
Thread: Fast Edit (edit content on the web page) My first php script!

  1. #1
    Join Date
    Jul 2008
    Location
    Derbyshire, UK
    Posts
    3,033
    Thanks
    25
    Thanked 599 Times in 575 Posts
    Blog Entries
    40

    Default Fast Edit (edit content on the web page) My first php script!

    Hi all,

    I've been dabbling in basic php for a few years but only using enough to get by, mainly integrating pre-written scripts into websites and editing code snippets to suit my needs.

    Anyway, I've finally got around to writing my first simple, yet functional, mini "software".

    I call it "Fast Edit" and basically it allows a site admin to edit web page content right there on the page (an "edit in place" tool).
    (editable region content is stored in text files in a sub-directory)

    Please have a play on this demo setup and let me know your thoughts: http://www.jemcon.org/process_scripts/fast_edit/

    Thanks

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    I didn't log in because I don't know what the username and password are-- that's fine if you don't want to post them here.

    From what I see it looks fine, but it's basically just another CMS. There are many reasons to write your own (especially just that you'll then have it do exactly what you want), but because of that, I don't have much feedback. Perhaps take a look at other existing CMS tools and figure out what you'd like to add later.

    A couple thoughts:
    1. Security is important, so the most important thing is that you are positive the username and password are required for any 'admin' action. This might not be the case if, for example, there is some form that submits to a page that doesn't check this. You'd never be able to see the FORM without being an admin, but if you are trying to hack someone's server (with a copy of this software yourself) it would be easy to just submit from your form (your server) to their server and bypass it that way. This is just one possible example, but double check. If you're checking the login (or session or whatever) each page load and each time you change/delete/add data, you should be fine.

    2. One complex problem with this is that you are using PHP to create the pages and I am guessing you only allow HTML. This is the main reason I don't use CMS systems-- only a few of them allow PHP code. I have no idea if this matters to you. In many cases it won't. But if you ever need to use PHP for your content, you will need to find a way to allow that. And that's another big security issue as well, not to mention a logic problem: I suppose you can store it as an included file, but using eval() [execute a string as php code] is generally a bad idea.
    Again, this is just something to think about if it's relevant to you, but it'll be a hard problem to fix if you need to.



    Aside from that, looks great-- you've used PHP to save yourself work and automatically do stuff. That's what's great about it.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. The Following User Says Thank You to djr33 For This Useful Post:

    Beverleyh (05-28-2010)

  4. #3
    Join Date
    Jul 2008
    Location
    Derbyshire, UK
    Posts
    3,033
    Thanks
    25
    Thanked 599 Times in 575 Posts
    Blog Entries
    40

    Default

    Thanks for the feedback Daniel.

    Yes, I agree - it's another simple CMS. I made it simple, to suit my needs, without being bloated out with somebody else's requirements, but it is probably like plenty more others doing the rounds. It was a great lesson for me though.

    The login processing script checks for specific username/password inputs, and on success, sets the session which carries through the other pages - it only shows the editor window if the session is there. The session is then destroyed on logout. It's only simple but I hope that's a secure enough starting point. I'm learning more about php each day so thanks for the prompts and I'll keep revisiting the scripts and retesting once my knowledge increases.

    This script suits my needs for this particular mini-project as I only need HTML in the editable region for a few simple sites (although I have also made an alternative version with a customised TinyMCE that allows php inputs too - this is used on sites protected by cross-site phpBB3 login sessions and serves a more advanced TinyMCE editor to the uppermost-admin only)

    BTW - the login details are in the blue box on the "home" page of the demo
    Easy to miss so no worries.

  5. #4
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Ok, I tried logging in now. It's very smooth and very simple. I like it.

    I didn't see a way to manage pages: does it not do this yet? That would be an interesting next step. And then some sort of template manager would make it useful for others.
    I could imagine this getting popular for beginning designers because it's so straightforward. It has potential, assuming they don't want anything complex.


    As for security, you are probably fine. My point is that there may be security loopholes you didn't think of: the first thing you must do on EVERY page is kick them out if they are not logged in as admin. This is crucial for situations where data is being submitted and saved or anything else like that is occurring: just hiding the editor doesn't mean they can't hack you: it means they can't use the editor to hack you. If anything the editor can do can be done without logging in (for example submitted post data including fields, etc) then this will get around your security. This is probably more of a concern if you intend to release it and it's so simple that you probably did not miss anything. I'm just pointing it out. It's something that we all have to remember and when things get complex it's easy to miss.
    For example, an ajax routine (grabbing some sort of secure data) must ALSO verify the session, not just the page that calls the ajax. Hope that clears up what I was talking about.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  6. #5
    Join Date
    Jul 2008
    Location
    Derbyshire, UK
    Posts
    3,033
    Thanks
    25
    Thanked 599 Times in 575 Posts
    Blog Entries
    40

    Default

    Hi again,

    I could add some sort of page manager - maybe that could lead to a "Fast Edit Plus" step in the project, with template options too - but at the moment, I'm going for the "less is more" angle with this "lite" version. Its "lite" status is limited by my pitifully fragmented php knowledge in the here and now though, but I like the idea and will certainly aim to build on the project.

    In its current guise it's intended as a simple, non-bloaty, little flat-file plugin to aid the editing process directly on the page. It's minimal so it doesn't fall into the trap of having lots of functions that aren't wanted/needed, which is what I found while trying to find alternative, pre-made scripts before I decided to make "Fast Edit". If anyone wants to do more advanced updates/amendments/make new pages, they should either do it via their webhost's control panel but they could change the TinyMCE toolbar to the full/advanced option and get more control on the HTML at least.

    At the moment, "Fast Edit" can be added to any existing php web page, with the login include at the top, stylesheet and javascript in the head and the fast edit include right under the editable content region. The editable region content would then need to be separated out into a text file.

    I'm quite happy to release "Fast Edit" publicly (when complete) but my code at the mo is probably not the neatest, or most optimised that it could be, so if a more advanced php coder reads this thread and would like to help guide me through clean-up and security checks, I would be most grateful for the help. If so, please PM me. Bear in mind though that this is a free project and I still would like to learn things for myself, so I'm not looking for someone to rewrite and code for me - just guidance and suggestions and maybe a few code snippets if I'm really stuck (it wouldn't be a learning curve for me otherwise, eh?!)

    Also, I would like to understand more about what you said here:
    "the first thing you must do on EVERY page is kick them out if they are not logged in as admin"
    so if you could point me in the right direction of a good tutorial, that would be fab.


    Back to the "Fast Edit Plus" idea you mentioned -
    I have muddled together a script to create new pages and insert the various php includes to build a page automatically. It just requires you to enter the page name into a form field and submit. The script is ugly though and mashed together from code snippets I found on the web so I don't want to add that option yet until I've fully pulled it apart and understood it and cleaned it up.

    For a menu in another project I also use a little script which reads the php files in the root directory and sorts them alphabetically into an unordered list. It's quite limited though as I haven't yet learnt enough to allow the user to specify their own button order, but I guess that could be used as a basis for a menu builder.

  7. #6
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    "...so if you could point me in the right direction of a good tutorial, that would be fab."
    I don't know of anything that exists like that. What I've said is basically all the information you need: make sure that all admin-only actions are either main actions (within the main page) or that you double check the login for any minor actions (not within the main page).
    In your (current) case, I think it's just fine.
    The idea is just that if you have anything that does not run through the main verification part of the script, like an ajax request, etc., that might be a possible loophole.

    In other words, before you run any database queries, file manipulations, etc., make sure that at that point there's no way a user could have gotten there without first passing an admin-check. If this is all within a single page that checks for admins at the top, then you're most likely fine. This is probably more relevant if you do decide to expand it.


    And yes, I completely understand your current purposes: if this does what you want, then that's great. There's no need to change it. If you do decide to release it, though, you'll probably need to add a couple more things (page manager would be nice) so that it's really easy to use. On the other hand, what you have now isn't really a "CMS" in the traditional sense, but rather just a page-section editor: and that might be useful.
    For example, I can imagine that a client requests a webpage they can edit. Then you build it for them and they need to edit 3 specific parts of the site and have no idea how to use FTP, HTML, etc. In this case, then, it's easy for them: they just log in and change those parts. So, yes, it might be exactly what someone needs.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
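
The check described in posts #4 and #6 (verify the admin session in every script that changes data, not only on the page that shows the editor), as an added example that is not part of the thread or of the Fast Edit code. The file name `save_region.php`, the session key `is_admin`, the `content/` directory and the POST field names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// save_region.php -- hypothetical save endpoint for an edit-in-place tool.
// Assumes the login script sets $_SESSION['is_admin'] = true on success.

session_start();

/**
 * Stop the request unless this session passed the admin login.
 * Call it first in EVERY script that changes data, including AJAX targets.
 */
function require_admin(): void
{
    if (($_SESSION['is_admin'] ?? false) !== true) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/** Map a region name to its text file, rejecting anything but simple names. */
function region_path(string $region): ?string
{
    // Letters, digits, "_" and "-" only: no slashes or dots, so the
    // resulting path cannot leave the content directory.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $region)) {
        return null;
    }
    return __DIR__ . '/content/' . $region . '.txt';
}

require_admin();                          // 1. gate before touching any input

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

$region = $_POST['region'] ?? '';         // hypothetical field names
$html   = $_POST['html'] ?? '';
$path   = is_string($region) ? region_path($region) : null;
if ($path === null || !is_string($html)) {
    http_response_code(400);
    exit('Bad request');
}

file_put_contents($path, $html, LOCK_EX); // 2. write only after every check
echo 'Saved';
```

A form posted from another server reaches this script without the admin session cookie, so it stops at `require_admin()` whether or not the editor was ever displayed.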

  8. #7
    Join Date
    Jul 2008
    Location
    Derbyshire, UK
    Posts
    3,033
    Thanks
    25
    Thanked 599 Times in 575 Posts
    Blog Entries
    40

    Default

    OK - I think I'm OK with security now.

    I've also done more work on a simple "Page Manager", and made a "create new page" and "delete page" listing function, along with adding some code snippets to make a dynamic <title> for every page.

    I haven't yet worked out how to engineer a flat-file mechanism to order pages in the menu (not with my current knowledge anyhow) - they are currently sorted alphabetically (except the home page which always appears first). I thought about using a number prefix on file names to allow a user to fudge the page-sort manually but I'm still um-ing and ah-ing on that. Any ideas there?

    Now for templating.... What might you suggest for something like that?
    At the moment, this script could be plugged into an existing site, so maybe I could just do some php stylesheets which accept user defined colour inputs for the main styling tags, via a form? (body, h1, p, td, li, etc.)

  9. #8
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Actually, if you are looking for a general simple templating method, then you don't even need to worry about PHP. Just allow the user to manage a .css file and that can handle everything needed. Just make sure that it's easy to use and that the layout is minimal in the html/php, so that the css is as effective/powerful as possible.

    If you want to get more complex later, look into templating in the sense of generating html. It's not easy and I don't see any reason you need it yet. I'm sure there are lots of tutorials out there also.


    Regarding the files, I can't think of an easy other way to order them. Of course you could store a list somewhere (flat file, database, etc) that allows the user to set the order, but I don't really see much of a point there. For the links that the (end) user sees, you can just have them code them into the wysiwyg content and you're fine. Maybe add a 'hard' link to the home page if that makes sense.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  10. #9
    Join Date
    Nov 2006
    Location
    Northeast USA
    Posts
    408
    Thanks
    8
    Thanked 30 Times in 28 Posts

    Default

    The only minor thing I could add is to make the admin action text clickable and not just the icon. You could stylize it so it was black and all and then a.Hover to underline. But you probably know how to do that. Just my 2 cents.
    -Ben -- THE DYNAMIC DRIVERS
    My Links: My DD Profile||My Youtube Video Tutorials||DD Helping Coders||DD Coders In Training
    I told my client to press F5, the client pressed F, then 5, *facepalm*

  11. #10
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    Oh, and my advice is that if you plan to make this site go live, I would suggest hiding the admin link. There are two reasons: 1. It looks cleaner if the user doesn't see it, 2. It will help make it more secure: if the user doesn't know it's there, they won't try to hack it. (Regardless of whether it's secure or not).
    So basically just have a special link that the admin can go to, like /admin, and then that'll load it.
    There's no reason you can't leave it there if you prefer it. And as I was describing above, if this is for a very inexperienced administrator (someone who doesn't know the first thing about ftp, etc), then in that case leaving the link there will probably make them happy.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
