You may remember my last rant about people who have written their own CMS, in which my point was pretty much that people are copying a simple blog tutorial and saying it's a CMS.
In part two of this thrilling instalment[1], I revisit the topic of the custom CMS to rant about the latest craze - which is... well... writing one's own CMS. Everyone and their dog seems to want to do it. It's the thing to do to earn cool points and tell everyone how great you are. I should know, I've done it.
But what I am seeing at the moment is people who have no idea what they're doing. People who simply want to make a CMS because it's cool. When I wrote this CMS, I did it after almost 3 years of being comfortable with the language, knowing exactly what I wanted and what each function does and why. I knew the security implications involved in it, the problems I might experience, the limitations of what I had to work with, etc. I didn't even write my first script until I'd been comfortable with the language for two years. Editing, picking apart other scripts was fine, but my own script? If you ever saw PHPAskIt v1 (it's still out there, worryingly enough) you'll know I wasn't even ready then. However, I'll still admit I only wrote this CMS because ~~I was totally jealous of Jem~~ it was cool. :(
As you may or may not know, I have been learning Ruby on Rails for the past 6 months or so. I am fairly familiar with it at the moment but I am freely able to admit that I am not under any circumstances ready to undertake as large a project as a CMS in it. I don't know how RoR can be exploited, I don't know what sort of problems there are by using X rather than Y - I just don't know enough at the moment. I'm comfortable hacking about existing scripts and adding on little bits and pieces, but that's it.
So my point today is this: before you decide "zomg!1 I must write a CMS!1!!", ask yourself the following questions:
If you're unsure of the answers to any of these questions, my advice would be you're not ready yet. Keep looking at existing scripts and see how they're doing things. Search the internet for vulnerabilities in those scripts and how they are exploited to ensure it doesn't happen to you. Get friends to try and break your script as much as they possibly can. I can guarantee that some things normal internet users might do, you'll never think of - for example I found people were trying to go to non-existent tags on my site or page numbers that didn't exist and it caused my site to break.
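The failure described above (requests for tags or page numbers that don't exist) can be handled by validating both values before any query runs and answering 404 otherwise. This is an added example, not code from the CMS the post describes; the function names, tags, post counts and sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers with constructed sample data (not the post's CMS code).

/** Return a validated page number, or null when the request should get a 404. */
function resolve_page($raw, int $totalItems, int $perPage): ?int
{
    if ($raw === null || $raw === '') {
        return 1;                          // no page parameter: show the first page
    }
    // Digits only: rejects "-1", "2abc", "1e3" and array parameters such as ?page[]=1
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 6) {
        return null;
    }
    $page     = (int) $raw;
    $lastPage = max(1, (int) ceil($totalItems / $perPage));
    return ($page >= 1 && $page <= $lastPage) ? $page : null;
}

/** Return the canonical tag if it exists, or null for an unknown tag. */
function resolve_tag($raw, array $knownTags): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $tag = strtolower(trim($raw));
    // Strict comparison against an allowlist of tags that really exist
    return in_array($tag, $knownTags, true) ? $tag : null;
}

// Constructed sample: 23 posts at 10 per page gives valid pages 1 to 3.
$knownTags  = ['php', 'rants', 'firefox'];
$totalPosts = 23;
$perPage    = 10;

$requests = [
    ['tag' => 'php',       'page' => '2'],    // valid
    ['tag' => 'php',       'page' => '99'],   // page past the end
    ['tag' => 'nosuchtag', 'page' => '1'],    // tag that does not exist
    ['tag' => 'rants',     'page' => '-1'],   // not a positive integer
    ['tag' => 'firefox',   'page' => '2abc'], // trailing junk
];

foreach ($requests as $q) {
    $tag    = resolve_tag($q['tag'], $knownTags);
    $page   = resolve_page($q['page'], $totalPosts, $perPage);
    $status = ($tag === null || $page === null) ? 404 : 200;
    printf("%-10s page=%-5s -> %d\n", $q['tag'], $q['page'], $status);
}
```

In a real script the tag allowlist and post count would come from the database through prepared statements, and the 404 branch would send the status header and stop before rendering.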
However, don't think I'm discouraging you from writing a CMS (much :P ). A CMS is the perfect way to develop confidence in a programming language and to learn more about it than you ever could have otherwise. By all means start trying to write your own CMS and learning techniques to make it work the way you want to - but here's the important part: don't put it online. Install yourself a web server (I have XAMPP - very easy to install, has everything you need and installs in a single click. Mac OS X has built-in web server features but you can get XAMPP and other similar packages for it if you're not entirely sure how to use the built-in stuff, I must admit it's always confused me) and develop your up-and-coming CMS there; learn how to interact effectively with MySQL and all that in your own time without hacker types lurking everywhere and undoing all your hard work. I made the mistake of writing the first version of PHPAskIt online and ended up with all sorts of security issues. While I was writing the CMS, it stayed offline for 8 months because I didn't feel it was secure enough to go online - would my host tell me off for too many database queries? Would my PHP version and theirs clash?
Don't think you have to write a CMS just because "everyone else is doing it". You need to feel you can do it and that there is actually a point to doing it. If WordPress or similar does everything you need, is it really necessary? There is no shame whatsoever in using WP. The only reason I stopped using it is because it started to take over my site in ways I really didn't like and I'd modified it so much in the end that every time there was an upgrade I had to update each file individually to make sure it didn't mess with my changes. You also need to make sure you know what you're doing and why you're doing it. If you don't know the slightest bit about PHP, it really isn't worth it.
[1] *Cough*
I've seen a few of these sort of posts around lately, and because I ~~can't think of anything original to blog about~~ disagree with them all, I am going to list my own top 5 extensions you absolutely must have. Because I said so.
I know, I know. It "robs innocent webmasters of their income" or whatever but I never, ever click ads. I don't read them, I don't like them, I disagree with them. I don't mind a text link or something but big banners full of "ZOMG CLICK HERE!!1!1" flashing images = big no. I won't block a text ad, but I will and do block images and Flash ads. If you want me to click things, make them unobtrusive instead of blinding me with flashings from all directions.
I am far too lazy to copy and paste URLs that aren't clickable into my address bar, so this handy extension does it for me. There is a better one but as yet I've not tried it and I'm happy with the one I've got, so I don't know if I'll use it.
Because I simply must know whether your site is valid or not. No, really... The most useful thing about this extension is that when you view the source of a page you're working on, it highlights the errors in the source and tells you what's wrong. It'll even tidy the whole thing up for you with one click if you want it to (yes, that's where the extension's library gets its name from - HTML Tidy - because it tidies things up for you. Get it? :P ).
This one is probably not as essential if you don't need to do screenshots or anything like that, but basically it will take a screenshot of the entire page, not just the bit that's currently on your screen. I like it since I can screenshot a full page of content (useful for people like me whose printer doesn't work and who want to save the current page they're on - yes, you can do "save page as" or print it to a file, but I think this method is quicker and easier, so that's why I use it).
Tamper Data stopped working for me when I upgraded to Firefox 2, but it's a great extension meant for detecting vulnerabilities in scripts. It's got SQL injection and XSS stuff built in and ready to go to test your scripts to the limit. Of course, if you don't write or use scripts or anything then this extension is a bit useless to you.
Of course, there are the other extensions everyone recommends, like the Web Developer Toolbar, NoScript, IE Tab, etc., etc., which are very useful and which I have, but like I said, everyone recommends those so I thought I'd mention some of the lesser-known ones.
Regarding the last entry, yes, I had written an entry about how my house seemed to have accumulated some bedbugs. That entry decided to disappear off the face of the earth and I have no idea why. Anyway, upon closer inspection it appeared the bugs weren't bedbugs, but carpet beetles and pest control won't deal with those without charging us some hugely expensive fee so I've just gone mad with insecticide and we'll see how that turns out. Urgh.
I get asked quite a lot why my links don't open in new windows, and could I please add target="_blank" (or target="new" - which is incorrect) to them? The answer to that is no. I have never used target="_blank" on my site, except when I used popup windows (ewww, I know). And even then I wasn't happy about doing it. Especially now, when I validate to doctypes that don't support the target attribute.
Ok, I do have my Firefox settings set to ignore target="_blank", but why should I have to change my settings because of your site? I don't like being told how I'm going to go to a link. I want to choose for myself whether I am going to open a new window, a new tab, a new browser, or reuse the same page. I want links to follow what I've told my browser I want to happen. Usually, I reuse the same page. However, I never ever have more than one browser window open, and that is how I want it to stay, thank you very much. I can't stand cluttered desktops/taskbars where I don't know which window contains what. At least with tabs I can rename them and order them and whatever else (Firefox extensions FTW!1!).
This behaviour stems from the times of IE6 and other non-tabbed browsers, but is still being used today - people don't want visitors leaving their sites, so they force another browser window to open. On my old computer this was a nightmare - it couldn't cope with more than one instance of IE and opening another (by choice or otherwise) resulted in the whole thing crashing. Likewise, my current computer is getting slower and more dodgy every day, and opening an instance of Firefox/IE/anything takes it quite a while (yes, I have defragmented/taken off spyware/viruses/etc. It's just getting old). That's another reason I only have one FF window open, actually, heh. To those people (who don't want visitors leaving their sites) I say this: if your site is worth visiting, people will go back to it. You don't have to force them to stay on your site. In most cases, they will end up closing your site's window anyway.
So my point (I do have one, honest): please don't use target="_blank". It's not only inaccessible, but it's a nuisance to those of us such as myself (and it's not just me) who dislike our default settings being overridden. Let the user choose how to open links. Like I said, if your site is really worth staying on, people will stay on it. There is no need to force them to do so.