130 Comments
- serif69, on 01/13/2009, -3/+69: I love LAMP.
- wesholing, on 01/12/2009, -3/+38: PHP and MySQL are my personal Brangelina.
- Games4Life, on 01/13/2009, -1/+20: http://www.w3schools.com/
It's really handy.
- addiktion, on 01/13/2009, -0/+17: Did anyone else notice that when you click on "View Demo" it says "Kevin Rose Loves Penis?" all the way down the page?
- AmyVernon, on 01/13/2009, -2/+16: Totally teaching myself all this stuff right now; can use all the tips I can get... thanks.
- billbugger, on 01/13/2009, -0/+11: That script has some serious security vulnerabilities!!
Pro tip: This is a good example to learn from, but never run this script in a live environment; you're just asking to be hacked!
- wesholing, on 01/13/2009, -0/+10: Do you really love LAMP, or are you just saying it because you saw it?
- swaggadocio, on 01/13/2009, -0/+9: SQL in the same function as XHTML?! Yuck! MVC, encapsulation anyone?
- ArthurSucks, on 01/13/2009, -0/+9: "Tips, Tricks, and Techniques on using Cascading Style Sheets"
I thought this was PHP?
- Aaryn015, on 01/13/2009, -0/+9: The digg effect, which happens to sites daily, is ironic??
It's called "bandwidth".
- thejamesbond, on 01/13/2009, -1/+8: This is just a terrible PHP tutorial. Not only is the code bad and the tutorial teaching bad coding practices, it's also very insecure (the example is currently hacked / defaced), XSS and SQL injections all over the place.
- ohemsted, on 01/13/2009, -2/+9: Just remember that this code isn't perfect.
Even the author said: "This code is written for demonstration purposes only. Several security holes have been pointed out in the comments, which I have addressed in Part Two of this tutorial series. Still, I would strongly advise not using it for production websites without further testing.
I have covered some of the bases with security, but other issues may exist. Further reading on security risks and safe PHP code can be found here. Please read through this before implementing this code on your server to avoid potential security holes."
- bruceandcoke, on 01/13/2009, -0/+7: http://www.bash.org/?873379
- covertbadger, on 01/14/2009, -0/+6: "Agree. PHP is by no mean for mission critical or high-end websites."
You mean like Facebook? Or Wikipedia? Or Digg?
- cenic, on 01/13/2009, -0/+6: Teaching the masses how an SQL injection works...
- inactive, on 01/13/2009, -0/+6: This should have like, over 9000 diggs.
- mileswj, on 01/14/2009, -1/+7: Wow, you're a ***** noob.
I hope you don't get paid to do this.
- headzoo, on 01/14/2009, -0/+6: If you're new to PHP, DO NOT FOLLOW THIS ARTICLE. It's full of bad syntax, security flaws, and methodologies that haven't been used since 2001. This is one bad PHP "developer" creating a dozen more just like him.
Who in the world still mixes HTML inside of PHP functions/classes?
- thejamesbond, on 01/13/2009, -0/+6: Also teaching how XSS works...
- billbugger, on 01/13/2009, -0/+5: No on Smarty. PHP can inherently be its own template engine.
A mention of an authentication system would've been nice too.
- hawkeye22, on 01/14/2009, -0/+5: I'm new to PHP, and have a few questions after reading these comments - if some people could help, please?
1. What's wrong with mixing PHP and HTML code? How else would you do things without inline echoing?
2. What are "parameterized queries and prepared statements"?
3. Why are they "infinitely safer than quote escaping and slash stripping"?
4. There's lots of whining about the poor writing conventions and bad security - are there GOOD tutorials which can explain this ***** further, please?
Thank you for making the coding world a better place :)
- noahhendrix, on 01/13/2009, -3/+8: I found it better to fully understand PHP before delving into a framework. Otherwise you might not understand the underlying principles in the framework which allow for extending.
- billbugger, on 01/13/2009, -1/+6: I like the 4-some of LAMP myself.
- covertbadger, on 01/14/2009, -0/+5: I love how no-one has stepped up to the plate to answer this. So easy to criticise, so hard to contribute :-)
I've been programming for around 15 years or so, mostly in C++, C#, Python, and OCaml. Only in the last month or so have I picked up any PHP as I wanted to teach myself to write a simple "web 2.0" website. I tried RoR and found it obscured too much of what was going on, and was therefore a lousy learning experience. Maybe I'll come back to it once I've understood in depth the problems it tries to solve.
So, don't take any of the following as gospel - I'm still learning too.
1) Mixing PHP and HTML is generally bad because it is difficult to maintain code that tangles presentation and content together. You'll start finding that modifying code has unanticipated effects on how your page is laid out, and you don't want that. You can (and will) still do inline echoing, but keep it SIMPLE - any complex calculations that need to be done should be factored out, so your inline echoing is simply displaying results rather than generating them. Separating presentation and content is not a PHP-specific thing; it applies to all forms of UI development.
2) Parameterized queries are where you specify your query with placeholders ('?'s) and then bind values to it, e.g. "select name, price from products where id = ?". In PHP, use MDB2 to handle this. I found http://www.phpied.com/db-2-mdb2/ to be a pretty good introduction.
3) Parameterized queries are superior because they are guaranteed to correctly handle string escaping and other things necessary to protect yourself from SQL injection. If you rely on PHP's own stripslashes etc., you only have to forget once and your site is vulnerable.
4) Most tutorials on the subject are crap. There's no shortcut - you're just going to have to spend some time reading the comments on php.net and reading other people's code. Sorry. As a start, though, the fundamentals are: a) Validate ALL data before letting it into the DB; b) Protect against SQL injection (see point 3); c) Be sure to HTML-encode all output (guards against XSS); d) Connect to the DB with the minimum possible privileges. Don't use a user that can enumerate or drop tables, for instance.
Basically, be paranoid about your inputs, outputs and user privs. That's a good start. Also, learn to ignore the raving fanatics. You don't HAVE to use RoR or Cake - it's perfectly possible to write a well structured, maintainable, secure app in a short amount of time without using them. Also, watch for the OO-zealots who will tell you that procedural code is evil. For small websites (<5K lines or so) you can do just fine with a procedural design, though by all means use objects if that's what you prefer. Just don't let anyone tell you it's NECESSARY.
- djlmnts, on 01/13/2009, -0/+4: Wow... Kevin Rose likes penis... and you get Rick Roll'd.... nice touch
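The four fundamentals covertbadger lists in answer to hawkeye22 (validate all input, parameterize queries, HTML-encode all output, connect with minimal privileges), together with the prepared-statement point pnpbios makes further down the thread, as one added worked example. This is not code from the tutorial under discussion or from any commenter. It uses PDO (bundled with PHP) instead of the MDB2 library covertbadger names or the mysqli extension pnpbios names, and an in-memory SQLite database with a constructed two-row products table so it runs with no database server; the vulnerable function is included only to show the injected input succeeding beside the hardened version. The `cms_web` account and `cms` schema in the closing GRANT comment are assumed names, not anything from the tutorial.

```php
<?php
// Added example (not the tutorial's code): covertbadger's four fundamentals
// with PDO and an in-memory SQLite database. Run with: php example.php
// (requires the pdo_sqlite extension).

// Throw exceptions on error instead of silently returning false.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
// Constructed sample rows; the first name carries a script tag so the
// output-encoding step has something to neutralise.
$db->exec("INSERT INTO products VALUES (1, '<script>alert(1)</script>Widget', 9.99)");
$db->exec("INSERT INTO products VALUES (2, 'Gadget', 19.50)");

// (a) Validate ALL data before it goes near the database: a product id is a
// positive integer and nothing else is accepted.
function validateId($raw) {
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// VULNERABLE (the pattern the tutorial uses): the raw value is interpolated
// into the SQL text. With $raw = "1 OR 1=1" the WHERE clause becomes
// "id = 1 OR 1=1" and every row comes back.
function findProductInterpolated(PDO $db, $raw) {
    return $db->query("SELECT name, price FROM products WHERE id = $raw")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// (b) Parameterized query: the '?' placeholder is bound to a value after the
// statement is parsed, so the value can never be read as SQL, whatever it
// contains. No quoting or slash-stripping to forget.
function findProductPrepared(PDO $db, $id) {
    $stmt = $db->prepare('SELECT name, price FROM products WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// (c) HTML-encode ALL output. ENT_QUOTES encodes both quote styles, so the
// result is safe inside attribute values as well as element bodies.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// --- Demonstration ---------------------------------------------------------
$attack = '1 OR 1=1';   // constructed attacker input, e.g. from ?id=

$id = validateId($attack);   // null: rejected at the door
echo "validateId:   " . var_export($id, true) . "\n";

echo "interpolated: " . count(findProductInterpolated($db, $attack))
   . " rows (injection worked)\n";

// Even when validation is forgotten, the prepared statement compares the
// whole string against id as a single value, which matches nothing.
echo "prepared:     " . count(findProductPrepared($db, $attack)) . " rows\n";

foreach (findProductPrepared($db, validateId('1')) as $row) {
    // The browser renders the stored <script> tag as text, not as script.
    echo '<td>' . h($row['name']) . '</td><td>' . h((string) $row['price']) . "</td>\n";
}

// (d) Least privilege: the web app's database account gets only the
// statements it needs. SQLite has no accounts; on MySQL (assumed account
// and schema names) the grant would look like:
//   CREATE USER 'cms_web'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON cms.* TO 'cms_web'@'localhost';
// No DROP, ALTER, FILE or GRANT OPTION, so an injection that does get
// through cannot destroy the schema or read files off the server.
```

The three checks are layered on purpose: validation stops junk early, the prepared statement holds even when a validation check is missing, and output encoding protects the page even when the stored data is already hostile, which is exactly the defaced-demo situation the thread is complaining about.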
- spleeyah, on 01/13/2009, -0/+4: A programming article on the FRONT PAGE?!
- whereiseljefe, on 01/13/2009, -0/+4: The code isn't a security risk, it's a design risk. It's a horrible design, even for a small example, and will promote bad practices that will, in the long run, help no one when they actually want to make a "larger scale" or "real" CMS or any other web app in PHP.
- meltingcube, on 01/13/2009, -0/+4: I think the site was hacked; else it was meant to Rick Roll, which by the previous comments I think the former.
- raeldc, on 01/14/2009, -1/+5: I've been a PHP Programmer for 5 years now. My advice to beginners: don't waste too much time on it. Don't be a PHP expert or you'll lose precious time learning other great languages like Python and Ruby. Don't make PHP your primary programming language skill. It sucks really bad compared to other modern languages. PHP is still useful for simple, easy and fast website deployment. But as you grow with your career as a programmer, you'll find out that PHP is not good for mission critical and high-end websites. If I were to go back 5 years, I'd learn Python, and learn PHP as a secondary skill.
- TPHigginbotham, on 01/14/2009, -0/+4: I concur with covertbadger regarding the answers to your questions. I would like to elaborate on the first question you posed regarding mixing PHP and HTML, however.
Of course, you will inevitably *have* to mix PHP and HTML, but that shouldn't be done at the class level. A class should be reusable, and if it includes design-related code (as this tutorial does), you make it difficult to manage or transfer to other projects.
- Fixthemedia, on 01/13/2009, -0/+4: I saw goatse and rickroll. Beautiful CMS. : ...(
- handsomeBastard, on 01/13/2009, -0/+4: Indeed. SQL injection should at least be mentioned in this tutorial.
- shrapnel09, on 01/13/2009, -0/+4: I love Marvel Vs. Capcom!
- phpscriptcoder, on 01/13/2009, -0/+4: Buried for LULZ, Goatse, and Rick Astley all in one link...
- billbugger, on 01/13/2009, -1/+4: True, but frameworks can teach someone who is trying to teach themselves some valuable lessons like DRY, templating, locale handling, structure, coding standards, etc.
PHP is a great first language to learn, but it's very easy to get very messy with it if you don't know the proper underlying principles to a well written application.
// LAMP developer, myself
- neilo, on 01/13/2009, -0/+3: Ugh, generic site-wide "description" meta tag is the reason the Digg summary is incorrect ...
meta name="description" content="Tips, Tricks, and Techniques on using Cascading Style Sheets (CSS)"
Summary confused me, not sure about anyone else.
- whereiseljefe, on 01/13/2009, -2/+5: Your advice is fail.
Frameworks are designed FOR newbs. It is the experts that start to deviate from using frameworks and into custom coding because they have developed sound practices and standards by using something that enforces a certain amount of rigidity (which is what a newb needs).
- Gforce20, on 01/14/2009, -0/+3: I know this doesn't go along with the joke, but I prefer XAMPP.
- billbugger, on 01/13/2009, -1/+4: what's up.
- glomph, on 01/13/2009, -0/+3: I recommend this list of tutorials.
http://www.newgrounds.com/bbs/topic/372890/20
Very helpful for beginners.
- jamshid, on 01/14/2009, -0/+3: No surprise that the author "has a fetish for building custom applications from scratch".
Buried; there are enough crap tutorials like this on the internet. Security, like good error handling and memory usage, must be taught on day one if you're coding for the world wide web.
- mileswj, on 01/14/2009, -0/+3: WHAT THE HELL.
What horrible code this is; how the hell did this make front page news.
- TPHigginbotham, on 01/14/2009, -0/+3: FTA: mysql_select_db($this->table) [...]
Hmmm... I wasn't aware that you could connect to a database *table*. Poor naming conventions. Many other problems have been pointed out as well. This tutorial is too advanced for a beginner and too unprofessional for someone with adequate knowledge of PHP/MySQL.
- amoeba, on 01/14/2009, -0/+3: Why build your own CMS when there are plenty of awesome PHP-based open-source content management systems?
online demos:
http://opensourcecms.com
recommended:
http://drupal.org
- covertbadger, on 01/16/2009, -0/+3: "No, none of them is mission critical."
How well do you think Facebook the corporation or Digg the corporation would do if facebook.com or digg.com became unviable as applications? I put it to you that without facebook.com, Facebook as a company would be screwed, and therefore facebook.com is mission critical TO FACEBOOK. I think you misunderstand the term 'mission critical'.
http://en.wikipedia.org/wiki/Mission_critical
"Facebook may be a high-end website, but Wikipedia and Digg, no"
Wikipedia handles about 177m requests per day. That's over 2000 per second on average - peak rates will be much higher. How is that not a 'high-end' website?
http://wikistics.falsikon.de/latest/
- hawkeye22, on 01/14/2009, -0/+3: I'm not attempting to be deliberately facetious, but what's so impressive about that screenshot (debugger.png)?
- pnpbios, on 01/14/2009, -0/+3: mysqli has been around since PHP 5. I can't believe people are still TEACHING raw queries. Parameterized queries and prepared statements are infinitely safer than quote escaping and slash stripping.
PHP has a legacy of horrible security vulnerabilities. This 'tutorial' merely enforces that.
- billbugger, on 01/13/2009, -7/+9: google "cakephp"
best framework, IMO
- namaku0, on 01/14/2009, -0/+2: I love FAPP.
No, really. This is not a comment for trying to be funny.
FreeBSD, Apache, PostgreSQL, Python/PHP.
- Danltn, on 01/13/2009, -0/+2: This makes front page nowadays?