Custom Built Content Management System

Need some advice and expert opinion

Page 1 of 1

11 Replies - 1159 Views - Last Post: 15 August 2009 - 04:49 AM

#1 ayman_mastermind  Icon User is offline

  • human.setType("geek");
  • member icon

Reputation: 126
  • View blog
  • Posts: 1,860
  • Joined: 12-December 08

Custom Built Content Management System

Posted 11 August 2009 - 06:50 AM

Okay, here is the situation, I have already developed a website some time ago for a community I belong to. At that time I made a very serious mistake that I did not make it data driven, so we had to edit the html to update the website manually and this is a time consuming task and seems very unprofessional for a website that needs to be updated with content almost daily.

So we got to the decision of setting up a Content Management System for our site so that we can update it easily, more frequently and to save time so that in the mean while each concentrates on the task at hand. I will be responsible to setting up the system and what I have decided is to create a unique CMS for the site due to various reasons:

1. It would be specialy designed to fit exactly what we need and wont include functionalities we don't need.

2. More secure because well known CMSs have well known security vulnerabilities(altough ours may not be free of vulnerabilities but our CMS wont be available to the public so it wont be well known :P).

3. We would be able to keep our current website design without having to use a template that comes bundeled with an already made CMS.

4. I will be able to practice more Php and Mysql, apply them in a good way and gain more experience with these languages.

Afterall, all what we are doing on this site is to learn and apply our ideas in different feilds.

But here comes my problem:

I have started working on the CMS and I have some stuff done in it, the interface is ready, form validation is ready too, I have some mySql databases set up yet there are much more to set up, i have writen some of the Php scripts yet I have many more to finish. The problem is that we need that CMS as soon as possible, the CMS we have planned to set up is quite large yet very powerful once implemented in the mean while I am working on it very slowly due to lack of time as I have my work, college, other projects, developing a couple of other websites, and content for the site itself to get done knowing that this CMS is quite time consuming as it is not a CMS for a simple blog for example.

So I was thinking if it would be a good idea to change from building my own CMS to using an already made one such as drupal, or joomla. I dont have experience in already made CMSs and I dont know to what extent they are customizable, for instance I want the website theme to be fully customizable along with the layout etc... It would be even better if I could keep the same theme, and layout and apply upon it the chosen CMS. Furthermore, I would like to know if i could modify the functionalities of that CMS itself that is add, remove and modify features to fit our own need.

I would like to hear the opinion of you guys about my case, do you advise me to start using an already made open source CMS or just continue working with the one I just started with ? Have you ever used an already made CMS and had a good experience with it? Do you know of a CMS that is fully customizable by the developer? all your comments, ideas, thoughts, opinions and advices are welcome, thank you very much for your input :D

Is This A Good Question/Topic? 0
  • +

Replies To: Custom Built Content Management System

#2 BenignDesign  Icon User is offline

  • holy shitin shishkebobs
  • member icon




Reputation: 5750
  • View blog
  • Posts: 10,074
  • Joined: 28-September 07

Re: Custom Built Content Management System

Posted 11 August 2009 - 07:42 AM

My personal opinion is that custom built is worth the wait, but I understand your time constraint issues.

I have never tried Drupal and I despise Joomla with every ounce of my being.

I tried Joomla once in an attempt to speed things up, but only ended up making a three month project into a five month project because of time invested in learning the ins and outs of the Joomla system, how to edit and create the templates, digging through code to find one line here or one line there that needed text or color adjustments and surfing the net to find plugins to do what I needed it to do... only to have the client turn around and say the back end was too difficult... so we scrapped it and I built the whole thing over from scratch.

I kind of came to the conclusion that it's simply easier to build it all myself to begin with (this happened once before with a canned e-comm installation, too... different client though). So, aside from a random, sporadic WordPress install, I do all custom CMS work. It just makes my life easier.

Those are my thoughts on the subject... others may disagree.
Was This Post Helpful? 1
  • +
  • -

#3 gregwhitworth  Icon User is offline

  • Tired.
  • member icon

Reputation: 216
  • View blog
  • Posts: 1,602
  • Joined: 20-January 09

Re: Custom Built Content Management System

Posted 11 August 2009 - 07:47 AM

Quote

I tried Joomla once in an attempt to speed things up, but only ended up making a three month project into a five month project because of time invested in learning the ins and outs of the Joomla system,


AMEN!

I agree with Benign. And more important than time problems you have a GUI problem. Your custom design will usually be much more intuitive because it will ONLY have what the client wants and needs. Granted JOOMLA is very easily scalable and so is DRUPAL but both are programmed by other people and if you want to open the hood get ready for at least a couple of days, if not weeks trying to figure out how it runs.

