What do you suggest?
Using a different CMS? :)

If that is not an option, or you are looking to learn, then I suggest using PDO and prepared statements and parameter binding so you do not have to worry about SQL injection. Google it, it'll take a while to learn.

Cheers,
Alex
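As an added example, not code from the thread or from the CMS being reviewed, here is the `match` dropdown routine from the second posted file rewritten with PDO prepared statements, the approach Alex recommends. The posted version copies `$_GET['bookingid']` and `$_GET['titleid']` into the SQL string untouched; here the values are validated as integers and sent as bound parameters, so they can never alter the query's structure. The example runs against an in-memory SQLite database so it can be executed stand-alone; the CMS itself would pass a MySQL DSN to `connect()`. The table rows are constructed, the helper names (`connect`, `seed`, `intParam`, `matchesForBooking`, `renderMatchDropdown`) are this example's own, and the cookie-based `validate()` call that precedes the query in the posted file is left out.

```php
<?php
// Added example, not code from the thread's CMS: the "match" dropdown query from the
// second posted file rewritten with PDO prepared statements. It runs against an
// in-memory SQLite database so it works stand-alone; the CMS would connect with a
// MySQL DSN such as "mysql:host=localhost;dbname=$dbname" plus a user and password.
declare(strict_types=1);

function connect(string $dsn = 'sqlite::memory:', ?string $user = null, ?string $pass = null): PDO
{
    $pdo = new PDO($dsn, $user, $pass);
    // Throw on SQL errors instead of returning false. The posted code relied on
    // "or die(mysql_error())", which also prints the database error text to the visitor.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    // With MySQL, use real server-side prepares rather than client-side emulation.
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    return $pdo;
}

function seed(PDO $pdo): void
{
    // Constructed sample rows standing in for the CMS's efed_content_matchseg table.
    $pdo->exec('CREATE TABLE efed_content_matchseg (
                    id INTEGER PRIMARY KEY, type TEXT, booking_id INTEGER,
                    title_id INTEGER, name TEXT, sortorder INTEGER)');
    $insert = $pdo->prepare('INSERT INTO efed_content_matchseg
                                 (type, booking_id, title_id, name, sortorder)
                             VALUES (:type, :booking_id, :title_id, :name, :sortorder)');
    $rows = [
        ['match', 7, 0, "Champion's open challenge", 2], // the apostrophe is just data here
        ['match', 7, 0, 'Opening bout', 1],
        ['seg',   7, 0, 'Backstage promo', 3],
        ['match', 8, 0, 'Different event', 1],
    ];
    foreach ($rows as [$type, $bookingId, $titleId, $name, $order]) {
        $insert->execute([
            ':type' => $type, ':booking_id' => $bookingId, ':title_id' => $titleId,
            ':name' => $name, ':sortorder' => $order,
        ]);
    }
}

// Validate query-string values before they go anywhere near SQL: anything that is not a
// non-negative integer falls back to the default instead of being passed through.
function intParam(array $source, string $key, int $default = 0): int
{
    $value = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    return $value === false ? $default : $value;
}

function matchesForBooking(PDO $pdo, int $bookingId, int $titleId): array
{
    // Placeholders replace the interpolated '$bookingid' and '$titleid'. The values are
    // transmitted separately from the SQL text, so the parser never sees them as SQL.
    $stmt = $pdo->prepare('SELECT id AS getmatchid, name AS getmatchname
                             FROM efed_content_matchseg
                            WHERE type = :type AND booking_id = :booking_id AND title_id = :title_id
                            ORDER BY sortorder');
    $stmt->bindValue(':type', 'match', PDO::PARAM_STR);
    $stmt->bindValue(':booking_id', $bookingId, PDO::PARAM_INT);
    $stmt->bindValue(':title_id', $titleId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

function renderMatchDropdown(PDO $pdo, int $bookingId, int $titleId): string
{
    if ($bookingId === 0) {
        return 'Select an event with matches';
    }
    $html = '<select name="matchid" class="dropdown">' . "\n";
    foreach (matchesForBooking($pdo, $bookingId, $titleId) as $row) {
        // Escape on output too: the posted version printed the match name into the page raw.
        $html .= sprintf("<option value=\"%d\">%s</option>\n",
            $row['getmatchid'], htmlspecialchars($row['getmatchname'], ENT_QUOTES, 'UTF-8'));
    }
    return $html . "</select>\n";
}

// Stand-alone run with a constructed query string standing in for $_GET.
$pdo = connect();
seed($pdo);
$get = ['routine' => 'match', 'bookingid' => '7', 'titleid' => '0'];
echo renderMatchDropdown($pdo, intParam($get, 'bookingid'), intParam($get, 'titleid'));
```

The same pattern applies to the other interpolated queries in the posted files (the `UPDATE efed_handler` and `UPDATE efed_list_fields` statements, the arenas lookup by `countryid`): prepare once with placeholders, bind each value with its type, and keep output escaping (`htmlspecialchars`) separate from the database layer. Preparing a statement once and executing it in a loop, as `seed()` does, is also cheaper than building a new query string per row.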