ZoneCMS: PDO / SECURE / MODERN [PlusEMU - FULL SUPPORT]

Status
Not open for further replies.

MayoMayn

BestDev
Oct 18, 2016
1,423
683
> Some fine code right there. So what is a container class really good for? Now this is some new territory, and it seems very interesting, so I would like to understand this fully. When I do understand it, then I can think about implementing the code into the CMS.
I use it for a lot of stuff like dependency injections etc.

Sent from my SM-G928F using Tapatalk
 

Zaka

Programmer
Feb 9, 2012
471
121
> I use it for a lot of stuff like dependency injections etc.
>
> Sent from my SM-G928F using Tapatalk
I read about it just a little bit and it sounds very practical; I will dig into this ASAP. Sounds like something I should've learned a while ago! Thank you for this code, I learn new stuff every day, should do stuff like this more often.
 

Linkestt

Truth is treason in the empire of lies
Nov 8, 2013
375
204
I witnessed you deving this CMS a couple months back via Skype, I like it. Hope to see it released soon!
 

Zaka

Programmer
Feb 9, 2012
471
121
> I witnessed you deving this CMS a couple months back via Skype, I like it. Hope to see it released soon!
Yes, I've been developing this for a while now, it didn't look like this before tho.
 

Zaka

Programmer
Feb 9, 2012
471
121
> Will this CMS be released? Looks really neat!
Yes, this will be 100% released. If I for some reason would stop the development of this CMS, I will still release it in that state. So no matter what, this is a guaranteed release.
 
Haven't updated the thread with something new; I haven't been working on it so much these past two days because I've been looking for some furniture (moving to an apartment soon), but I will update later today! Most of it so far has been changes in the code that aren't really visible to you. Other than that, I will finish the search part and see about implementing the "custom" design options.
 
I have made some progress, but mostly on the backend. I'm close but still far away; I really want this to be as good as possible. I still need to clean up some of the code and add more validation and CSRF protection, among other things. I'm also thinking about the design, what I could do with it; I still haven't found a final answer to that question. However, on to something that you can actually see: I have completed the search function. It is limited to showing 10 users per search. Basically you already know the name when you search for someone, or you know it relatively well, so that will have to do. If you want me to increase this amount, or make an option for it, tell me and I will implement it.

[image: 358c4e21e0944334924a33c1cc1e1cdf.png]

 
UPDATE 2017-02-09 01:55
----------------------------------
I have now implemented CSRF protection in the CMS, both one token per form and one that is used on any form.
In the global.php file we call both setCSRFToken() and setCSRFFormToken(). This can only be done once; it doesn't matter how many times you have it in your code, nothing else will happen. It needs to be in a global file that is required in every script, or it needs to be added manually to every script you want CSRF protection in.

As I said earlier, you can either use a global CSRF token or a specific token for each form. This is easily done by adding an input to your form:
PHP:
// For the global CSRF token (the same value on every form in the session)
echo $sys->getCSRFToken();

// For a specific form, keyed by the script that will receive the POST
echo $sys->getCSRFFormToken('/scriptname.php');
These values go into the value="" attribute of a hidden input (named csrf_token in the examples below). To check it server-side you simply do
PHP:
// Recompute the expected token for this form on the server side
$CSRFToken = $sys->getCSRFFormToken('/scriptname.php');

// hash_equals() compares in constant time; the is_string() check keeps a
// missing value or an array (csrf_token[]=...) from reaching it
if (isset($_POST['csrf_token']) && is_string($_POST['csrf_token'])
    && hash_equals($CSRFToken, $_POST['csrf_token'])) {
    // Run your script
} else {
    // Wrong CSRF token, something fishy going on
}
for a specific form, or
PHP:
// Same check against the global token
$CSRFToken = $sys->getCSRFToken();

if (isset($_POST['csrf_token']) && is_string($_POST['csrf_token'])
    && hash_equals($CSRFToken, $_POST['csrf_token'])) {
    // Run your script
} else {
    // Wrong CSRF token, something fishy going on
}
for the global CSRF token. But you must remember: whichever one you choose to use in the input field must also be the one you are checking against server-side.

I also finished the general settings page with switches, it updates automatically on change with AJAX and has a small delay to avoid spam.
[image: 2107874eea354944b1888444f2f0ae43.png]
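A worked version of the scheme described in this update, added here as an example. It is not ZoneCMS code: the CsrfGuard class, its method names and the csrf_token field name are this example's own assumptions. One secret per session plays the role of setCSRFToken() (creating it is a no-op after the first call), the per-form token is an HMAC of the receiving script's path under that secret, so the server does not have to store one token per form, and verification uses hash_equals() as in the post.

```php
<?php
// Added example (not ZoneCMS code): session-backed CSRF tokens with one global
// token and per-form tokens derived from it by HMAC, verified in constant time.
// Class, method and field names are this example's own assumptions.
declare(strict_types=1);

final class CsrfGuard
{
    private const SESSION_KEY = 'csrf_secret';

    /** Create the per-session secret once; later calls change nothing. */
    public static function init(): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION[self::SESSION_KEY])) {
            $_SESSION[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
    }

    /** Global token: the same value for every form in this session. */
    public static function token(): string
    {
        self::init();
        return $_SESSION[self::SESSION_KEY];
    }

    /** Per-form token, bound to the script that receives the POST, so a token
     *  copied from one form is not valid for another. */
    public static function formToken(string $script): string
    {
        return hash_hmac('sha256', $script, self::token());
    }

    /** Hidden input ready to drop into a form. */
    public static function field(?string $script = null): string
    {
        $value = $script === null ? self::token() : self::formToken($script);
        return '<input type="hidden" name="csrf_token" value="'
            . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
    }

    /** Verify a submitted token. $script must match what field() was called
     *  with when the form was rendered (null for the global token). */
    public static function verify(array $post, ?string $script = null): bool
    {
        $submitted = $post['csrf_token'] ?? null;
        if (!is_string($submitted)) {
            return false;   // missing, or sent as csrf_token[]=... (an array)
        }
        $expected = $script === null ? self::token() : self::formToken($script);
        return hash_equals($expected, $submitted);
    }
}

// Usage, e.g. at the top of /scriptname.php (assumed path):
CsrfGuard::init();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!CsrfGuard::verify($_POST, '/scriptname.php')) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... handle the form ...
}
echo '<form method="post">' . CsrfGuard::field('/scriptname.php')
    . '<button type="submit">Save</button></form>';
```

Because the per-form token is derived rather than stored, the same init()/token() pair serves both modes, which is what the post describes for global.php. The form token must be derived from the same path on both the rendering and the checking side, or hash_equals() will always fail.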
 

Zaka

Programmer
Feb 9, 2012
471
121
> Everything looks great so far, you should put this on git!
I've not been using git really, so I still need to learn. Haven't needed it basically. Might come up on git when it's in a state where I feel comfortable letting it out there, knowing it's fully secure and so on.
 

Eymen

New Member
Jan 24, 2012
26
7
Zaka gave me an early beta version of this CMS. It was very stable. If you don't like the colors or the theme of the CMS you can edit it very easily; the great thing about this CMS is its engine. I truly hope that Zaka will implement some kind of template system or some sort of customisation features. He has been spending countless hours coding the engine for perfection.
 

Zaka

Programmer
Feb 9, 2012
471
121
> Zaka gave me an early beta version of this CMS. It was very stable. If you don't like the colors or the theme of the CMS you can edit it very easily; the great thing about this CMS is its engine. I truly hope that Zaka will implement some kind of template system or some sort of customisation features. He has been spending countless hours coding the engine for perfection.
There will be an "easier" way of implementing themes, but not really a template system. My thought is that it should be easy to install and use, but you've got to know some to actually create new themes. For now I'm thinking that "themes" will only change images and CSS and not really any functionality or structure. I would like some feedback on this, like what do you guys actually want to be possible? I mean, with RevCMS you have to re-code all files for a theme, but I guess if you really want to change the whole structure of the CMS you can just do that and release it under a new name based on ZoneCMS etc. Otherwise just visual changes as themes.
 
[UPDATE 2017-02-11 06:40]
I have now implemented the "custom theme" possibility, letting hotel owners simply create their own CSS designs and use their own images of sorts. As I said earlier, if someone wants to make a heavy edit they can just do that and release it under a new name, as long as they give proper credit, that is, mentioning what the CMS is based on. Ex: HeavyCMS based on ZoneCMS or something like that.

I've also been cleaning up a bit and streamlining the code. Still some streamlining and cleaning up to do, but that's not for now. I've at least reached a point where I actually have a list of things to do before being able to release the first version of this CMS. It's about 30 things to fix for now, some small, some bigger, but if I continue at this pace I should be able to take on that list pretty quickly!

The CMS is also going to go through some changes when it comes to the design; this will be the last step before the release. The default theme will be fully responsive. I have no new screenshots at this moment since all the progress has been backend. ZoneCMS was said to be supporting AzureSharp, with PlusEMU as a question mark at the beginning, but the CMS has been made fully compatible with PlusEMU, and this is the ONLY emulator that ZoneCMS will have full support for.

This CMS is made with you guys in mind; simplicity is a keyword here, so there will be an easy install folder when setting up the hotel, where you only go through the install section without the need to edit any files. Of course this will also be easy to do manually in case you are not able to set the right permissions and so on. There will also be some kind of version control, and every update will be made as simple as possible to implement, with accompanying SQL files and a changelog. I hope you guys look forward to this release as much as I do!

[UPDATE 2017-02-14 07:35]
I was toying around, and while I was thinking the "theme" system was only going to be based on CSS files and images, I came to change my mind. Basically I thought that people also want to change the structure of the website, move around HTML divs and so on. It would be messy if everyone had to upload a whole CMS just because some divs were moved, instead of just uploading a theme folder. I didn't want to make it so complex that I totally separate PHP from HTML and so on, so I played around with some functions, and I think I will go with something like this.
[image: 75ea851240194bacb409a21ae60e7463.png]

This allows me to use parameters like [@username], but it also lets me run PHP code right away in the same file, and then when I call the file, I just replace the parameters with the actual data, and the rest runs like it should. Any thoughts about this?
 
Last edited:

MayoMayn

BestDev
Oct 18, 2016
1,423
683
> [UPDATE 2017-02-14 07:35]
> I was toying around, and while I was thinking the "theme" system was only going to be based on CSS files and images, I came to change my mind. Basically I thought that people also want to change the structure of the website, move around HTML divs and so on. It would be messy if everyone had to upload a whole CMS just because some divs were moved, instead of just uploading a theme folder. I didn't want to make it so complex that I totally separate PHP from HTML and so on, so I played around with some functions, and I think I will go with something like this.
> [image: 75ea851240194bacb409a21ae60e7463.png]
>
> This allows me to use parameters like [@username], but it also lets me run PHP code right away in the same file, and then when I call the file, I just replace the parameters with the actual data, and the rest runs like it should. Any thoughts about this?
Kinda how I did it, and in my opinion it's a good call. But I did give this a thought, and, like, I use this for calling PHP functions, so the templates consist of pure HTML only. There can be an exploit issue with this: for example, let's say you show some private server info using the filter params, and the user then writes a comment or something with "[@server_ip]", and the IP gets shown. I did this so it works for MySQL data, because there are certain columns in there that use the same data, e.g. the hotel URL, but in the end kinda stupid.

I've given a thought about a template system, but decided to ditch it, due to people not really being knowledgeable with jquery ajax, since that's what I use.
 

Zaka

Programmer
Feb 9, 2012
471
121
> Kinda how I did it, and in my opinion it's a good call. But I did give this a thought, and, like, I use this for calling PHP functions, so the templates consist of pure HTML only. There can be an exploit issue with this: for example, let's say you show some private server info using the filter params, and the user then writes a comment or something with "[@server_ip]", and the IP gets shown. I did this so it works for MySQL data, because there are certain columns in there that use the same data, e.g. the hotel URL, but in the end kinda stupid.
>
> I've given a thought about a template system, but decided to ditch it, due to people not really being knowledgeable with jquery ajax, since that's what I use.
Yes, I'm aware of that fact, and that's why I decided to create a function to escape the parameters from other sources like comments and such, so that when they are used in the template it writes out the correct data, but when used in inputs it just outputs the parameter's name instead.
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
> Yes, I'm aware of that fact, and that's why I decided to create a function to escape the parameters from other sources like comments and such, so that when they are used in the template it writes out the correct data, but when used in inputs it just outputs the parameter's name instead.
Yeah, I just fixed this, so it only works for the content that has been cached. No function data, callbacks, MySQL data or anything gets filtered by that; it makes it a bit more complicated to code in installation, but worth it to prevent exploits.

Sent from my SM-G928F using Tapatalk
 

Zaka

Programmer
Feb 9, 2012
471
121
> Yeah, I just fixed this, so it only works for the content that has been cached. No function data, callbacks, MySQL data or anything gets filtered by that; it makes it a bit more complicated to code in installation, but worth it to prevent exploits.
>
> Sent from my SM-G928F using Tapatalk
Would you care to show me your solution to this? I haven't coded that function yet, but I have an idea of how I would do it.
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
> Would you care to show me your solution to this? I haven't coded that function yet, but I have an idea of how I would do it.
Basically the same filter function, my classes are just structured another way, but this might give you an idea:
PHP:
<?php
use Acclimate\Container\CompositeContainer as Container;

class ContentController {

    protected $config, $page, $storage;

    // Rendered template text per page URL, kept for the lifetime of the request
    protected static $html = [];

    public function setContainer(Container $container) {
        $this->config  = $container->get('Config');
        $this->page    = $container->get('PageController');
        $this->storage = $container->get('Storage');
    }

    protected function cache() {
        $page = $this->page;
        ob_start();

        $start = microtime(true);
        print("<!-- Licensed to https://nextzone.ga/u/Sentinel author of LucidCMS -->\r\n");

        if ($page->current['header'] == 1) {
            include __DIR__ . "/../../html/header.html";
        }

        // $page->url becomes part of a file path here, so PageController must
        // have resolved it against a known list of pages before this point;
        // an unvalidated value containing "../" would reach files outside html/
        include __DIR__ . "/../../html/{$page->url}.html";

        if ($page->current['footer'] == 1) {
            include __DIR__ . "/../../html/footer.html";
        }

        $end = microtime(true);
        printf("\r\n<!-- This page was rendered in %.6f seconds -->", ($end - $start));

        // Keep the raw template output; ob_get_clean() returns the buffer and
        // discards it in one call. Assigning instead of appending avoids an
        // undefined-index notice the first time a URL is rendered.
        self::$html[$page->url] = ob_get_clean();
    }

    public function output() {
        $this->cache();
        // Parameters such as [@username] are expanded on the cached template
        // text only, which is the filtering described in the posts above
        print($this->page->filterParams(self::$html[$this->page->url]));
    }

}
If it doesn't work, it might be because I call all my functions on the page after the system knows what page to show, so basically if I wanted it to filter all elements as we discussed, I just wrapped ob_get_contents() with the filter function too.
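The exploit MayoMayn describes a few posts up (a user comment containing "[@server_ip]" being expanded when placeholders are filtered over the whole rendered page) and the fix both participants settle on (expand placeholders only in template text, and escape user-supplied content) as an added example. This is not LucidCMS or ZoneCMS code: the Params class, its method names and the sample template, values and comment are this example's own assumptions.

```php
<?php
// Added example (not LucidCMS or ZoneCMS code): the difference between
// expanding [@name] placeholders over the final page and expanding them over
// trusted template text only. Names and sample data are this example's own.
declare(strict_types=1);

final class Params
{
    /** Matches [@name] placeholders such as [@username] or [@server_ip]. */
    private const PATTERN = '/\[@([A-Za-z0-9_]+)\]/';

    /**
     * The pattern from the discussion that goes wrong: placeholders are expanded
     * over the FINAL rendered page, after user comments were already put in.
     * Anything a user typed that looks like [@server_ip] gets expanded too.
     */
    public static function expandRenderedPage(string $html, array $values): string
    {
        return preg_replace_callback(self::PATTERN, function (array $m) use ($values): string {
            return isset($values[$m[1]]) ? (string) $values[$m[1]] : $m[0];
        }, $html) ?? $html;
    }

    /**
     * Safe variant: placeholders are expanded in TEMPLATE text only, and every
     * value is escaped as it goes in. User content reaches the page only as an
     * escaped value, never as text the pattern is run over.
     */
    public static function expand(string $template, array $values): string
    {
        return preg_replace_callback(self::PATTERN, function (array $m) use ($values): string {
            if (!array_key_exists($m[1], $values)) {
                return $m[0];                    // unknown name: leave as written
            }
            return self::escape((string) $values[$m[1]]);
        }, $template) ?? $template;
    }

    /** Escape untrusted text for HTML and neutralise placeholder syntax, so a
     *  second filter pass over the output (as in the thread) cannot expand it. */
    public static function escape(string $untrusted): string
    {
        $safe = htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        // "[@" -> "[&#64;" renders identically but no longer matches PATTERN
        return str_replace('[@', '[&#64;', $safe);
    }
}

// Constructed sample data (not from the page)
$private = ['server_ip' => '10.0.0.5', 'username' => 'alice'];
$comment = 'my ip is [@server_ip] <script>alert(1)</script>';

// 1) Vulnerable: the comment is concatenated first, then the page is filtered
$page = '<p>Hello [@username]</p><div class="comment">' . $comment . '</div>';
echo Params::expandRenderedPage($page, $private), "\n";
// -> the comment now shows 10.0.0.5 and the <script> tag is live

// 2) Hardened: the comment is just another value, escaped on the way in
$template = '<p>Hello [@username]</p><div class="comment">[@comment]</div>';
echo Params::expand($template, $private + ['comment' => $comment]), "\n";
// -> the comment is shown as typed, [@server_ip] stays literal, script is inert
```

The order of operations is the whole point: in the hardened version the regex only ever sees text the developer wrote (the template), and user data is inserted as an escaped value in the same single pass. The "[&#64;" substitution is a belt-and-braces measure for code bases that, like the one above, run filterParams() over cached output and might one day run it twice.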
 

LeChris

github.com/habbo-hotel
Sep 30, 2013
2,725
1,307
You should give full trust to the end-developer when developing systems.

Template Engines
That being said, when you code in features with user-interaction (Take a comment widget on the news for example), it's also important to provide a way to output that user data while filtering it. A really good example on handling template engines, while being secure and producing readable views is .

If you need any more ideas, it's also a good idea to code in view caching within your template engine to decrease the CPU load and increase the output speed.

Other Things
If you're worried about exploits in general, you should code a database wrapper to handle any db queries you make - while adding in a function to automatically secure strings. This would also greatly benefit code readability.
 

MayoMayn

BestDev
Oct 18, 2016
1,423
683
> You should give full trust to the end-developer when developing systems.
>
> Template Engines
> That being said, when you code in features with user-interaction (Take a comment widget on the news for example), it's also important to provide a way to output that user data while filtering it. A really good example on handling template engines, while being secure and producing readable views is .
>
> If you need any more ideas, it's also a good idea to code in view caching within your template engine to decrease the CPU load and increase the output speed.
>
> Other Things
> If you're worried about exploits in general, you should code a database wrapper to handle any db queries you make - while adding in a function to automatically secure strings. This would also greatly benefit code readability.
To be honest, you're not really going to learn shit when using frameworks. If you got no idea how the back-end works, there's really no point in using a system, which you basically don't have a single clue in how works. I'm not saying you're wrong, I've used Blade Templating before, and it works great, but if you're here to learn how to code, you ain't gonna learn much from using a framework (except if you decided to go throughout the whole coding).

That's the same, I only use ajax jQuery because it provides me a faster and easier way to do ajax calls. I didn't use ajax jQuery, before I learned how ajax was coded in pure javascript.

Nonetheless, he's already using a PDO wrapper, and there's not really any way to secure the input more than PDO is already doing to prevent SQLi.
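The database wrapper LeChris suggests and the PDO point MayoMayn makes, as an added example. This is not ZoneCMS's own wrapper: the Db class, its method names and the sample query are this example's own assumptions. It shows the two places where PDO does not do the work by itself: identifiers such as ORDER BY columns cannot be bound and need an allow-list, and integers for LIMIT should be bound as PDO::PARAM_INT, which matters once emulated prepares are switched off.

```php
<?php
// Added example (not ZoneCMS code): a minimal PDO wrapper that only ever runs
// parameterised queries. Class and method names are this example's own.
// Requires PHP 7.4+ for the typed property.
declare(strict_types=1);

final class Db
{
    private PDO $pdo;

    public function __construct(string $dsn, string $user, string $pass)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            // Fail loudly instead of returning false and carrying on
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: bound values never enter the SQL text
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    /** Run $sql with every value bound as a parameter. Integers are bound as
     *  PDO::PARAM_INT so they are valid in LIMIT/OFFSET; everything else is a
     *  string. Keys may be positional (0-based) or named ('q' or ':q'). */
    public function run(string $sql, array $params = []): PDOStatement
    {
        $stmt = $this->pdo->prepare($sql);
        foreach ($params as $key => $value) {
            $type = is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR;
            $name = is_int($key) ? $key + 1 : ':' . ltrim((string) $key, ':');
            $stmt->bindValue($name, $value, $type);
        }
        $stmt->execute();
        return $stmt;
    }

    /** Column and table names cannot be bound; accept only a fixed list and
     *  quote the survivor as a MySQL identifier. */
    public static function identifier(string $name, array $allowed): string
    {
        if (!in_array($name, $allowed, true)) {
            throw new InvalidArgumentException("identifier not allowed: $name");
        }
        return '`' . str_replace('`', '``', $name) . '`';
    }

    /** Escape LIKE wildcards in user input so "%" and "_" match literally. */
    public static function likeLiteral(string $needle): string
    {
        return addcslashes($needle, '%_\\');
    }
}

// Usage, modelled on the search box from the thread (constructed, assumed
// schema: a users table with id and username columns)
$db = new Db('mysql:host=localhost;dbname=hotel;charset=utf8mb4', 'user', 'pass');
$needle  = $_GET['q']    ?? '';
$orderBy = Db::identifier($_GET['sort'] ?? 'username', ['username', 'id']);

$rows = $db->run(
    "SELECT id, username FROM users WHERE username LIKE :q ORDER BY $orderBy LIMIT :n",
    ['q' => '%' . Db::likeLiteral($needle) . '%', 'n' => 10]
)->fetchAll();
```

Only $orderBy is interpolated into the SQL text, and only after it has been checked against the allow-list; the search term and the row limit go through bindValue(). With emulation on, PDO would quote the limit as a string and MySQL would reject LIMIT '10', which is the usual reason people fall back to string concatenation there.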
 

LeChris

github.com/habbo-hotel
Sep 30, 2013
2,725
1,307
> To be honest, you're not really going to learn shit when using frameworks. If you got no idea how the back-end works, there's really no point in using a system, which you basically don't have a single clue in how works. I'm not saying you're wrong, I've used Blade Templating before, and it works great, but if you're here to learn how to code, you ain't gonna learn much from using a framework (except if you decided to go throughout the whole coding).
> That's the same, I only use jQuery because it provides me a faster and easier way to do ajax calls.
Not one time did I suggest using a framework, but rather gaining ideas on how to handle a template engine by looking at what Blade provides and does. My time spent using Laravel was easily well worth it, and has allowed me to rapidly build prototype frameworks replicating my favorite features (including Blade and Routing) while extending my knowledge of back-end systems.

Not to mention, if you lack understanding of a back-end a framework is an amazing place to start as it provides not only the tools to learn, but a professional structure to learn from.

(jQuery doesn't provide a faster way to do calls, it just provides a way to do calls without spending as much effort coding it. It's actually quite a ridiculous thing to use for one feature.)
 
Last edited by a moderator:

LeChris

github.com/habbo-hotel
Sep 30, 2013
2,725
1,307
> To be honest, you're not really going to learn shit when using frameworks. If you got no idea how the back-end works, there's really no point in using a system, which you basically don't have a single clue in how works.
  • Nobody stated to use a framework
  • I'm quite sure the guy developing this has fairly more experience than you, or his professionalism at least shows a higher ability to understand.
 
Last edited by a moderator:

Zaka

Programmer
Feb 9, 2012
471
121
> Not one time did I suggest using a framework, but rather gaining ideas on how to handle a template engine by looking at what Blade provides and does. My time spent using Laravel was easily well worth it, and has allowed me to rapidly build prototype frameworks replicating my favorite features (including Blade and Routing) while extending my knowledge of back-end systems.
>
> Not to mention, if you lack understanding of a back-end a framework is an amazing place to start as it provides not only the tools to learn, but a professional structure to learn from.
>
> (jQuery doesn't provide a faster way to do calls, it just provides a way to do calls without spending as much effort coding it. It's actually quite a ridiculous thing to use for one feature.)
You haven't checked out the thread though, since I do have a database wrapper, and the sort of "template" I'm going to implement is not so that anyone can create themes here and there; it's basically just to make it a bit easier for developers to create small packs which the end user can then implement easily. So this is not going to have some tpl system that follows all the standards that a tpl system does.
 
Last edited by a moderator:
