Advice needed on creating a bespoke CMS for static HTML websites ? 1

[c0deM0nK424]

Hi all.

I want to ask seasoned veterans and highly experienced full-stack / back-end php and asp.net programmers/coders, what advice they could give to me with regards to wanting to go all out and 'code/develop' a simple yet effective Content Management System tool for those who are proficient in developing hand coded HTML5/CSS3 Responsive Web Layouts.

My Aim is to learn on the job, meaning this is uncharted territory but something I've had a burning desire and interest in pursuing for quite a while now.

I just don't quite know where to start.

If all I wish to offer a client is the facility to 'update/add/delete' content on static web pages, can this not be achieved using native javascript ?

after all, are we not simply manipulating the dom here and nothing else ? the static html/css websites are not utilising any form of database here, therefore can client side scripting be utilised to create an entry level bare bones, 'CMS' sort of tool ?

or am i overlooking or forgetting some serious shortocmings of this approach ? or am I thinking correctly ?


Naturaly I felt I'd need to use a server side scripting langauge to hand code, from scratch a tool taht would utlimately save the web page content in DB files.

so if i went the php route, surely this means ....and forgive me for Zzz here, My Dreaded SQL ? :|

likewise, if i go the asp.net route, again surely the content that would need to be changed would need to be saved in a db of some kind ?


perhaps I'm thinking too hard here and the solution is simpler than i think, and thats where you veterans come into play.

So if anybody could advise me on the best approach, techologies to use for this venture ( creating my own bespoke CMS...) I'd appreciate it HEAPS.


thanks all.

Look forward to your prompt replies.

Warm Regards,

C0de Monk.

 

[ChrisHirst]

Oooh, oooh, me, me, now I can definitely say .... ... "Been there, done that, still have the domain name". It was/is written ASP vbscript with a bit of Jscript for some bits, MySQL for data storage (and I'm planning to rewrite in in Python).

the content that would need to be changed would need to be saved in a db of some kind ?

That is the general principle of a CMS, but a 'database' can be anything from a basic text file, XML for example, all the way up to a binary data structure handled by database server.

Flat files are fairly slow and really not particularly scalable, but if this is purely a "proof of concept" project would do perfectly well.

What do you have against MySQL? It is fast, provided you write 'proper' queries and avoid the abysmal and lazy "SELECT * FROM ...." type of construct, highly scalable and somewhat more secure than an Access datafile would be.

perhaps I'm thinking too hard here and the solution is simpler than i think

You will probably be surprised just how simple it isn't.


Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[vacunita]

Javascript can be used read whatever you are editing and create a functional representation in the browser dynamically, But not sure how this is relevant to a CMS. That would simply be the editing interface. Which may or may not require dynamic rendering.

Sure you can have an editor and have JS automatically make the browser render what you are typing in it. This not really difficult to do.

Normally when you create content for a CMS, You have an editor that handles the input, and your CMS simply handles storage and display when requested. JS here would only be used to make it visible on the fly. However, since this would be happening as you write it, you may run into issues with unclosed tags, and things like that, that cause issues in rendering.


The point of a CMS, is that it stores what you create. Yes this normally uses a DB as its easier to maintain that way.


I agree with Chris here in puzzlement, What's wrong with MYSQL? Its fast, scalable, robust, and very secure. Its also free for most personal uses. Unlike MSSQL. However MYSQL, as well as MSSQL, can be used by both ASP, and PHP. not sure what the limitation here is.

So not entirely sure what is is you are asking.

Generally, one builds with what one feels most comfortable.

I've written several CMS in my life time. Currently working on one for my own BLOG if you will. The process is pretty simple actually, and comes down to what features you want to offer.







----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Web & Tech

 

[Olaf Doschke]

First the idea of a simple CMS has already been implemented so many times, that it's questionable to do one more. More so in the light, that HTML&CSS&Javascript is uncharted territory to you.

But if I take the focus on the mere motivation to do this for fun, then first of all the trend of single page sites removes the need for a CMS, as you only maintain a single page, and thus tools targetted for single html pages, eg html editors with simple to more advanced concepts are enough for that kind of sites.

If you think about the typical business homepage just having some mainly static info, there is a very simple editor, eg Aloha

The concept is even native in HTML5/CSS3 now with the ContentEditable, eg see theory/definition at

http://www.w3.org/TR/2008/WD-html5-20080610/editing.html

and a demo at

http://html5demos.com/contenteditable

This is jumping into a very detail, but it's the feature you'd want to use for a modern HTML CMS allowing even the HTML inept user to edit his site.

