Archive for May, 2009
In this article I’ll try to describe how to develop a very simple Content Management System (CMS). I’ve chosen PHP as the server-side scripting language and MySQL as the database management system purely because I think they are fairly easy to use and they do the job very well.
I won’t spend any time describing CMSs, what they are, or why you should or should not use them as there are plenty of excellent articles around that describe them perfectly well. I’ll just explain one way of developing a CMS.
This CMS consists of a single web page (index.php) that can have its contents updated by use of a form (editPage.php). The contents entered via the form are stored in a database, and are accessed and displayed by the web page. Although this CMS is too simple to be of any real use, it could be used as the starting point for a real life CMS solution.
There are four files in this project:
cms.sql
editPage.php
updatePage.php
index.php
cms.sql
This file creates a database called cms, and creates a table in that database called page. It also loads some initial data into the table. You only need to use this file once.
editPage.php
This web page contains a simple form that can be used to enter (and edit) the contents displayed by index.php.
updatePage.php
This is the form handler – the script that processes the data (entered in editPage.php) and inserts it into the database table (page).
index.php
This is the web page that displays the data held in the database table.
cms.sql
1. CREATE DATABASE cms;
2. USE cms;
3. CREATE TABLE page (
4. pageID INTEGER AUTO_INCREMENT,
5. contents TEXT,
6. PRIMARY KEY (pageID)
7. );
8. INSERT INTO page (pageID, contents) VALUES (1, 'dummy text');
Line 1 creates a database called cms in the MySQL database management system.
Line 2 tells MySQL to use the database for the subsequent commands.
Line 3 creates a table in the database.
Line 4 creates a column called pageID, which will contain integers, and which will be automatically incremented as new records are added to the table. As we only have one web page (index.php) in our imaginary website, we will only have one record and therefore one integer: 1. If we added additional pages to the table, they would be automatically numbered (2, 3, 4, etc).
Line 5 creates a second column called contents, which will contain text. This is where the editable contents displayed by index.php will be stored.
Line 6 sets pageID as the primary key, which you can think of as a reference for the table. As we only have one table, which will contain only one record, we won’t make any use of the key. I’ve included it though because it’s good practice to do so.
Line 7 simply closes the bit of code that was started in line 3.
Line 8 inserts some initial data into the table: 1 as the first (and only) pageID, and ‘dummy text’ as the contents of the first record.
editPage.php
1. <html>
2. <head>
3. <title>Really Simple CMS</title>
4. </head>
5. <body>
6. <h1>Really Simple CMS</h1>
7. <?php
8. mysql_connect("localhost", "root", "password");
9. $result = mysql_query("SELECT contents FROM cms.page"); // no @ in front: a failed query should be visible, not silently ignored
10. while ($row = mysql_fetch_assoc($result)) {
11. $contents = $row['contents']; // keep the contents of the (only) row
12. }
13. ?>
14. <form name="form1" method="post" action="updatePage.php">
15. Enter page content:<br><textarea rows="10" cols="60" name="contents"><?php echo htmlspecialchars($contents); ?></textarea>
16. <input type="submit" name="Submit" value="Update Page">
17. </form>
18. </body>
19. </html>
Most of this file is fairly simple HTML that doesn’t need explaining. However, the following bits of code are probably worth discussing.
Lines 7 through to 13 contain PHP code to connect to the database and extract the contents of the web page.
Line 15 contains a tiny bit of PHP code to display the contents in the form’s textarea. This line shows how easy it is to integrate bits of PHP code into lines of HTML code.
Remember though that in order to use PHP code in an HTML page, the file has to have an extension of .php. If it does not, the PHP code will not be processed by the web server.
updatePage.php
1. <?php
2. $contents = $_REQUEST['contents']; // the text typed into the form's textarea
3. mysql_connect("localhost", "root", "password");
4. $result = mysql_query("UPDATE cms.page SET contents='" . mysql_real_escape_string($contents) . "'");
5. mysql_close();
6. ?>
This is the form handler, that’s to say, the script that processes the data entered into the form (in editPage.php).
Line 1 signifies the start of a PHP script.
Line 2 requests the contents that were posted from the form. We could have written $contents = $_POST['contents']; instead if we had wanted to.
Line 3 connects to the MySQL database server, setting up the host name, which I’ve assumed to be localhost, the database user, which I’ve assumed to be root, and the password needed to connect to the database. Naturally, I have no idea what this would be for your system so I’ve just written the word password.
Line 4 updates the page table in the cms database with the new contents. The text is passed through mysql_real_escape_string() first, so that a quote character typed into the form is stored literally instead of ending the SQL string early.
Line 5 closes the database connection.
Line 6 closes the PHP script.
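Splicing the submitted text into the UPDATE statement is the weak point of this handler, even with escaping. The following is an added example, not code from the original post, of the same form handler written with PDO prepared statements; it assumes PHP with the pdo_mysql extension, the cms database created by cms.sql, and placeholder credentials (a dedicated cms_user account instead of root). The function names are my own.

```php
<?php
// Added example, not from the original post: updatePage.php rewritten so that
// the submitted text is bound as a parameter instead of being spliced into the
// SQL string. Assumes the pdo_mysql extension and the cms database created by
// cms.sql; the account name and password below are placeholders.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=cms;charset=utf8mb4';
const DB_USER = 'cms_user';   // assumption: an account limited to SELECT/UPDATE on cms.page
const DB_PASS = 'change-me';  // placeholder

function connect(): PDO
{
    // Throw on any database error; the original's @mysql_query() silently returned false.
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Store new contents for one page. The text travels as a bound parameter, so a
// quote character in it is stored literally and can never end the statement early.
function updatePageContents(PDO $db, int $pageID, string $contents): void
{
    $stmt = $db->prepare('UPDATE page SET contents = :contents WHERE pageID = :id');
    $stmt->execute([':contents' => $contents, ':id' => $pageID]);
}

// Read the contents back for editPage.php / index.php; '' if the row is missing.
function readPageContents(PDO $db, int $pageID): string
{
    $stmt = $db->prepare('SELECT contents FROM page WHERE pageID = :id');
    $stmt->execute([':id' => $pageID]);
    $contents = $stmt->fetchColumn();
    return $contents === false ? '' : (string) $contents;
}

// Escape text before placing it inside HTML, e.g. in the textarea of editPage.php.
// Without this, stored text containing "</textarea>" would break out of the form.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The form handler itself. The form in editPage.php submits with method="post",
// so only POST is accepted here; $_REQUEST would also accept values from the URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['contents'])) {
    http_response_code(405);
    exit('Submit the form in editPage.php to update the page.');
}

$db = connect();
updatePageContents($db, 1, (string) $_POST['contents']);   // page 1 is the only row in cms.sql

// Send the browser on to the updated page rather than leaving it on the handler URL,
// where a refresh would re-submit the form.
header('Location: index.php', true, 303);
exit;
```

The read and escape helpers belong in a shared include used by editPage.php and index.php; note also that nothing on this page puts a login in front of editPage.php, so anyone who can reach it can change the page until authentication is added.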
index.php
1. <html>
2. <head>
3. <title>Home Page</title>
4. </head>
5. <body>
6. <h1>Home Page</h1>
7. <?php
8. mysql_connect("localhost", "root", "password");
9. $result = mysql_query("SELECT contents FROM cms.page");
10. while ($row = mysql_fetch_assoc($result)) {
11. $contents = $row['contents']; // keep the contents of the (only) row
12. }
13. echo $contents; // output as stored, so any HTML typed into the form is rendered by the browser
14. ?>
15. </body>
16. </html>
This is the web page that displays the contents from the database.
Most of the lines in this web page are pretty straightforward and don’t need explaining. Lines 7 to 14 contain the PHP script that extracts the contents from the database and displays (echoes) it in the browser.
Installing/Running the CMS
To use the CMS you need to copy the files onto your web server into the area allocated for web pages. Your web server needs to support PHP and MySQL; if it doesn’t, the CMS won’t work.
You also need to use the correct database connection names and passwords (those used in the mysql_connect lines in the PHP scripts).
Exactly how you run the cms.sql file to set up the database and database table will vary from web server to web server, so it’s difficult to give precise instructions here. If you have a phpMyAdmin icon or something similar in your web server’s control/administration panel, you should be able to use that.
Once you’ve set up the database and table, you can simply browse to the editPage.php web page and update the database contents. You can then browse to the index.php page to view the updates.
Now that you’ve decided to become an internet entrepreneur, there are scores of things you have to consider. Your first job is to decide on a domain type and name. Because there are quite a few from which to choose, you’ll have to have in mind a) your budget and b) what’s going to get you optimal traffic flow.
The Trifecta: The most common, most marketable, and easiest to remember domain types are .com, .net, and .org. Any one of these three will invite investors to your site easier and certainly ensure maximum traffic flow.
Country-Specific: Of course, if the domain name you desire has already been taken you can register your name with a country-specific extension. These include .uk (for the United Kingdom, of course), .jp (Japan), .fr (France), etc. Any country you can think of has an extension that you can use to differentiate your site.
Accepted Sub-Domains: If the country-specific domain names have dried up, there are some alternative names that have been approved by ICANN: .aero, .biz, .info, .name, .edu, etc. Not only are they more unique, they’re extremely specific.
Not-so-Great Sub-Domains: You could always get extremely unique and add a quirky sub-domain. For example, if the name “Food.com” is already in use, perhaps make your website more specific: “food.enteryoursmexydomainnamehere.com” – of course, shy away from using a sub-domain even remotely resembling this one. However, because these are essentially imaginary domain extensions, the chances of anyone actually knowing where to search are very small.
Price: Depending on which domain name registrar you register your name with, you’ll end up paying anywhere between $6.99 and $15.75 per year; however, there’s been a recent decrease in domain prices, so if you act quickly you could get your name for less than $10.
Facing the Information Security Hole in 2009:
The unacknowledged threat to our homeland and financial security
Every few days there is yet another breach of information security. And each breach seems to be The Biggest Ever, until the next one is announced.
It is now widely acknowledged by security experts from the federal government on down that the problem of data security breaches will get worse as the financial debacle worsens and companies cut spending and workers. Finally, there is growing awareness of one of the primary concerns of our team: it is inevitable that this compromised data will be used for terrorism.
As we talk with people interested in this issue, including security gurus, corporate governance and regulatory experts, privacy advocates, directors and officers, corporate lawyers, managers, and plaintiffs and class-action attorneys, we get a lot of questions about this cutting-edge subject. The answers help explain why the failure to secure information is a lurking national and global security threat, and the next shareholder derivative, director and officer liability, regulatory, consumer product safety, and class-action issue.
Why is an information security breach a potential national and global homeland security issue?
LW: Think about what data thieves do with stolen information. Data thieves drain your financial accounts, use your debit and credit cards fraudulently, use your identity and credit to open new accounts, create forged employment documents and other legal paperwork, and use your stolen identity to commit crimes and evade law enforcement. It is inevitable that some of this stolen information will be used to finance terrorism, and to create forged identities allowing terrorists to cross borders or access critical systems. This is what makes the current situation worse than even a global Enron and WorldCom fraud situation. Enron was, quote unquote, only about losing dollars. In the current meltdown, we are also losing data, on a massive scale that we have not even begun to grasp.
You said that an information security breach also creates potential class action, consumer product liability, shareholder derivative, D and O liability, and regulatory exposure. Explain.
LW: When companies have sensitive information and systems, they have certain obligations to protect that information. Those obligations are based on a variety of international, federal, and state laws; regulatory requirements and guidelines from government agencies; statements and representations made to shareholders, customers, consumers, and regulators; and agreements with customers, consumers, and other companies with which they do business.
When companies do not meet the requirements for information security, whether that shortcoming is willful or negligent, they have failed in their obligations to many stakeholders. Also, many of the statements made to these many stakeholders are Simply Not True.
You can think of a similar situation with an airline that has multiple safety requirements, and that represents to many stakeholders that it does certain things to meet these safety requirements. If that airline fails to meet the safety standards, whether through deliberate circumventing of the safety standards, or through carelessness, that company has a big problem with law enforcement, regulators, customers, shareholders, and class action plaintiffs. The individuals who flout those safety controls also have a big problem as far as their personal liability. That company and those individuals have an even bigger problem if the plane actually crashes.
I think of an information security breach as a plane that has crashed.
What are the implications for investors?
LW: The implications for investors include a loss of shareholder value if the company has an information security breach. The companies themselves acknowledge, including in industry standards and in company disclosures filed with the SEC, that a data security breach affects the brand, requires huge financial resources for incident response, remediation, audit, and legal expenditures, and increases insurance costs. So an information security breach obviously means that, despite spending hundreds of millions trying to manage security and risk, the system failed somewhere. The follow-on implications depend on whether the company met its own security obligations, or whether the company failed to meet those obligations.
If the company blew right on by the controls, it means that, in essence, the company did not tell the truth to the many stakeholders involved. Misrepresentation on these issues may mean that insurance coverage is voided, that legal and regulatory requirements, including Sarbanes-Oxley, were not met, and that the exposure of the company and the individuals who ignored the safety requirements is much larger than if the company had appropriately met its security obligations. This is a situation ripe for regulatory actions, shareholder derivative suits, claims against individual directors, officers, and managers, consumer and shareholder class-action suits, and criminal sanctions.
Why is the consumer the one on the hook when their personal and financial information is breached?
LW: My experience is that, regrettably, right now the financial industry tries to push all risk, and the consequences of an information security breach, onto the individual consumer, or onto the other companies with which it does business. I believe that to be wrong – if the financial company failed to meet its requirements, it bears at least part of the blame – the individual data thief does not, of course, get off the hook.
Also, if it failed to meet its security requirements, the financial company should bear the costs of recovering from the breach, rather than passing that cost and inconvenience on to the consumer or customer.
I also believe that a financial company that does not meet security standards has a very dubious position in trying to impose unreasonable interest rates, late fees and other penalties, and aggressive collection practices on its customers.
I’ve heard a lot about criminal hackers who break into systems, or criminal data thieves who steal, for example, a laptop or a flash drive. Is that the kind of information security gap you’re talking about?
LW: Not exactly. The piece of the problem that I am describing, based on real-life experience, is how many in the financial industry ignore or bypass the safety standards, with the companies still claiming that they have done everything they possibly can, and are not responsible when there is an information security breach.
It’s easy for companies to blame the mean old computer hackers who break into the systems and steal the data. But that’s only part of the problem. Yes, the data thieves have committed criminal acts, and it’s appropriate that data thieves be held responsible for their actions.
The companies also like to blame careless vendors who provide unreliable products or services – that is a problem, as well.
But the financial companies also have multiple obligations to do their part to protect the information and systems. The financial industry itself acknowledges the obligation of the companies to conduct appropriate due diligence and security reviews before allowing other companies or individuals to access this data.
For financial companies to claim that they’re doing the very best they can is like a storage company that tells its customers that it has a secure fence, security alarms, and 24-hour on-site guards, but has a break-in because the guard left to go to the neighborhood pub, and left the gate open and the alarm off. If your stuff is stolen, the individual burglar is at fault, but the company and the security-violating guard are also in trouble.
Aren’t the financial companies that have this data and systems legally required to ensure its security?
LW: Yes, the financial companies are legally required to protect this information. There are many laws and regulations that impose these requirements. (The particular laws and regulations will vary, according to the industry, the type of company, and the type of information.) But the gap that I’m describing arises because many companies, and other stakeholders, assume that the companies are meeting the safety standards because they spend a lot of shareholder money on security.
The companies themselves, not to mention the regulators and the other parties concerned, do not understand that these gaps exist, or how to find and fix them. It has not been well explained because, until very recently, almost nobody connected with the financial industry had any appetite for refusing to greenlight risky deals – they concentrated on volume and speed of the deal transactions. This approach has created the ‘credit default swap’ of sensitive information.
How does this gap happen?
LW: Many of these gaps happen in the deal-making and deal-managing process. The financial industry is well aware of the many laws, regulations, and safety standards, and has been for years. The industry trade groups, and the companies themselves, specify that the safety reviews are supposed to be completed before any deal is done, if that deal involves any access to sensitive systems and data. Think of this as a requirement in the aviation industry that safety checks are supposed to be completed before a plane takes off. That does not mean that the crew does not keep an eye on things during the flight, but the plane is not supposed to leave the ground until it’s been checked and cleared by experts.
Now, what happens a lot in the financial industry is that a project is pushed along, and a deal is approved, giving another company access to sensitive data, before the safety reviews are completed and the shortcomings addressed. That is like putting a plane in the air before completing the safety checks, for no reason other than ‘we need to meet a schedule’ or ‘the safety checks take too much time’.
The deal-making and contract function should be one of the strongest and most effective control points for the industry – it is the last best chance to meet these safety standards before the ‘deal plane’ takes off. Unfortunately, because the financial industry has focused on volume and speed of deals, it is, in my experience, one of the weakest, with the deals frequently done by teams who do not understand the safety standards, or even the verbiage of the contracts.
Many in the financial industry treated this due diligence and deal function as a paper-pushing drill to be done as cheaply and quickly as possible. That’s like having a plane checked out by an inspector who not only is not qualified to verify aircraft safety, but literally does not know what the words on the safety checklist mean.
How do you know about this?
LW: I managed deals, involving sensitive systems and data, for three international financial organizations. The subsidiaries of these global organizations included banks, mortgage companies, insurance, financial advisors, and credit cards. I also have many colleagues with experience in other global financial companies. This is an enormous and industry-wide problem that demands attention.
Well, if you worked in the financial industry, and now you’re saying the industry is not doing its job, aren’t you changing sides?
LW: I have always worked to secure sensitive information and systems, including in my work with three large international financial companies. That work involved knowing how to find and fix these problems, which was not a common skill in an industry that was paid on volume and speed of its deals. Sometimes it also involved refusing to greenlight projects until the appropriate security protections were in place. While that work was much appreciated by the control teams, like information security, compliance, and corporate governance experts, it was sometimes not popular with teams that wanted to rush projects through without taking time for the necessary precautions.
So I now work to educate the multiple stakeholders that this is a huge security hole, but it’s fixable – I’ve done it.
Why do you care so much about this? What’s in it for you?
LW: As it turns out, my entire career, beginning with my first U.S. Army job in Military Intelligence, has been about the protection and appropriate distribution of sensitive data. In my units, people were prepared to die to protect highly sensitive systems, the compromise of which could cause grave harm to our security and our people. It was unbelievable to me that some in the financial industry failed to protect sensitive information, just because they found it inconvenient, or because extra time and due diligence on a project might delay a promotion or payment of a bonus.
Given a choice between signing off on reckless manager decisions, or protecting our sensitive information, which means protecting our security, our customers and our shareholders, I have to side with protecting this data.
When you describe these gaps and how they happen, is this real-world information?
LW: The descriptions of these gaps are based on real-world, hands-on experience, not theory. I am not interested in enabling new data thieves; I want to help educate, so that the security holes can be found and fixed before there’s a security breach. If I know of specific weaknesses in a company’s system, I believe that it’s appropriate to first notify that company so that they can take proactive protective measures, whether with our team or with someone else. But even when I publicly discuss typical scenarios at an extrapolated level without naming the company, these examples are based on facts that I and my colleagues have witnessed first-hand.
What advice can you give companies that aren’t sure whether they are exposed?
LW: Many companies think that they have everything covered, because they have internal or external auditors, or big consulting companies, or other teams that have been trying for years to address security. But my colleagues and I have identified these gaps, even in some of the largest companies in the world that spend enormous amounts of shareholder money on security. In fact, the problem is probably worse in a larger company, because it’s more difficult for various teams to coordinate information and react quickly to address gaps. I can attest that we have identified significant security gaps that had been missed for years, even a decade or longer, by the internal and external teams at some of the largest companies in the industry.
What advice can you give companies that are sure they have this problem handled?
LW: Firstly, many financial companies assume that, because they spend a lot of time and money on security, they must have it covered. That assumption may prove fatal.
For companies that choose to assume that they have this covered, even after this widespread but unrecognized risk has been explained, my only advice is: Don’t have a breach.
Don’t have an unhappy worker with a flash drive; don’t have a contractor or subcontractor who wants to use this data for harmful purposes; don’t have your data being accessed by anyone that you don’t know; don’t have anyone working in your data centers or accessing them remotely unless you know about and monitor it; don’t have any gaps in any of the products or services anywhere in your data chain. Don’t make any mistakes in what you say to consumers, customers, regulators, investors, or companies with whom you do business.
If you’re still sure you have it covered – Don’t Have A Breach.
The author gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and Information-Security-Resources.com.