Good Luck, <-- I used a comma - that makes you special (I usually use --)
Greg

This post has been edited by gregwhitworth: 11 August 2009 - 07:48 AM

Was This Post Helpful? 0
  • +
  • -

#4 mocker  Icon User is offline

  • D.I.C Regular
  • member icon

Reputation: 50
  • View blog
  • Posts: 466
  • Joined: 14-October 07

Re: Custom Built Content Management System

Posted 11 August 2009 - 08:33 AM

Here's a third vote for staying away from Joomla. I was in somewhat the same situation and had thought I'd 'just switch to Joomla so I wont have to manage the site'. Hah.. yea.. bad mistake. You spend more time trying to work around Joomla's system than doing anything productive.

A quick way to bootstrap your own cms is to use an existing template system. A full cms includes much more than a template system, but having one can let you fast track so you at least have something working. For PHP I'd probably recommend using Smarty
Any sort of CMS is going to need some sort of templating anyways, so might as well grab a proven one.
Was This Post Helpful? 0
  • +
  • -

#5 dsherohman  Icon User is offline

  • Perl Parson
  • member icon

Reputation: 226
  • View blog
  • Posts: 654
  • Joined: 29-March 09

Re: Custom Built Content Management System

Posted 12 August 2009 - 06:16 AM

View Postayman_mastermind, on 11 Aug, 2009 - 01:50 PM, said:

1. It would be specialy designed to fit exactly what we need and wont include functionalities we don't need.

A good CMS should allow you to easily remove (or at least hide) unneeded functionality, so it won't matter that it's there (unless you're getting usage so heavy that the extra abstraction of a generic program causes performance issues). On the flip side, it should also have a wide range of plugins available, allowing you to quickly and easily add any but the most exotic non-core functionality.

View Postayman_mastermind, on 11 Aug, 2009 - 01:50 PM, said:

2. More secure because well known CMSs have well known security vulnerabilities(altough ours may not be free of vulnerabilities but our CMS wont be available to the public so it wont be well known :P).

That's security by obscurity. If you write the code yourself, then it will be vulnerable to very basic attacks such as SQL injection, cross-site scripting, reflected javascript, etc. unless you really know what you're doing and take the time to implement the specific countermeasures needed to protect against them. If such basic vulnerabilities exist, any would-be attacker who stumbles across your site will crack it wide open within minutes.

A well-known CMS may have well-known vulnerabilities, but they won't be trivial exploits like the ones that tend to be found in new code and the CMS's security team will be actively working to deal with them. Follow the security mailing list, upgrade in a timely fashion, and you'll be far more secure on a widely-used, actively-developed open source CMS than you will be with something you wrote from scratch.

View Postayman_mastermind, on 11 Aug, 2009 - 01:50 PM, said:

3. We would be able to keep our current website design without having to use a template that comes bundeled with an already made CMS.

All the major open source CMS products are highly themeable. When I added the blog section to http://nomadnetinc.com/ I spent about a week installing, learning, and theming WordPress (I had never touched WP before). Aside from the footnote stating "Blog portion powered by WordPress and the Sandbox theme.", you'd probably never know from looking at the pages that the blog is in WordPress, while the rest of the site is static HTML.

View Postayman_mastermind, on 11 Aug, 2009 - 01:50 PM, said:

4. I will be able to practice more Php and Mysql, apply them in a good way and gain more experience with these languages.

Just MNSHO, but I expect you would probably have an easy time finding a more interesting project to practice with.

View Postayman_mastermind, on 11 Aug, 2009 - 01:50 PM, said:

So I was thinking if it would be a good idea to change from building my own CMS to using an already made one such as drupal, or joomla. I dont have experience in already made CMSs and I dont know to what extent they are customizable, for instance I want the website theme to be fully customizable along with the layout etc... It would be even better if I could keep the same theme, and layout and apply upon it the chosen CMS. Furthermore, I would like to know if i could modify the functionalities of that CMS itself that is add, remove and modify features to fit our own need.

Custom development is time-consuming and (unless done on a volunteer basis) expensive. Save it for your core competencies or places where you have a specific reason to differentiate yourself from others. (And I say this as someone who makes his living by doing custom software development.)

When I was setting up the blog on the NomadNet site, my original plan was to write my own custom blog software because, as a developer of custom software, I would then be able to use the blog as an interactive demonstration of my skills. I just set up WordPress as a stopgap so that I would have something there while I wrote my own. As things worked out, though, it's now six months later and WordPress has worked well enough that I've done very little towards writing my custom blogging software (and I've seen that I hardly blog at all anyhow), so it's probably not going anywhere anyhow.

On my personal site at http://sherohman.org/ I decided to try out Drupal instead and I have to say that I find it to be much better than WordPress as a general-purpose CMS, as well as being more-than-passable for blogging. It also appears to live up to its reputation for security.