What you need first is a distinction between guests using the site and the owner/administrator putting it into editable state, you don't want content editable all the time for everyone, obviously. That goes to the base architecture of any site, eg one of the oldest and stable design patterns here is MVC and such architectural base knowledge is more important to know and start with, as any detail HTML or CSS or Javascript knowledge in my opinion.

In regard of storage of the content, Chris already mentioned the possible varieties from flat files to database. I would consider a database as always superior, but it's not a necessity, ie there is even a whole wiki - dokuwiki - not needing any DB at all. So you can even make complex systems in the area of content managemant database free.

Bye, Olaf.

 

[c0deM0nK424]

Sorry guys, nothing is wrong with MySQL - its a great opensource db and works like a dream on php.

I have anothing against it.

Its just Im wondering if its feasible and worth the time and effort to develop from scratch a full blown CMS tool , OR some sort of site content editor using native javascript.

thing is i dont know if using JS for simple content editing is the best approach.

 

[c0deM0nK424]

More so in the light, that HTML&CSS&Javascript is uncharted territory to you. "


what !?? lmao


I must correct you on that sir, what a silly baseless assumption from your side sir LOL

I am highly proficent with all three of those front end web technologies, Olaf.

I can hand code responsive layouts with ease, thanks to my intimate understanding of applying style to structure and as a result - can 'visualise' the code in my head for various types of weblayouts before ive even began to write code lol

So no, its not 'uncharted territory' for me.

Can't get my head around why you would tell somebody something so bizzare and stupid lol

but please do not get mad @ being wrong about what you said lol

 

[spamjim]

so if i went the php route, surely this means ....and forgive me for Zzz here, My Dreaded SQL ? :|

This is just one excerpt that makes me wonder if any part of this post is supposed to be taken seriously.

Unless you have a novel CMS concept, it is typically foolish to build a CMS on your own. Aside from the futility of reinventing the wheel, a single person is rarely qualified to fully comprehend the security implications of their own code.

You can be much more marketable by diving into co-development on an existing CMS.

 

[Olaf Doschke]

OK, then that is a misunderstanding.

But what topic were you addressing, when you said:

My Aim is to learn on the job, meaning this is uncharted territory but something I've had a burning desire and interest in pursuing for quite a while now.

Bye, Olaf.

 

[ChrisHirst]

it is typically foolish to build a CMS on your own.

Why???

Developing something that has a real use, even if only a personal one, is much better as a learning method than following disparate tutorials that have no real relevance or significance. It certainly makes anyone better at debugging code and solving problems, and you DO learn how to produce 'reusable' code.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[spamjim]

Why???

CMS is serious business. You're writing an application that can read/write to your web server. If you don't get security right, you've got a crippled site or a distribution center for malware and rogue advertising. Someone with the naivety expressed in this post (thinking client side JS can power a server-side CMS) has a long way to go to secure coding.

Like many others who started writing their own CMS, I found maintenance too costly. That's why I jumped onto Drupal. Drupal gives me a foundation to build so much further than what I could do on my own. It certainly doesn't prevent me from learning how to code. You make yourself a stronger developer when you join a project maintained by other experienced developers. A ready-made CMS framework is not a crutch. It pulls you up further than going at it alone.

Ignoring a solid CMS framework is like a JS developer ignoring jQuery. Someone will spend way too much time on basic things to ever amount to much.

 

[vacunita]

Unless you have a novel CMS concept, it is typically foolish to build a CMS on your own. Aside from the futility of reinventing the wheel, a single person is rarely qualified to fully comprehend the security implications of their own code.

You assume this would be a CMS made available to the general public from the get go.

I have to agree with Chris, as a learning exercise it is very worth while. While yes there are security implications and managerial tasks to tackle, as a learning platform which can then get refined and secured later I find your comment extremely limiting.

Also a CMS you write yourself, does not have to have a public view to the internet.

I've built CMSs that only ever have access from within a secured network, without even a public URL for content management.

If no one ever took it upon themselves to write something from scratch, but use pre developed platforms, then there would be no pre developed platforms to use. There is absolutely no reason to want to use something like DRUPAL when the entire purpose of this exercise is to learn.

