php, CMS security

I was going to start making a Content Managment System website with php and was wondering if anyone knew of some good tuorials or something.

Also I'm just guessing this is how you do it:

-Build the shell of your website which is your index
-Then write something like:

PHP Code:
<? php

$pageid = $_GET['pageid'];
$page = $pageid . "php";

include("$page.php");

?> 

But he said it would leave it vulnerable to php injection.. Just wondering what you all think

Yes it is not secure at all.

You should use something like :

Code:

<?php 

$pageid = $_GET['pageid']; 
$page = $pageid . "php"; 

include("content/" . $page . ".php"); 

?> 

because including the $page var could be used like this :

http://yoursite.com/index.php?pageid=http://uri_to_a_remote_server_manager

so the problem would be that the 'hacker' could include to your page an external php program and that's too bad....

is there a better way to check for security faults in a PHP program?

[Join us @ facebook]

is there a better way to check for security faults in a PHP program?

I am not sure if there is a way to do this, except than taking a look in your site, and make sure it is not defaced

I am kiddin. But anyway it is too hard to tell that there is a way to check the security faults of a site.

You must be allways reading articles and news regarding to the languages you use, make small or no use at all of common vurnerabal functions such as eval and exec, and check your log files on a regular base.

I am not sure if there is a way to do this, except than taking a look in your site, and make sure it is not defaced

I am kiddin. But anyway it is too hard to tell that there is a way to check the security faults of a site.

You must be allways reading articles and news regarding to the languages you use, make small or no use at all of common vurnerabal functions such as eval and exec, and check your log files on a regular base.

Thanks, Nikolas! I actually don't check my log files, except when I'm testing my scripts. But I will start doing so.

Also, since this is about CMS security, what do you think is the best way to prevent spam in comments/guestbook systems within a CMS?

[Join us @ facebook]

The first thing you have to do is puting the code rel=nofollow to the links that created from your guestbook or comment script. Then you should put a security image to your submit page, as the comment spammers are programs ( I mean that comment spamming is not generated by humans that browse your site)

An example is in the topsites directory . Browse the directory and try to submit a review for a site.

After all of these things you can also use a script to stop the referer spam like aStatSpam

Yes it is not secure at all.

You should use something like :

Code:

<?php 

$pageid = $_GET['pageid']; 
$page = $pageid . "php"; 

include("content/" . $page . ".php"); 

?> 

So this will work good then?

[Join us @ facebook]

So this will work good then?

Yes because even if there is a url in the $page variable, the script will stop because it wont find the file /content/whatever else.....

Hmm. Interesting thoughts.

I didn't knew about this vunerability

That is the method I used to code one of my websites. Very basic and easy.

That is the method I used to code one of my websites. Very basic and easy.

It is very basic and easy, but it is also the number one 'weapon' for deface hacking attacks!

You may also want to make sure the file exists before including it.
Then redirect anyone to the main page if the file is invalid.

Thing is , if you do an echo on errors  like ,
"Couldnt find $page";
Its still suscpetible to XSS , you can use HTML to include frames and things , PHP to echo config files and the like or SQL to  delete user tables or get them etc.
Its very confusing but just use stripslashes and htmlspecialchars on your echo and you should be fine.

storing pages in a mysql or postgre db is much more secure then storing file on your webserver directory alone... then echoing these values with something like this:

Code:

<?php
$homepage = mysql_query("SELECT * FROM pages WHERE id=1");
$homepage = mysql_fetch_array($homepage);
echo "<table width=\"100%\" height=\"100%\"><tr><td>";
echo stripslashes($homepage['content']);
echo "</td></tr></table>";
?>

[Join us @ facebook]

Meth0d I will not agree with you.

Database is not used because it is safer, but because it gives you the abillity to make more things like content managment, CMS upgrades, layout upgrades.

Files are much faster, but are usefull only for small static sites.

yeah that is more the point i was going with that anyway, my sites always change so i dont use static pages as much anymore

[SEO Voter]

You may also want to make sure the file exists before including it.
Then redirect anyone to the main page if the file is invalid.

I agree!

Another thought... wouldn't a mod rewrite be easier and safer still?! At the same time, your site (in the public areas) will become more SE friendly and get you higher rankings.

[Guest]

[35.712]

Baidu Spider, Yahoo crawler, adsense, Msnbot