My advice, then, would be for you to take a look at Drupal as an alternative to writing your own CMS, unless you're looking to either sell CMS development or become a recognized CMS expert. Starting from no knowledge of it, I would expect it should take between a week and a month (depending on how much time you can spend on it) for you to get up to speed, install/configure the core and any plugins you may require, and build yourself a custom theme. For the theme work, I found the Firebug plugin for Firefox to be invaluable, particularly for the "inspect" function, which lets you click an element on the page and immediately see all css that's being applied to it. Expect it to take a lot longer if you don't use that kind of tool to help with the theme css.
Was This Post Helpful? 0
  • +
  • -

#6 mocker  Icon User is offline

  • D.I.C Regular
  • member icon

Reputation: 50
  • View blog
  • Posts: 466
  • Joined: 14-October 07

Re: Custom Built Content Management System

Posted 12 August 2009 - 06:49 AM

Quote

A well-known CMS may have well-known vulnerabilities, but they won't be trivial exploits like the ones that tend to be found in new code and the CMS's security team will be actively working to deal with them.

True.. BUT, once an exploit is released, it gets turned into script kiddy fodder immediately. By far most hacks are done by automatically scanning for known exploits, not by randomly getting an actual skilled security expert making a time intensive attack on your site. That means, security by obscurity is more effective.. not to mention there is no reason you can't block the common vulnerabilites, it just takes some thought.

Quote

I would then be able to use the blog as an interactive demonstration of my skills. ...... WordPress has worked well enough that I've done very little towards writing my custom blogging software

If the purpose was to demonstrate your skills, the fact that an existing piece of software you did not write works has no relevance.

Also, wordpress isn't a CMS. It's blogging software. It works fine if your site IS your blog, but otherwise you need something else.
Was This Post Helpful? 1
  • +
  • -

#7 gregwhitworth  Icon User is offline

  • Tired.
  • member icon

Reputation: 216
  • View blog
  • Posts: 1,602
  • Joined: 20-January 09

Re: Custom Built Content Management System

Posted 12 August 2009 - 10:57 AM

Nice input from the both of you, and I think that both of you are right. It just depends on what the client wants and how quickly they want it done. Usually though dsherohman I have client that wants something totally jacked up that requires me to completely hack the current system to death and spend more time hacking it than it would take to just build a decent setup myself.

Security is always an issue no matter where or what you are using. And I personally think that a proven system will be more secure, because of the amount of people working on it. But it is a pick your poison kind of thing. So in the end I think it depends on the client and the project.

--

Greg
Was This Post Helpful? 0
  • +
  • -

#8 dsherohman  Icon User is offline

  • Perl Parson
  • member icon

Reputation: 226
  • View blog
  • Posts: 654
  • Joined: 29-March 09

Re: Custom Built Content Management System

Posted 13 August 2009 - 05:14 AM

View Postmocker, on 12 Aug, 2009 - 01:49 PM, said:

Quote

A well-known CMS may have well-known vulnerabilities, but they won't be trivial exploits like the ones that tend to be found in new code and the CMS's security team will be actively working to deal with them.

True.. BUT, once an exploit is released, it gets turned into script kiddy fodder immediately.

...which is why you need to follow the security mailing list and update in a timely fashion when patches are released.

View Postmocker, on 12 Aug, 2009 - 01:49 PM, said:

By far most hacks are done by automatically scanning for known exploits, not by randomly getting an actual skilled security expert making a time intensive attack on your site.

To take one of the most common current exploits, scanning random sites for vulnerability to XSS attacks is not a difficult thing to do and doesn't require knowing the software the site is running. (Find input field. Submit response containing XSS exploit as the value for that field. Check whether response contains your exploit code anywhere in the result document.) Exploiting an XSS vulnerability with such a scanner would be just as easy against a custom site as against something running a major CMS package - but the custom code would be far more likely to have an XSS vulnerability to exploit.

Keep in mind that we're not talking about buffer overflows here. You don't need to be an expert to put "xxx%3C%2Ftitle%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3C%2Fscript%3E" into a search box and see if the search result page gives you a javascript popup. (Exploit proof-of-concept derived from http://www.twitpwn.c...-tweetgrid.html )

Also consider that, when a vulnerability is found, if you're running a major CMS with tens of thousands of users, the odds of it getting fixed before someone uses it to exploit your site are pretty small. If it's found in your custom code that only you run, then you've already been exploited. Fixing it before you get hit isn't possible unless you (or a trustworthy friend) were the one to find it in the first place.

View Postmocker, on 12 Aug, 2009 - 01:49 PM, said:

there is no reason you can't block the common vulnerabilites, it just takes some thought.

...if you know what you're doing. My impression of the OP is that he's looking at this as a possible learning project, which implies that he's not well-versed in PHP/MySQL programming in general, much less doing it securely.

