Archive for the ‘Web Apps’ Category

Top 5 Open Source PHP Content Management Systems

Friday, August 13th, 2010
Posted in Web Apps

I wouldn’t consider this list to be the best, just the ones that have become the most popular. Some of these CMSes became popular because they were good, but many have become pretty bloated over time. However, since people know them, they are highly customizable and very powerful, and they have huge communities behind them. But as you know, what’s popular today on the internet will soon change. After all, back in the early 00s PHP-Nuke was the most popular open source PHP CMS.

  1. Drupal – Even though it’s very popular, Drupal has a slightly steep learning curve and its usability isn’t what it could be. However, you don’t need to know how to code to get things done. There are a lot of plugins to do almost everything you want, but since they aren’t official plugins you are at the mercy of the developer if they break or if you need a feature added to them (unless you know how to modify the code). It’s possible to make your own plugins as well.
  2. Joomla! – Like Drupal, you won’t need to know how to code to use Joomla, but you can make your own plugins if you want to get in and code. There are a lot of plugins, but many of them cost money. The interface is a little more intuitive than Drupal’s, but not exactly elegant.
  3. WordPress – Although it’s primarily used as a blogging platform, the custom fields, custom post types and custom taxonomies features allow you to use it like a CMS. Plenty of great free plugins and themes exist. Plus, if you want to get into the code, you can build your own plugins or just modify your templates. WordPress is a personal favorite of mine. 😉
  4. XOOPS – Another popular CMS, but the themes aren’t as customizable as I would like. Still, it’s got a lot of features and the admin is easy to use.
  5. MediaWiki – Even though it’s really a wiki, many sites have used it like a CMS. When Webmonkey relaunched their site, it was built on MediaWiki.

Most of these CMSes, I believe, are popular because they are very flexible. With a little training a non-technical user can create content like blogs, site news, an online book, FAQs, RSS feeds and more. Along with that, some offer standard community features such as forums and comments. With a little coding, the developers who set them up can extend the functionality beyond what was intended. The ones on the list above have been the most popular since 2006 and have maintained their popularity since then. But I don’t believe all of them will remain in the top 5 in another 5 years.

Honorable Mentions

List of Reserved Login or Bad Usernames

Tuesday, May 18th, 2010
Posted in Web Apps

The following are names you might want to prevent from being used, not only by regular users but also by anyone who uses the admin area of your site.

about, aboutus, admin, administer, administor, administrater, administrator, anonymous, auther, author, blogger, contact, contactus, contributer, contributor, cpanel, delete, directer, director, editer, editor, email, emailus, guest, info, loggedin, loggedout, login, logout, moderater, moderator, mysql, nobody, operater, operator, oracle, owner, postmaster, president, registar, register, registrar, root, signout, test, user, vicepresident, webmaster

A few of them are misspellings or typos, some are common login names, some are names attackers usually try when breaking in, and the rest are names regular users shouldn’t have because they would appear to be someone they are not. Of course, you may also want to block any name starting or ending with admin or moderator.

This is a good list to start with; share any others if you like. I didn’t include any cusswords, but it’s a good idea to put those in another table and make sure people don’t use them as a username or as part of one. Also, this list assumes that the shortest username is 4 characters long and that only letters and numbers are allowed.
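As an added example (not code from the original post), here is a validator that applies the reserved list above together with the rules the post describes: at least 4 characters, letters and digits only, and nothing that starts or ends with admin or moderator. The function and constant names are my own.

```php
<?php
// Added example, not code from the original post: a validator that applies
// the reserved list above together with the rules the post describes
// (4+ characters, letters and digits only, nothing starting or ending
// with "admin" or "moderator"). Function and constant names are my own.

// The reserved names from the post, all lowercase for comparison (PHP 5.6+ for const arrays).
const RESERVED_USERNAMES = array(
    'about', 'aboutus', 'admin', 'administer', 'administor', 'administrater',
    'administrator', 'anonymous', 'auther', 'author', 'blogger', 'contact',
    'contactus', 'contributer', 'contributor', 'cpanel', 'delete', 'directer',
    'director', 'editer', 'editor', 'email', 'emailus', 'guest', 'info',
    'loggedin', 'loggedout', 'login', 'logout', 'moderater', 'moderator',
    'mysql', 'nobody', 'operater', 'operator', 'oracle', 'owner', 'postmaster',
    'president', 'registar', 'register', 'registrar', 'root', 'signout', 'test',
    'user', 'vicepresident', 'webmaster',
);
// Words that may not appear at either end of a username.
const RESERVED_AFFIXES = array('admin', 'moderator');

// Returns null when the username is acceptable, otherwise a short reason.
function reserved_username_reason($username)
{
    $name = strtolower(trim((string) $username));

    // At least 4 characters, ASCII letters and digits only.
    if (!preg_match('/^[a-z0-9]{4,}$/', $name)) {
        return 'must be at least 4 letters or digits';
    }
    // Exact, case-insensitive match against the reserved list.
    if (in_array($name, RESERVED_USERNAMES, true)) {
        return 'reserved name';
    }
    // Anything that starts or ends with admin/moderator (siteadmin, moderator2).
    foreach (RESERVED_AFFIXES as $affix) {
        $len = strlen($affix);
        if (substr($name, 0, $len) === $affix || substr($name, -$len) === $affix) {
            return "may not start or end with '$affix'";
        }
    }
    return null;
}

// Constructed sample inputs.
foreach (array('alice42', 'Admin', 'siteadmin', 'moderator2', 'ab', 'ro-ot', 'webmaster') as $candidate) {
    $reason = reserved_username_reason($candidate);
    printf("%-11s %s\n", $candidate, $reason === null ? 'ok' : 'rejected: ' . $reason);
}
```

Only alice42 passes; the others are rejected for being reserved, carrying a reserved prefix or suffix, being too short, or containing a character outside letters and digits.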

WordPress Email Exposure

Tuesday, November 3rd, 2009
Posted in Web Apps

I’ve noticed that WordPress’s blog-by-email feature can allow anyone to see other people’s email addresses. The feature is turned on in the admin under Settings -> Writing, then Post via e-mail. Let’s say you set that email address to wordpressposts@example.com; that address itself stays hidden. However, anyone who emails that address can have their own address exposed on your blog to whoever visits http://example.com/wp-mail.php (assuming WordPress is installed at http://example.com). Chances are most people have this set up as a cron job that checks the mailbox every so often, but it is possible for others to request the page before the cron job runs. When you do go to that page, it shows something like this:

Author is myworkaddress@example.net

Author: 1

Posted title: Some Blog Post Title

Mission complete. Message 1 deleted.

Thus, if you are emailing wordpressposts@example.com from an address you’d like to keep private, that address may be shown to people. That is not good if you email from the same address that checks the posts. It is even worse if you email from the address of a WordPress user who has the rights to post content, because the post will get “publish” status rather than “pending” and will go live on the site. And if someone knows the email address of a user with posting rights, they can easily send fake emails from that address, because all WordPress checks is the From or Reply-To line (whichever it finds first).

It’s easy to stop it from showing email addresses by opening wp-mail.php and looking for this line of code

echo '<p>' . sprintf(__('Author is %s'), $author) . '</p>';

And this line of code

echo "\n<p>" . sprintf(__('<strong>Author:</strong> %s'), esc_html($post_author)) . '</p>';

And then you could comment those lines out by putting // in front of both of them.

I understand WordPress outputs this information so you can see a log from any cron jobs you have set up, or when you visit the page manually, as a way of knowing what’s going on. However, it could be done better so the addresses aren’t shown to everyone. A simple solution is to require a query string with a secretkey (don’t make this your blog’s password, however). For example, let’s say your blog is installed at http://example.com/; we are now going to require the following URL to check posts via e-mail: http://example.com/wp-mail.php?secretkey=abc123. If a request doesn’t carry the right secretkey, the script won’t check the mailbox or echo anything out.

So before this line of code

/** Make sure that the WordPress bootstrap has run before continuing. */

Let’s add

// Refuse the request unless the key is present and matches exactly (isset() avoids a
// notice when the parameter is missing; !== avoids PHP's loose-comparison surprises).
if (!isset($_GET['secretkey']) || $_GET['secretkey'] !== 'abc123')
    exit();

Feel free to change the secretkey to whatever you wish. You can also call the parameter something other than secretkey. If you have a cron job, you’ll have to point it at the new URL as well: http://example.com/wp-mail.php?secretkey=abc123. If you use the secretkey method you can leave in the lines that echo the email address if you like (the 2 lines I showed you could comment out).
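A stricter form of the same gate, added here as an example rather than taken from WordPress or the original post: it assumes wp-config.php defines a constant named WP_MAIL_SECRET (a name chosen here, not a WordPress constant), and that the block sits in wp-mail.php right after the require of wp-load.php, since that is what loads wp-config.php. It also assumes PHP 5.6 or later for hash_equals().

```php
<?php
// Added example, not WordPress code and not from the original post: a stricter
// secret-key gate for wp-mail.php. Assumes wp-config.php contains
//     define('WP_MAIL_SECRET', 'a-long-random-string');
// (WP_MAIL_SECRET is a name chosen here, not a WordPress constant) and that
// this block is placed right after wp-mail.php's require of wp-load.php,
// which is what loads wp-config.php. Needs PHP 5.6+ for hash_equals().

// A missing key, or ?secretkey[]=x (which arrives as an array), counts as wrong.
$supplied = isset($_GET['secretkey']) && is_string($_GET['secretkey'])
    ? $_GET['secretkey'] : '';

// hash_equals() compares in constant time, so response timing doesn't leak the key.
$key_ok = defined('WP_MAIL_SECRET') && hash_equals(WP_MAIL_SECRET, $supplied);

if (!$key_ok) {
    // Refuse before the mailbox is touched and without printing anything.
    http_response_code(403);
    exit();
}
```

Keeping the key in wp-config.php means it never appears in the editable script, and the cron job still only needs the URL with ?secretkey=... appended.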

phpBB 3.x RSS Hack

Monday, February 2nd, 2009
Posted in Web Apps

Where I work we use phpBB, and I was surprised to see that version 3 didn’t have built-in RSS support. I found a mod, but it contained several files and required modifying several more. I put together a hack that pulls the latest posts that are approved and not reported; however, it keeps them unique to a topic. So if the last 5 posts are in a topic called “That is awesome”, it will only show a link to the last post in that topic and will look for the other latest posts in other topics.

It’s configurable with an item_limit (number of posts to pull) and a word_limit (how long the description is). However, the description is just the title of the last post, so it will most often be “RE: original post title” unless the user changes it when posting. I could have done another query in a loop against the phpbb_posts table and pulled out the corresponding post_text, but I didn’t want the overhead. You could easily add that in and cache the file for, say, 5 or 15 minutes. Think of this as a head start for getting feeds out of your forum for whatever you plan to do with them. 😉


A More Useful WordPress 404

Sunday, November 23rd, 2008
Posted in Web Apps

Recently, A List Apart ran an article by Dean Frickey titled A More Useful 404. It was a good article about making a 404 page that attempts to figure out what went wrong and emails you some information. I ported the code from Perl to PHP for WordPress and figured I’d save people the time of building it themselves by posting it here. Feel free to edit what you need to. The code goes inside your 404.php template.

<?php
// based on http://www.alistapart.com/articles/amoreuseful404
// Strip characters that could be used to spoof e-mail headers or inject extra
// lines into the notification mail (newlines, tabs, @, angle brackets). These
// must be in double quotes: in single quotes '\t' and '\n' are the two literal
// characters backslash and t/n, so the original array never removed real tabs
// or newlines.
$disallowed_strings = array('@', "\t", "\r", "\n", "\v", "\f", '<', '>');
// The Referer header is optional, so default it to '' to avoid a notice.
$raw_referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$clean_server_name = preg_replace('/[^a-zA-Z0-9\-\.]/', '', $_SERVER['SERVER_NAME']);
$clean_http_referer = str_ireplace($disallowed_strings, '', $raw_referer);
$clean_request_uri = str_ireplace($disallowed_strings, '', $_SERVER['REQUEST_URI']);
$search_engine_domains = array('google.com', 'images.google.com', 'translate.google.com', 'yahoo.com', 'ask.com', 'live.com', 'aol.com', 'search.msn.com'); // add more if you want
$search_message = '<p>You may want to try searching this site or using our <a href="' . get_bloginfo('url') . '/sitemap/">sitemap</a> to find what you were looking for.</p>'; // if you have a sitemap
?>
<p>Sorry, but the page you were trying to get to <!--http:// ,--> does not exist.</p>
<?php
if ($raw_referer == '') {
?>
<p>It looks like this was the result of either</p>
<ul>
<li>a mistyped address</li>
<li>or an out-of-date bookmark in your web browser.</li>
</ul>
<?php
    echo $search_message;
} else {
    // Reduce the referer and this blog's URL to bare host names so they can be compared.
    $disallowed_url_strings = array('http://', 'https://', 'www.'); // filter out https:// anyway
    $referer = str_ireplace($disallowed_url_strings, '', $raw_referer);
    $referer_array = explode('/', $referer);
    $referer = $referer_array[0];
    $myblog_url = get_bloginfo('url');
    $myblog_url = str_ireplace($disallowed_url_strings, '', $myblog_url);
    $myblog_url_array = explode('/', $myblog_url);
    $myblog_url = $myblog_url_array[0];
    if ($referer === $myblog_url) {
?>
<p>Apparently, we have a broken link on our page. An e-mail has just been sent to the person who can fix this and it should be corrected shortly. No further action is required on your part.</p>
<?php
        // Only the filtered values go into the mail, so a crafted Referer cannot add headers.
        $email_subject = 'Broken link on my site, ' . $clean_server_name;
        $email_message = 'BROKEN LINK ON MY SITE' . "\r\n\r\n" . 'There appears to be a broken link on my page, ' . $clean_http_referer . " \r\n\r\n" . ' Someone was trying to get to ' . $clean_request_uri . ' from that page.';
        $email_message .= "\r\n\r\n" . 'Why don\'t you take a look at it and see what\'s wrong?';
        mail(get_bloginfo('admin_email'), $email_subject, $email_message, 'From: 404@example.com');
    } else {
        // see if it was a search engine
        if (in_array($referer, $search_engine_domains, true)) {
?>
<p>It looks like the search engine has returned a link to an old page. These old links should eventually be removed from their indexes but since these are automatically generated there is no one to contact to try to correct the problem.</p>
<?php
            echo $search_message;
        } else {
?>
<p>Apparently, there is a broken link on the page you just came from. We have been notified and will attempt to contact the owner of that page and let them know about it.</p>
<?php
            echo $search_message;
            $email_subject = 'Broken link on somebody else\'s site.';
            $email_message = 'BROKEN LINK ON SOMEBODY ELSE\'S SITE' . "\r\n\r\n" . 'There appears to be a broken link on the page, ' . $clean_http_referer . " \r\n\r\n" . ' Someone was trying to get to ' . $clean_request_uri . ' from that page.';
            $email_message .= "\r\n\r\n" . 'Why don\'t you take a look at it and see if you can contact the page owner and let them know about it?';
            mail(get_bloginfo('admin_email'), $email_subject, $email_message, 'From: 404@example.com');
        }
    }
}
?>