Darren Peter Smith's Web Development Lab
Custom CMS
I am in the process of programming a custom CMS using PHP and MySQL in order to learn more about CMS systems and the issues that such a project involves. I'm finding it very educational, especially with regard to security issues, which are very important for a CMS.
Currently the application has a functioning database which allows an administrator to add, delete and edit pages which are then displayed to a visitor inside a template. It's possible to have multiple templates available, and currently these can be switched by changing a single variable inside a config file.
Each page has its own URL, which is stored in the database tagged as a 'shorturl'. Upon visiting the page, the address entered by the user is rewritten by Apache's mod_rewrite module using the following code:
RewriteEngine On
RewriteCond %{REQUEST_URI} \/([0-9a-z]+)$ [NC]
RewriteRule ^(.*) index.php?shorturl=%1 [L]
Since the rewrite is internal, the user believes the page they are visiting is http://www.domain.com/page while this has been invisibly rewritten to http://www.domain.com/index.php?shorturl=page.
The PHP page at index.php then grabs the shorturl variable from the HTTP request (escaping it to protect against SQL injection attacks) and performs a database query for pages (stored in the database) tagged with this 'shorturl'. If a matching page is found, its 'page' field (containing the HTML content for the page) is loaded into a variable and displayed at the appropriate point in the template.
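One way to write the lookup described above, as an added example rather than the CMS's own code: it binds the shorturl as a query parameter instead of escaping it, and repeats the RewriteCond character check inside PHP, because index.php can also be requested directly without passing through the rewrite. The `pages` table name, the function names and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: a `pages` table with `shorturl` and `page` columns. An in-memory
// SQLite database stands in for MySQL so the example runs offline.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE pages (shorturl TEXT PRIMARY KEY, page TEXT NOT NULL)');
    $pdo->exec("INSERT INTO pages VALUES ('about', '<h1>About</h1>')"); // constructed row
    return $pdo;
}

// Returns the stored HTML for a shorturl, or null if it is absent or malformed.
function load_page(PDO $pdo, $shorturl): ?string
{
    // Re-check the character set the RewriteCond allows ([0-9a-z]+ with [NC]).
    // A direct request to index.php skips the rewrite, and PHP turns
    // ?shorturl[]=x into an array, so the type is checked as well.
    if (!is_string($shorturl) || preg_match('/\A[0-9a-z]+\z/i', $shorturl) !== 1) {
        return null;
    }
    // The value is bound as a parameter; it never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT page FROM pages WHERE shorturl = :shorturl');
    $stmt->execute([':shorturl' => $shorturl]);
    $html = $stmt->fetchColumn();
    return $html === false ? null : (string) $html;
}

$pdo = open_demo_db();
// Constructed inputs: a stored shorturl, a missing one, a quote-bearing string, an array.
foreach (['about', 'missing', "about' OR '1'='1", ['about']] as $input) {
    $html = load_page($pdo, $input);
    printf("%-22s => %s\n", json_encode($input), $html === null ? '404' : 'found');
}
```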
The administrative pages are loaded in the same way; however, these pages are hard-coded in PHP and then stored in the database using an install script during the initial configuration of the CMS.