Ohh, and I take personal offense to:

like a JS developer ignoring jQuery

I routinely ignore jQuery, unless there's something very specific I need from it. I've been writing code for long enough t have my own tried and tested library of methods, and most of the time, I can accomplish things easier and quicker with my Js code than I can with jQuery.

Total reliance on pre-built frameworks can end up being a crutch. Its better to know how to do it first, than to have something else do it for you without understanding what it is doing.









----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Web & Tech

 

[ChrisHirst]

CMS is serious business. You're writing an application that can read/write to your web server

But here you are presuming that this is going to be a project that is "out in the wild" from 'day one'. While writing mine I learnt far more about ensuring that your coding is 'secure' and stable, because you often find the flaws yourself. Also a custom written CMS is intrinsically more 'secure' because no one else can examine the code for any 'weak points'

I routinely ignore jQuery,

I can honestly that I haven't written a single line of code that uses jQuery, mooTools or any other 'framework', similarly to Phil, I have my own set of library functions that I can use and only have to load what is necessary rather than having to include a whole "black box" of code with it's attendant overhead.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[spamjim]

I'm not disagreeing that writing one's own CMS is a useful way to learn. It is just not the most productive way to serve a client, especially if C0de Monk is expecting their client to pay for on-the-job-learning. The client would pay much less to a WordPress developer ($500 for a quick site setup) or to a monthly service like Squarespace.

I'm not sure how you can perceive my comment as "limiting" when I suggest an option that provides a new CMS developer with the power of thousands of fellow developers.

The secure, private network excuse for an amateur CMS is silly. A private CMS can still be harmed by malicious or inadvertent tampering from within that closed network.

I routinely ignore jQuery, unless there's something very specific I need from it.

I believe the statement you meant to write to support your argument for learning to do everything on your own is that "I never, ever use jQuery or any other prepared library".

Also a custom written CMS is intrinsically more 'secure' because no one else can examine the code for any 'weak points'

That is hilarious. The same faulty logic makes Windows intrinsically more secure than Linux.

 

[ChrisHirst]

That is hilarious. The same faulty logic makes Windows intrinsically more secure than Linux.

You obviously miss my point, a single developer working on a single project such as this one that is not intended to be extensible, so has no 'publicly' exposed 'hooks' IS by it's very nature more difficult to 'hack into'.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[spamjim]

Chris, I fully understood your point. That is why I explained the fault to it.

You're making assumptions that c0de M0nk never presented. Unless explicitly stated otherwise, web design/development is intended to appear on the public WWW.

EDIT: Sorry, I am conflating Phil's comments about an internal CMS not exposed to the public. I lost focus on the point about open source vs a custom CMS built on your own. There is no evidence that closed source is more secure. There's no reason to compare closed vs open source. The important comparison is the massive development experience in an existing OSS (or even closed source) project vs just starting to learn.

Learning to develop an unsecured CMS is not really learning to develop.

 

[ChrisHirst]

Well I'll give you why I KNOW that 'custom solutions' ARE more secure even if it is only through through 'obscurity'.

In the seven years that my CMS was running several websites that were hosted on our Windows server(s), none of them were ever hacked or infiltrated, there were plenty of attempts but none succeeded, I only wish I could say the same about the same sites now they are using Joomla!, Drupal or WordPress on Linux servers.
One WP site (using a commercially available theme) gets cracked every few days, fortunately [or unfortunately] it's not my responsibility to maintain that particular website, though I do have several scripts in place to limit the damage that can be done. While on the other hand, a Wordpress site on the same server, where I developed the theme from the ground up has NOT been 'broken' in the four years it has been on WP.

I also manage a VM (Linux) for a client who has two site that were running Magento and were getting 'cracked' a couple of times a month. They took my advice and paid for bespoke systems, still on the same server, with each site being slightly different in 'architecture', and since then, they have not been 'hacked' once. The attacks still come in thick and fast, which when analysed are ALL targeted at "well known" e-commerce systems file and folder names.

In bespoke software there are NO 'foot prints' in the HTML source that can lead the crackers and script-kiddies as to what the site is using as a 'back-end', file and folder permissions can be tightened down to limit the scope of code injection attacks, and if you are smart enough there does not even need to be a single physical file or folder name exposed in the HTML source, so there is no "attack vector", then they HAVE to 'break' the database names, user and password to hack anything.

You guys can can believe whatever it is you think. Me; ... Well, I prefer to trust the evidence I have in front of me, and I WILL take a bespoke system over a "well known" product any day of the week.


Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[spamjim]

Chris, I appreciate and understand your perspective but you haven't looked at c0de m0nk's code (yet to be written) to be able to assert that it has more security than a more developed system.

CSS-tricks.com is a great resource and there is a tutorial about making your own bespoke CMS:

https://css-tricks.com/php-for-beginners-building-your-first-simple-cms/

But be sure to scroll down to the bottom of the article to read the "Important Note".

Only through the benefit of multiple eyes can you have some confidence in the security of your creation. This article's comments not only point out security issues in the provided code samples, the comments also mention a JS injection flaw on the css-tricks.com site. The author of the tutorial and the owner of the web site (both skilled in what they do) made security mistakes.

The CMS 'foot prints' you mention are not really relevant to crackers. We all see exploit attempts in our logs for things that do not run on our servers. The scripts don't care; they just cast a wide net. And SQL injection tools are rarely limited to a particular CMS...they just try to force queries. So it does not matter if you've made a custom CMS or if the source is openly distributed for the world to see.

 

[Olaf Doschke]

c0deM0nK424 seems to have left this discussion.

What I do is have my content management offline, as a desktop application and online code is just a "player" of the content, the most interaction I have is a feedback form, but whatever comes in there is not published automatically. This alone prevents many hacks and security issues I could have and is totally sufficient to provide some pages of info.

I don't even have used the database available. The main PHP ingredients I use is the [tt]require[/tt] command from a controller.php to pull a template.php, which itself pulls some header.php, nav.php, detail.php and footer.php and these php files mainly contain HTML, which in turn may pull in some css and js for screen "magic", eg webfonts. Only nav has the small task to highlight the active page, other parts are static. They are the puzzle pieces putting together a site page and this way I separated the different parts of the page to follow the most important DRY principle. This isn't even comprehensively OOP, but a thing most people ignore: good enough. It could be advanced to not repeatedly load static parts of a page, simply update the active page in the nav section and otherwise change the page detail part in using an ajax js component, but the Google PageSpeed Insights testify a good speed, so I don't care to optimize that.

The other main ingredient is not even PHP related, but .htaccess entries for URL rewrites and cache control. The url pattern I use is domain/language/pagename and that could be extended with actions, if I ever wanted to make this more than a readonly system.

Bye, Olaf.

 

[ChrisHirst]

The actual code that this CMS uses is NOT of any real interest at this point in time

but you haven't looked at c0de m0nk's code

And by the same token, neither have you, but when you added this;

Unless you have a novel CMS concept, it is typically foolish to build a CMS on your own. Aside from the futility of reinventing the wheel, a single person is rarely qualified to fully comprehend the security implications of their own code.

You brought in an 'in principle' aspect to the thread, by basically advocating the use of an "off the shelf" product rather than a bespoke solution, and it is in that 'in principle' vein that I asserted that bespoke software is intrinsically, that's intrinsically NOT absolutely, going to be more secure than software that is available for examination.

The comparison of closed source Windows and Open Source Linux is rather fatuous in this discussion, simply because the compiled code of Windows is easily obtainable for 'reverse engineering' and testing for exploitable code segments with the 'cracker' not even leaving the comfort of their bedroom. PHP or any server-side code that is not 'Open Source' has to be tested in-situ, and provided that 'half-decent server security is in place, the 'brute-force' testing should be blocked before any weakness is identified. Open Source is a 'double edged sword' where software security flaws are concerned, on the one hand the malcontent's CAN find flaws and test them with relative ease whilst on the other hand the 'good guys' CAN also find, test and warn (or 'patch') these flaws with the same relative ease.

And yes I agree wholeheartedly that the justification or evidential points for my statement are [from your point of view] anecdotal, but they are my experiential evidence or anecdotes if you prefer and I am willing to stand by them.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[spamjim]

You brought in an 'in principle' aspect to the thread, by basically advocating the use of an "off the shelf" product rather than a bespoke solution, and it is in that 'in principle' vein that I asserted that bespoke software is intrinsically, that's intrinsically NOT absolutely, going to be more secure than software that is available for examination.

Aha. I see the communication problem. My initial post did not advocate any particular off the shelf product. My initial post pointed out the benefit of multiple sets of eyes on the development. A bespoke CMS can have multiple sets of eyes as well. Anyone learning to create their own CMS is going to be looking at the code of existing CMS or following some sort of training/tutorial. None of us develop in a vacuum. If we do, our work likely sucks.