
Thread: A very simple CMS for a website

  1. #1
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts

    A very simple CMS for a website

    Basically I'm doing a band website and as many of you know I seem to have the inability to program competently in PHP with MySQL. All this CMS will do is have the ability to add / edit / delete news posts and gig dates. I want to expand it in the future so all pages are editable throughout the whole site.

    Now, there will be 4 band members using it only to update. Instead of faffing around with a table in a database to retrieve the usernames and passwords, is it OK to simply store the usernames and passwords in a file on the webserver and just compare values that way?

    This thread will get lengthy as I'll be asking questions over the next few days.

    Cheers all

  2. #2
    HEXUS.net Webmaster
    Join Date
    Jul 2003
    Location
    UK
    Posts
    3,108
    Thanks
    1
    Thanked
    0 times in 0 posts
    No, as soon as someone guesses the URL of the text file you're screwed. Even if you encrypt it they'll get hold of it sooner or later, especially since you've just announced your intention.

  3. #3
    HEXUS.social member Agent's Avatar
    Join Date
    Jul 2003
    Location
    Internet
    Posts
    19,185
    Thanks
    739
    Thanked
    1,614 times in 1,050 posts
    You could do it that way, but it's just more work than doing it from the DB itself.
    If you're going to be using a DB, use it fully.

    Adding / editing / etc. users to the CMS would not be very different from inserting an article. You have the basic fields, which you just pull out when someone logs in and compare the values.
    Remember to use hashing too, MD5 will be the one you want.
    Quote Originally Posted by Saracen View Post
    And by trying to force me to like small pants, they've alienated me.

  4. #4
    Gaarrrrr! Dav0s's Avatar
    Join Date
    Aug 2005
    Location
    Bristol
    Posts
    1,442
    Thanks
    1
    Thanked
    3 times in 3 posts
    Storing them in a table really won't be that much more effort, since your website has a database anyway.

    tbh I find working with files horrible in PHP, I would much rather use MySQL.

  5. #5
    HEXUS.social member Agent's Avatar
    Join Date
    Jul 2003
    Location
    Internet
    Posts
    19,185
    Thanks
    739
    Thanked
    1,614 times in 1,050 posts
    Quote Originally Posted by Iain
    No, as soon as someone guesses the URL of the text file you're screwed, even if you encrypt it they'll get hold of it sooner or later, especially since you've just announced your intention
    He could set up the permissions to disallow web access, but as you say, it's just not a good way to do it.

  6. #6
    Moderator DavidM's Avatar
    Join Date
    Jan 2005
    Posts
    8,779
    Thanks
    802
    Thanked
    252 times in 234 posts
    If you use a proper CMS - just set up a login area, which need not even be visible - just a URL ... then you'll have no issues.

    Also then you have the possibility of expanding it later to add a forum or whatever if required.

  7. #7
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    Yeh I'll be adding a forum etc. Yeh I know it's not hard to do it with a table, in fact my current admin pages use a table.

    I'll be doing some more coding tomorrow, the website design is finished though (funnily enough I haven't checked it to see if it meets standards *hides in shame*)

    Gah, it's going to take so long to make sure it's protected against SQL injection and that other one cross something something

  8. #8
    Moderator DavidM's Avatar
    Join Date
    Jan 2005
    Posts
    8,779
    Thanks
    802
    Thanked
    252 times in 234 posts
    That's why using a standard CMS is sometimes safer - as the problems are spotted quite quickly and patched.

  9. #9
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    I'd like to incorporate a simple CMS but WP is too advanced for the kind of thing I'm doing, I just need a simple news posting CMS henceforth I'm just doing it myself.

  10. #10
    Member
    Join Date
    Sep 2003
    Location
    Aberdoom
    Posts
    172
    Thanks
    0
    Thanked
    0 times in 0 posts
    Write yourself a simple user authentication class. Mine is ~200 lines long, which covers logging in, logging out, creating cookies, hashing values, creating/validating digests, getting permissions etc. All fairly basic stuff... but self contained. Benefit of this is that I can use it all over the place, and never need to worry about having to code user authentication stuff again. Makes for very easy maintenance.

    For SQL Injections... escape everything, and put everything inside quotes. Control the input as much as you can, check values, again and again to make sure they're of the length you expect, type you expect, and within the ranges expected (database value ranges, or plain min max values). Covering this should stop any rubbish being added to your database to keep everything nice and tight*.

    * made up term, but it sounds nice.

  11. #11
    on ye old ship HEXUS DR's Avatar
    Join Date
    Jul 2003
    Location
    HEXUS HQ, Elstree
    Posts
    13,412
    Thanks
    1,060
    Thanked
    841 times in 373 posts
    Why not look at Mambo?

  12. #12
    Moderator DavidM's Avatar
    Join Date
    Jan 2005
    Posts
    8,779
    Thanks
    802
    Thanked
    252 times in 234 posts
    Not the easiest to use by far. (And it's Joomla now btw - as they've recently had a split with Miro ... who wanted to turn the system from open source to commercial)

    In my spare time I deal with a couple of CMS coding teams - so have experience of a few CMS systems... PM me and I'll speak about this further.

  13. #13
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    I had considered writing an authentication class as it would be easier to use for future reference, for now I'll just do it procedurally and see what I can come up with.

  14. #14
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
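    Code:
    <?php
        // Start the session before any output is sent.
        session_start();
    ?>

    <html>
    <head>
    </head>

    <body>

    <?php

    // Credentials come from the login form on submit, then from the session.
    if(isset($_POST['username']) && isset($_POST['password'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];
    }
    elseif(isset($_SESSION['username']) && isset($_SESSION['password'])) {
        $username = $_SESSION['username'];
        $password = $_SESSION['password'];
    }

    // No credentials yet: show the login form.
    if(!isset($username) || !isset($password)) {
         include('includes/login.php');
         exit();
    }

    // Keep the credentials in the session so they are re-checked on each request.
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;

    // Return false on failure instead of throwing, so the check below runs.
    mysqli_report(MYSQLI_REPORT_OFF);

    $conn = mysqli_connect('localhost', 'xxx', 'xxx');
    if(!$conn) {
        session_unset();
        session_destroy();

        echo 'Unable to connect to db';
        include('includes/login.php');
        exit();
    }

    mysqli_select_db($conn, 'xxx');

    // Fetch the stored password for this user; the username is escaped before it goes into the query.
    $sql = mysqli_query($conn, 'SELECT password FROM user_table WHERE username = "' . strip_tags(mysqli_real_escape_string($conn, $username)) . '"') or die('Couldnt find table');
    $fetch = mysqli_fetch_array($sql);
    $numrows = mysqli_num_rows($sql);

    // Valid only if the user exists and the submitted password matches the stored one.
    if($numrows != 0 && ($password == $fetch["password"])) {
       $valid_user = 1;
    }
    else
    {
       $valid_user = 0;
    }

    if(!($valid_user)) {
       // Failed login: drop the session and show the form again.
       session_unset();
       session_destroy();

       include('includes/login.php');
       exit();
    }
    else {
       include('includes/content.php');
    }
    ?>

    </body>
    </html>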
    That's the index.php for admin stuff, it's not working yet as it's saying it can't connect to the database, just checking through it now. Thoughts?
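
Added example, not part of Kezzer's post or the thread: the same username/password check done with a bound parameter instead of string escaping, and with password_hash()/password_verify() in place of the plain-text comparison above and the MD5 suggested earlier in the thread. It assumes PHP with the PDO SQLite driver; the in-memory database, the sample account and the check_login() name are constructed for illustration.

```php
<?php
// Added example: table and column names follow the post above; the SQLite
// in-memory database and the sample account are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_table (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store only a salted hash of the password, never the password itself.
$insert = $db->prepare('INSERT INTO user_table (username, password) VALUES (?, ?)');
$insert->execute(['kez', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

// Hash of a throwaway value, verified when the user does not exist so that
// unknown and known usernames take a similar amount of time.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function check_login(PDO $db, $username, $password)
{
    // Reject input of the wrong type or length before touching the database.
    if (!is_string($username) || !is_string($password)
        || strlen($username) < 1 || strlen($username) > 32
        || strlen($password) > 128) {
        return false;
    }

    // The placeholder keeps the username out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password FROM user_table WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    return password_verify($password, $hash);
}

// Constructed inputs: a valid login, a wrong password, and a username
// shaped like an injection attempt, which is treated as plain data.
var_dump(check_login($db, 'kez', 'correct horse battery'));
var_dump(check_login($db, 'kez', 'wrong'));
var_dump(check_login($db, '" OR "1"="1', 'anything'));
```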

  15. #15
    TonyBurn
    Guest
    click here

    Nice little tutorial to assist you making a php cms.

  16. #16
    Senior Member Kezzer's Avatar
    Join Date
    Sep 2003
    Posts
    4,863
    Thanks
    12
    Thanked
    5 times in 5 posts
    Oooh nifty, Cheers Tony