View Postmocker, on 12 Aug, 2009 - 01:49 PM, said:

Quote

I would then be able to use the blog as an interactive demonstration of my skills. ...... WordPress has worked well enough that I've done very little towards writing my custom blogging software

If the purpose was to demonstrate your skills, the fact that an existing piece of software you did not write works has no relevance.

I guess I could have phrased that more clearly... WordPress is working well enough on that site as a blog that I don't feel a strong need to replace it, even though it is not providing a demonstration of my skills. There are other, more productive (and more interesting) things I can work on instead.

View Postmocker, on 12 Aug, 2009 - 01:49 PM, said:

Also, wordpress isn't a CMS. It's blogging software. It works fine if your site IS your blog, but otherwise you need something else.

Indeed. Which is why, in my earlier post, I ultimately suggested Drupal to the OP as a CMS to consider and did not suggest WordPress.
Was This Post Helpful? 1
  • +
  • -

#9 ayman_mastermind  Icon User is offline

  • human.setType("geek");
  • member icon

Reputation: 126
  • View blog
  • Posts: 1,860
  • Joined: 12-December 08

Re: Custom Built Content Management System

Posted 14 August 2009 - 11:02 AM

First of I would like to thank you all for your valuable input, advice, and time spent on this topic, I downloaded Drupal and took a quick look and then started working on a sample(adding content, modules, editing the php, CSS etc... ), it seems to be a very good CMS but since I am new to using it, and due to my special case it will need lots of modification to make it work the way I want, and I wont be using an already made theme so I will have to spend time in creating my own theme and try to make it as similar as possible to the current one on the site too.

So I came up to the conclusion that working with Drupal or any CMS for my current case may take much more time than continuing writing my own CMS for the site. Because In my own CMS I will be concentrating more on the functionality of updating the content and the site's theme is planned to stay the same.

So I will be going with BenignDesign's, greg's , and mocker's advice although I found Drupal very useful for basic site's and blogs yet I will always prefer creating custom themes for it, maybe some time in the future I will use it for another site :)

Special thanks for dsherohman for you advising me to take a look at Drupal and mentioning your ideas and opinion ;)

Have a good day and hope to see you around :)
Was This Post Helpful? 0
  • +
  • -

#10 gregwhitworth  Icon User is offline

  • Tired.
  • member icon

Reputation: 216
  • View blog
  • Posts: 1,602
  • Joined: 20-January 09

Re: Custom Built Content Management System

Posted 14 August 2009 - 11:34 AM

You may also want to look into using a PHP framework such as the zend framework, which is basically tons of classes that you can call up and add to, allowing you to build your own intuitive CMS but also have a tested, proven and more secure program.

--

Greg
Was This Post Helpful? 1
  • +
  • -

#11 ayman_mastermind  Icon User is offline

  • human.setType("geek");
  • member icon

Reputation: 126
  • View blog
  • Posts: 1,860
  • Joined: 12-December 08

Re: Custom Built Content Management System

Posted 14 August 2009 - 10:57 PM

Quote

You may also want to look into using a PHP framework such as the zend framework, which is basically tons of classes that you can call up and add to, allowing you to build your own intuitive CMS but also have a tested, proven and more secure program.

That is a good idea, I will check out which Php framework best suites my needs. :)
Was This Post Helpful? 0
  • +
  • -

#12 mocker  Icon User is offline

  • D.I.C Regular
  • member icon

Reputation: 50
  • View blog
  • Posts: 466
  • Joined: 14-October 07

Re: Custom Built Content Management System

Posted 15 August 2009 - 04:49 AM

Quote

To take one of the most common current exploits, scanning random sites for vulnerability to XSS attacks is not a difficult thing to do and doesn't require knowing the software the site is running.


I agree. IF you don't know very much about building a secure app, than well-tested and popular apps are probably going to be more secure than anything you build. However a couple things:
1- probably is bold for a reason. There are many popular apps that are a mess. You have to pay attention to all the mailing lists and security sites and update IMMEDIATELY, in order for that to give you an advantage.
2- If you want to learn about making a secure app, then you have to start somewhere. The vulnerabilities that are easy to scan for are also easy to protect against.

Quote

If it's found in your custom code that only you run, then you've already been exploited.

This is pretty misleading, it doesn't really matter if the code is open source or not , it just depends if the person that is trying to exploit your site is doing it to see if they can, or for malicious reasons. Many exploits of popular software is only found out about AFTER it is used against a site running that software. You have less chance of being one of the handful of sites targeted by a zero day exploit, but it is by no means a given that you won't be.

Of course there are many other reasons to decide to go for an existing app, or build your own, but existing software does not always have security on its side.

Quote

You may also want to look into using a PHP framework

:^:
No need to completely re-invent the wheel

This post has been edited by mocker: 15 August 2009 - 04:51 AM

Was This Post Helpful? 0
  • +
  • -

Page 1 of 1