dzenan.cause...@wise-t.com wrote:
I need simple CMS system that I could use as a starting point (to save some
time in setting up the structure) in developing my own CMS. The code
should be simple to understand so that I can easily get on and start
building on it. It would be of great help if it already had features like
statistics, rss feeds, and multi-language support (visitors can click on
the flag at the top of the page and have the pages display the content in
that particular language), but if it doesn't it's okay I would build them.

For example Joomla seems to be too powerful, and pretty difficult to
understand at the coding level in order to customize it to serve my
specific needs.

Does anyone know of any promising open source CMS project that I could use
in this respect?

Thanks,
Dzenan



I have a rather low opinion of most CMS apps out there.

I can't recommend one - but I would recommend whatever you do, if you are starting from scratch, use the php xml DOMDocument class to build your pages.

So many of the content management systems out there have XSS exploit after XSS exploit after XSS exploit.

By using DOMDocument, a script node can not be created unless you create it in your code, making insertion of XSS code into your site a lot more difficult.

Also, I highly recommend you use a server that has php hardened by suhosin.

http://www.hardened-php.net/suhosin/

A lot of the exploits (IE from sloppiness with globals) that are found in php apps would not work on servers that are protected by suhosin.

Speaking of globals, there seems to be a bad habit amongst many developers to overuse them.

IE with DOMDocument, they will set their document as a global for use in functions when what they should do is simply add the document as the first parameter to the function thus avoiding the need to use a global. For example -

function spanText($document, $class, $string) {
    // The document is a parameter, not a global.
    $span = $document->createElement("span");
    $span->setAttribute("class", $class);
    // createTextNode() escapes the string on output; passing the string as
    // createElement()'s second argument would leave "&" unescaped.
    $span->appendChild($document->createTextNode($string));
    return $span;
}

If my DOMDocument is, say, $myxhtml - to create a bit of text I want to apply my red class to -

$someNode = spanText($myxhtml,"red","This string will be in the red span");

Another thing the common CMS tools frequently do - they want a configuration file that the web server has write permission to that is parsed as php by almost every page the app displays. Big mistake - if you want a web interface to change settings, store the settings in a database table, don't have the web app write them to a file that other pages include.

Finally, another thing they often do is to have a directory the web server has write permission to in the web root. Big mistake, you don't want apache to have write permission to any directories (or files) that it serves, you want to keep those outside the web root and use php to grab what needs to be grabbed (IE a php wrapper to fetch images that users have uploaded).

Have fun, but if looking at other apps to figure out how to do things, just remember that many of the webapps out there are not examples of good code and remember that most php books are not written by security gurus (I'm not a security guru, and even I've found insecure practices in several books).

Unfortunately a lot of jerks exist who want to own your server and use it to spam the world (or attack other servers).
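The two practices recommended in the reply above, building the page with DOMDocument so untrusted text can never become markup, and serving uploaded files from a directory outside the web root through a PHP wrapper, put together as an added example. This is not code from the thread; the upload directory path, the file-name pattern and the sample comment text are constructed for illustration.

```php
<?php
// Added example (not from the original thread). Builds a page with DOMDocument so
// that user-supplied text is always serialized as text, and serves uploaded files
// from a directory outside the web root. Paths and sample input are constructed.

declare(strict_types=1);

// Wrap $string in <span class="..."> . The document is passed in rather than read
// from a global. createTextNode() escapes <, > and & on output, whereas the value
// argument of createElement() does not escape &.
function spanText(DOMDocument $document, string $class, string $string): DOMElement
{
    $span = $document->createElement('span');
    $span->setAttribute('class', $class);
    $span->appendChild($document->createTextNode($string));
    return $span;
}

// Build a minimal page and insert an untrusted comment into it. Because the only
// nodes in the tree are the ones created here, no <script> element can appear
// unless this code creates one.
function buildPage(string $title, string $untrustedComment): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $doc->formatOutput = true;

    $html = $doc->appendChild($doc->createElement('html'));
    $head = $html->appendChild($doc->createElement('head'));
    $head->appendChild($doc->createElement('title'))
         ->appendChild($doc->createTextNode($title));

    $body = $html->appendChild($doc->createElement('body'));
    $p = $body->appendChild($doc->createElement('p'));
    $p->appendChild($spanTextNode = spanText($doc, 'comment', $untrustedComment));

    return $doc->saveXML();
}

// Constructed location for user uploads: writable by the web server but outside
// the document root, so nothing in it is ever served (or executed) directly.
const UPLOAD_DIR = '/var/www/uploads';

// Map a requested file name to a real path inside UPLOAD_DIR, or null if the
// request is not acceptable.
function resolveUpload(string $name): ?string
{
    // Whitelist the name: no path separators, one dot, a known image extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)\z/', $name)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    // realpath() resolves symlinks and fails for missing files; the result must
    // still lie inside the upload directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The PHP wrapper that hands an uploaded image to the browser.
function serveUpload(string $name): void
{
    $path = resolveUpload($name);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    // Check the file content, not just the extension, before labelling it.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif'], true)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Constructed untrusted input containing markup and a bare ampersand.
    $page = buildPage('Guestbook', '<script>alert(1)</script> & friends');
    echo $page;
    // The tag survives only as escaped text, never as an element.
    assert(strpos($page, '<script') === false);
    // Traversal attempts never pass the whitelist.
    assert(resolveUpload('../../etc/passwd') === null);
}
```

When run from the command line the script prints the page and the two assertions hold; on a web server `serveUpload($_GET['f'])` would be wired to a URL such as /image.php?f=photo.png while the uploads directory itself stays outside the document root.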

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
