Try out my CMS/Blogging Tool

Jack Franklin · #1 Jan 13th, 2008, 12:47

Hey all, I'm sorry if this is not allowed, but I remember someone else posting a similar thread before, asking people to try out his CMS. As my first PHP project (alongside simonb) it was quite a challenge, I think it has taken about a week overall.

You can view the front end here:
cms.penguin-cms.com
And log in here:
cms.penguin-cms.com/backend

Username: bob
Password: test

I know that when you log in it displays that crappy screen, I have not got round to doing that bit yet

Once again, if this is breaking the rules on advertising, then please just say.

JAck

alexgeek · #2 Jan 13th, 2008, 13:03

No we allow this.
I've done it too.
I'll try it for you now, I'll let you know.

Jack Franklin · #3 Jan 13th, 2008, 13:06

Ok cheers

alexgeek · #4 Jan 13th, 2008, 13:14

Feedback time!

1. Great work, I can tell you've put a lot of effort in.
2. You're CMS does not seem to vulnerable to SQL injection but I can make sure if you post your login script or send it to me.
3. It correctly filters PHP so no attacks can be made that way.
4. I was able to upload a PHP file (Bad!) but on trying to run (don't worry it was only to print "lolol") I got an internal server error. It would be better to only allow images etc. Not PHP files!
5. You can only edit one note, and editing it changes all notes to the same one.

Marc · #5 Jan 13th, 2008, 13:23

I pretty much agree with Alex...

Jack Franklin · #6 Jan 13th, 2008, 13:31

Quote:

Originally Posted by alexgeek

Feedback time!

1. Great work, I can tell you've put a lot of effort in.
2. You're CMS does not seem to vulnerable to SQL injection but I can make sure if you post your login script or send it to me.
3. It correctly filters PHP so no attacks can be made that way.
4. I was able to upload a PHP file (Bad!) but on trying to run (don't worry it was only to print "lolol") I got an internal server error. It would be better to only allow images etc. Not PHP files!
5. You can only edit one note, and editing it changes all notes to the same one.

1. Thanks

2. Good. I'll PM you the script later.
3.

4. I used a very basic script from a tutorial. I have no idea how to filter file types, if I post it can you have a look?
5. THe idea is that the notes is just literally a place for admin to write things, so they all edit one note really. It was just a quick idea I had. I'll change it so that each note is stored in a seperate row of the table.

Cheers

Jack Franklin · #7 Jan 13th, 2008, 13:35

The uploader is:

PHP: Select all


$path = "http://www.webforumz.com/images/".$HTTP_POST_FILES['ufile']['name'];
if($ufile !=none)
{
if(copy($HTTP_POST_FILES['ufile']['tmp_name'], $path))
{
echo "Successful<BR/>"; 
//$HTTP_POST_FILES['ufile']['name'] = file name
//$HTTP_POST_FILES['ufile']['size'] = file size
//$HTTP_POST_FILES['ufile']['type'] = type of file
echo "File Name :".$HTTP_POST_FILES['ufile']['name']."<BR/>"; 
echo "File Size :".$HTTP_POST_FILES['ufile']['size']."<BR/>"; 
echo "File Type :".$HTTP_POST_FILES['ufile']['type']."<BR/>"; 
echo "<img src=\"$path\" width=\"150\" height=\"150\">";
echo '<h5>File Location: images/' . $HTTP_POST_FILES['ufile']['name'] . '</h5>';
}
else
{
echo "Error";
}
}

I want it to allow most things, but block any .php files.

Would it be something like:

PHP: Select all


if ($HTTP_POST_FILES['ufile']['type']=php) {
echo '<p>NO!</p>';
} else {
upload the file...
}

alexgeek · #8 Jan 13th, 2008, 13:38

On looking at your login script I don't see any sql injection problems.
Will look at your uploader now.

alexgeek · #9 Jan 13th, 2008, 13:40

Hmm that's an old way of doing.
I use PHP5's $_FILES super global so I'm not really sure.

Jack Franklin · #10 Jan 13th, 2008, 13:44

I followed it in a tutorial. I'm looking for a better one on the web now.

Jack Franklin · #11 Jan 13th, 2008, 13:57

DID it

PHP: Select all


$path = "images/".$HTTP_POST_FILES['ufile']['name'];
if($ufile !=none)
{
if (($HTTP_POST_FILES['ufile']['type']=="image/gif") || ($HTTP_POST_FILES['ufile']['type']=="image/pjpeg") || ($HTTP_POST_FILES['ufile']['type']=="image/jpeg") || ($HTTP_POST_FILES['ufile']['type']=="image/png")) {
if(copy($HTTP_POST_FILES['ufile']['tmp_name'], $path))
{
echo "Successful<BR/>"; 
//$HTTP_POST_FILES['ufile']['name'] = file name
//$HTTP_POST_FILES['ufile']['size'] = file size
//$HTTP_POST_FILES['ufile']['type'] = type of file
echo "File Name :".$HTTP_POST_FILES['ufile']['name']."<BR/>"; 
echo "File Size :".$HTTP_POST_FILES['ufile']['size']."<BR/>"; 
echo "File Type :".$HTTP_POST_FILES['ufile']['type']."<BR/>"; 
echo "<img src=\"$path\" width=\"150\" height=\"150\">";
echo '<h5>File Location: images/' . $HTTP_POST_FILES['ufile']['name'] . '</h5>';
}
else
{
echo "Error";
}
} else {
echo "Incorrect File Type";
}
}

Now, how would I create one that did not allow PHP but allowed zip, pdf & doc?

Jack Franklin · #12 Jan 13th, 2008, 15:19

Quote:

Originally Posted by alexgeek

Feedback time!

5. You can only edit one note, and editing it changes all notes to the same one.

Quote:

Originally Posted by jackfranklin

5. THe idea is that the notes is just literally a place for admin to write things, so they all edit one note really. It was just a quick idea I had. I'll change it so that each note is stored in a seperate row of the table.

Changed. Each note now is in a seperate row of the database.

alexgeek · #13 Jan 13th, 2008, 15:22

Great. What are you plans for this project?

Jack Franklin · #14 Jan 13th, 2008, 15:27

Well I have set up an entire website and trying to get the word around that the official beta will be released today. I want people to test it, and then in 2-3 weeks, the first proper release V1.0 should be out. Then people can use it for their blogs.

At the moment the only tester is my brother :P

(If anyone wants to test it for me check out the website)

Jack

		Webforumz.com > Main Forums > Program Your Website > Scripts and Online Services
Try out my CMS/Blogging Tool