Not-Noticeably.net


"I wrote my own CMS!1!!" - part 2

16th February 2008 / 22:57

Tagged: CMS, Geekiness, MySQL, PHP, PHPAskIt, Rambling, Rants, Ruby, Security, Serious Stuff, WebDev, WordPress

You may remember my last rant about people who have written their own CMS, in which my point was pretty much that people are copying a simple blog tutorial and saying it's a CMS.

In part two of this thrilling instalment[1], I revisit the topic of the custom CMS to rant about the latest craze - which is... well... writing one's own CMS. Everyone and their dog seems to want to do it. It's the thing to do to earn cool points and tell everyone how great you are. I should know, I've done it.

But what I am seeing at the moment is people who have no idea what they're doing. People who simply want to make a CMS because it's cool. When I wrote this CMS, I did it after almost 3 years of being comfortable with the language, knowing exactly what I wanted and what each function does and why. I knew the security implications involved in it, the problems I might experience, the limitations of what I had to work with, etc. I didn't even write my first script until I'd been comfortable with the language for two years. Editing, picking apart other scripts was fine, but my own script? If you ever saw PHPAskIt v1 (it's still out there, worryingly enough) you'll know I wasn't even ready then. However, I'll still admit I only wrote this CMS because I was totally jealous of Jem it was cool. :(

As you may or may not know, I have been learning Ruby on Rails for the past 6 months or so. I am fairly familiar with it at the moment but I am freely able to admit that I am not under any circumstances ready to undertake as large a project as a CMS in it. I don't know how RoR can be exploited, I don't know what sort of problems there are by using X rather than Y - I just don't know enough at the moment. I'm comfortable hacking about existing scripts and adding on little bits and pieces, but that's it.

So my point today is this: before you decide "zomg!1 I must write a CMS!1!!", ask yourself the following questions:

  1. I'm going to be using PHP and MySQL. Do I have enough knowledge in these areas to make my CMS work?
  2. Do I know what the limitations of my server/host/databases are?
  3. Will I have access to PHP4 or 5? What's the difference?
  4. Why am I writing a CMS in the first place? What do I need it to do that others out there can't?
  5. What do I know about security, particularly remote file inclusion, XSS and SQL injection? How will my CMS deal with these areas?
  6. I want my CMS to do X, Y and Z. Do I know how I can achieve this?

If you're unsure of the answers to any of these questions, my advice would be you're not ready yet. Keep looking at existing scripts and see how they're doing things. Search the internet for vulnerabilities in those scripts and how they are exploited to ensure it doesn't happen to you. Get friends to try and break your script as much as they possibly can. I can guarantee that some things normal internet users might do, you'll never think of - for example I found people were trying to go to non-existent tags on my site or page numbers that didn't exist and it caused my site to break.
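
The non-existent tag and page number case mentioned above, handled with input validation, bound parameters and a 404 instead of a broken page. This is an added example, not code from this site's CMS: the table, function names and sample rows are constructed, and in-memory SQLite stands in for MySQL so it runs offline.

```php
<?php
// Added example: schema, names and sample rows are constructed for illustration.
// SQLite in memory stands in for MySQL; the PDO calls are the same for both.
const PER_PAGE = 2;

function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, tag TEXT)');
    $ins = $db->prepare('INSERT INTO posts (title, tag) VALUES (?, ?)');
    foreach ([['First', 'php'], ['Second', 'php'], ['Third', 'php'], ['Fourth', 'rants']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Returns [status, rows]. Anything unexpected becomes a 404 rather than an error page.
function list_posts(PDO $db, $tag, $page): array {
    // Tag: a short slug of lower-case letters, digits and hyphens only.
    if (!is_string($tag) || !preg_match('/\A[a-z0-9-]{1,32}\z/', $tag)) {
        return [404, []];
    }
    // Page: whole number from 1 upwards; rejects "abc", "-1", "1.5", "0" and arrays.
    $page = filter_var($page, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100000]]);
    if ($page === false) {
        return [404, []];
    }
    // Bound parameters: request data never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT id, title FROM posts WHERE tag = :tag ORDER BY id LIMIT :lim OFFSET :off');
    $stmt->bindValue(':tag', $tag, PDO::PARAM_STR);
    $stmt->bindValue(':lim', PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // A well-formed request for a tag or page that does not exist is also a 404.
    return $rows ? [200, $rows] : [404, []];
}

$db = demo_db();
// Constructed requests: valid, second page, page past the end, unknown tag,
// junk page, injection-shaped tag, array where a string was expected.
$requests = [['php', '1'], ['php', '2'], ['php', '99'], ['nosuchtag', '1'],
             ['php', 'abc'], ["php' OR '1'='1", '1'], ['php', ['x']]];
foreach ($requests as [$tag, $page]) {
    [$status, $rows] = list_posts($db, $tag, $page);
    // Escape request data before echoing it back so it cannot carry markup (XSS).
    echo $status, ' tag=', htmlspecialchars($tag, ENT_QUOTES, 'UTF-8'), ' rows=', count($rows), PHP_EOL;
}
```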

However, don't think I'm discouraging you from writing a CMS (much :P ). A CMS is the perfect way to develop confidence in a programming language and to learn more about it than you ever could have otherwise. By all means start trying to write your own CMS and learning techniques to make it work the way you want to - but here's the important part: don't put it online. Install yourself a web server (I have XAMPP - very easy to install, has everything you need and installs in a single click. Mac OS X has built-in web server features but you can get XAMPP and other similar packages for it if you're not entirely sure how to use the built-in stuff, I must admit it's always confused me) and develop your up-and-coming CMS there; learn how to interact effectively with MySQL and all that in your own time without hacker types lurking everywhere and undoing all your hard work. I made the mistake of writing the first version of PHPAskIt online and ended up with all sorts of security issues. While I was writing the CMS, it stayed offline for 8 months because I didn't feel it was secure enough to go online - would my host tell me off for too many database queries? Would my PHP version and theirs clash?

Don't think you have to write a CMS just because "everyone else is doing it". You need to feel you can do it and that there is actually a point to doing it. If WordPress or similar does everything you need, is it really necessary? There is no shame whatsoever in using WP. The only reason I stopped using it is because it started to take over my site in ways I really didn't like and I'd modified it so much in the end that every time there was an upgrade I had to update each file individually to make sure it didn't mess with my changes. You also need to make sure you know what you're doing and why you're doing it. If you don't know the slightest bit about PHP, it really isn't worth it.

[1] *Cough*

Comments (14)

  1. Niki
    16/02/2008 at 23:32

    Bleh. I'm too lazy to code anything and besides, I need more experience. Much more than I have right now.

    I guess it's just me and good ol' WordPress. And it needs an update. Stupid 2.3.3.3.3.3.3.3.3.3s

  2. Chien Yee
    17/02/2008 at 1:16

    I'm just like Niki. Too lazy, and haven't updated WordPress :P
    But I do want to make my own CMS for experimental purposes.

  3. Kaylee
    17/02/2008 at 4:38

    There was a time when I wanted to write my own CMS, but I quickly realized that I had no idea what PHP and MySQL really were and it wasn't as easy as coding a simple webpage.

  4. Hanna
    17/02/2008 at 11:17

    If I ever make my own CMS, I think I'd start from a little bit smaller project to learn the basics. As you said, it's good to know what you're doing. Plus, currently TXP is just fine for me.

  5. Kristina
    17/02/2008 at 11:51

    What Kaylee said.
    I'd probably be careless enough to leave a load of holes and bugs in my script.

  6. Jem
    17/02/2008 at 13:28

    Although you know I totally agree, I actually am content to sit back and watch these people put up their CMSeseses and then realise 2-3 weeks down the line that they're being spammed to shit and there isn't a damned thing they can do about it, because in reality they're working with a language they know nothing about.

    I say code your own CMS.. go forth and prove to the world that what you have to offer is better than WordPress or Textpattern or whatever - but you best get it right offline first because you'll be suffering if you don't.

  7. Jenny
    17/02/2008 at 13:43

    Hehe at Snark. :P

    To be honest, I've only ever coded "one" CMS but that was for an entirely different thing. It wasn't for me, or it wasn't mainly focused on the journal — it manages the content of the site, which is why I label it as a "CMS". It took the piss, too, which is — I believe — one of the primary reasons I label it a "CMS". :P

    I'm not sure I like the blog->CMS idea. It's kind of like grouping everything that can update/edit/delete together and 'tis slightly misguided.

  8. Vera
    17/02/2008 at 14:17

    I did briefly entertain the idea of coding my own CMS, but I don't find anything wrong with WordPress... well, aside from the long loading time of the admin panel (and even that not always).

    I always thought of the spam, where I couldn't really find any set algorithm, plus... all that comment moderation and...

    OK, I'm lazy and WP is just fine for me. The only thing I changed were the theme files and the functions (for the smileys).

  9. Christine
    17/02/2008 at 18:35

    I'm constantly trying to learn new things, but oh boy, I'm worlds away from even attempting something like that. It might be fun to play around w/ it one day, cause I use my site for a webcomic. And to manage it, I use a comic press theme via WordPress.. so it's like.. twice as hard to update change ~_~ but yah. prolly never. I definitely admire those who can tho.

  10. Matt
    19/02/2008 at 21:21

    I agree with this x73836383 :P I just don't see the point.

    I have a love/hate relationship with WordPress at the moment and *eventually* I do want to code my own CMS (I wouldn't have learnt CSS or anything if I had just carried on using Frontpage forever... I like learning new things :P) however this won't be for many, many years! I've "played" with PHP before - editing scripts, modifying/hacking forums etc. but nothing major. I've read a couple of tutorials and all that jazz but honestly I don't know anywhere near enough to be able to code ANY script at the moment.

    People should stick with the safe alternatives.

  11. Annie
    20/02/2008 at 22:39

    I agree with you. I doubt I'd ever attempt to write my own CMS because WordPress does the job, and I probably wouldn't dedicate the time and effort to write one. :D

  12. Stephen
    21/02/2008 at 1:22

    I think you come across too negatively in your post, dissuading people from something which could teach them a lot. As a way to learn a language, a CMS is a great project! You do say:

    A CMS is the perfect way to develop confidence in a programming language and to learn more about it than you ever could have otherwise

    but you kind of stress that writing a CMS in general is a bad idea.

    The best way to learn anything is to sit down and actually try to use it. Simply reading a book just isn't going to do it. As a project which spans a fairly thorough use of PHP and MySQL, it's a great thing to dive into and learn those things.

    A lot of the comments are along the lines of "WP is good enough for me" or "I'd do a bad job anyway", but you should look at such a project as a learning experience, rather than actually trying to replace a major 3rd-party CMS system.

    Of course, there are those who write their own and stick it online, convinced that it's better, and perhaps that's a type of learning experience too ;) The bit which really matters is your point:

    here's the important part: don't put it online

  13. Melissa
    29/02/2008 at 21:41

    Excellent points, Amelie. I definitely agree with you and you give some great advice as well.

    I never thought that writing a script (anything, not just a CMS) would be insanely easy but I've definitely become more realistic lately about just how much work goes into it.

    I've been dabbling in writing a flat file fanlisting collective over the past couple of weeks and zomg, while it's been one of the best times I've ever had writing code, it's been one big pain in the ass at the same time, lol. :P

    The reason why I don't think I fall into the "zomg, I'm leet I ritez php n' stuff!!1one!" category is because I very much respect and believe in the advice given by you and others who HAVE the experience in these things. I have no shame in admitting that I'm a complete nooblet and that it will take me a loooong time to be as savvy as you all. :P

    The stuff that you (ok and Jem, hehe) write about the realities of creating a script stick in the back of my mind ALL the time as I've been coding my collective. So much so that I'm always going back over bits and functions thinking "zomg what have I missed, will they tear this apart, what can be broken" because I really do understand the importance of security, etc, from how often it's been stressed in your/their articles.

    I would like to eventually take on writing a CMS...or rather just a blog, I guess. But not to be part of a leet crew, like is apparently the goal of a lot of hopefuls, lol. But mostly because I've realized, while writing this collective, just how much fun it is and how much I enjoy being able to manipulate my own content. That will probably be a long time coming though, as I have lots more research to do and things to figure out.

    Omg, I've almost written a blog entry. XD Forgive meeee! Bottom line, again, I agree with you. :)

    Have a lovely weekend, Amelie!

  14. Rilla
    6/03/2008 at 21:43

    I don't think I ever really sat down and asked myself any of those questions. I blogged using WP initially (elsewhere) and my only problem with it was that I didn't know how to create pages with WP that requires implementing some PHP coding so I just plunged into coding something else. I still don't know what security precautions I should have on my CMS so um... Wait till everything breaks down someday. :P

    And like Vera, I still don't know any spam blocking algorithm blah. The one time I tried taking my code verification down for 5 minutes I got some 20 spam comments. T_T
