Our CMS project - no longer on Indiegogo.

[IanMacdonald]

A while back I put our own little inhouse CMS project on Indiegogo. Didn't get enough backers to be worth continuing the campaign unfortunately, so dropped it.

We basically wrote Mara CMS for our own use after bad experiences with Joomla, and decided that it would be worth taking further as it actually works quite well. Coding these sorts of things takes an awful lot of time though. So, the idea was to find a backer or two.

Really not sure why there was so little interest. I know that there seems to be a love affair with Wordpress these days, almost to the exclusion of all else, but that wasn't so much the case when we started the project. At least, unlike most Indiegogo snake oil we had a working product to demonstrate.

I'd thought it was because it was a software project, but other software projects have done quite well. So, I dunno. Maybe we just didn't get the marketing spiel right. 

The idea is/was to provide a full online editing experience, but using a file based backend, no database and therefore no SQL injection worries. Which eliminates  the No1 security issue with most CMS. There are plenty other file-based CMS but they mostly use BBS-code style editing. This has the full Monty, with CKEditor. It could have drag and drop image and video insertion too, if I ever get a round tuit.

http://maracms.com

[m98]

Without having checked out the backend or anything, but the site looks like it came straight out of 2005. The usability also isn't that great.
If you wanted to try change to a modern, shiny flat-file cms that's easily extendable, has already basic themes and plugins available and at least some kind of community, which one of the following would you choose after visiting their web page?

http://maracms.com
https://getgrav.org

[sleemanj]

The idea is/was to provide a full online editing experience, but using a file based backend, no database and therefore no SQL injection worries. Which eliminates  the No1 security issue with most CMS.

(...) with most stupidly written CMS.  A properly designed system, even a not-braindead-designed system has no trouble preventing SQL injection, or XSS injection, as a fundamental principle of it's operation.  It's just the handicapped cut-n-paste developers with no concept of... I'll stop talking now before I go off on a pointless rant.

Anyway, the "CMS" (a term I hate myself and don't use) market is sewn up, forget it, Wordpress, as god-awful as it is (it should have stuck to being a simple blog system, no need for becoming bloat city), has the momentum, and the few runners up like Silverstripe have the rest, anybody not using one of those, like me for example, uses their own in-house developed framework of some description which is, like yours, developed to suit their own needs.

I'll also agree with m98, that your site looks about 10-15 years out of date sorry, it indeed makes me think of Joomla, Mambo and even Horde from those early 00's, these are not good things to remind me of.

[IanMacdonald]

To reply to both - If SQL injection is so easliy prevented, why does Wordpress suffer so many code injection exploits? It would seem to me that with the size of coding team they have, any such issues should have been dealt with years ago. If, it was so easy to prevent. Of course, it is not, and that is the problem.

The only sure way to prevent it is to use T-SQL, but basing a product on T-SQL syntax would mean it being incompatible with the majority of hosting accounts. Which is why that won't happen any time soon.

What you actually mean by 'Straight out of 2005' isn't clear. Do you refer to the styling of the instruction site, the styling of other sites we've built with Mara, or the way it works? Not sure. 

Maracms.com is an instruction manual site. That is its purpose. It is laid out that way to provide readable instructions. Such would not be achieved by using a mega-banner style or the like.  It is however responsive, and can be read on a phone with 400px screen or larger.

Grav, I have no experience of but I'll take a look and see. The kind of styling used on the Grav site is trivially easy to produce in Mara. If, you think that looks modern. Though it reminded me of Windows 8  - a product which I'd rather forget.

Though, if the consensus is that the styling of the informational site is offputting, that can easily be changed.

[MK14]

using a file based backend, no database and therefore no SQL injection worries. Which eliminates  the No1 security issue with most CMS.

But surely the concept behind that is flawed.

Analogy/Example:
Pretend that most home burglaries, were by forcing open or defeating the front door Yale lock. (I.e. SQL injection).

Solution:
Get rid of all Yale front door locks and replace with 5 lever mortice locks.

But if everyone did that, then the home burglars, would just find other means, of breaking into peoples homes. In time it might involve defeating the 5 lever mortice locks.

Your new system, would be likely to have its own flaws.

E.g. Your new catcha system.
Currently says (when i just tried it):
"seven   t housa n d   t hree  hun d red   a n d   fift y - t wo  poin t   t hree  t hree"

It would appear that, a program could somewhat easily be written, which changes that into a description of a number in words. Hence a number in words to number converter can be written. Hence your captcha has been defeated ...
I doubt a good programmer would take too long to write something to defeat that.

[IanMacdonald]

OK so I installed Grav, and the installation went OK.

Then, I looked for how to edit a page, and it said:

Edit this Page

To edit this page, simply navigate to the folder you installed Grav into, and then browse to the user/pages/01.home folder and open the default.md file in your editor of choice. You will see the content of this page in Markdown format.

Our product old fashioned?      At least we have a builtin editor.  A good one, at that.

Edit: To be fair, Grav does have a page editor. It's only available if you install the Admin module. It's extremely basic though, and the devs seem to have devoted more effort to 'micromanagement' features like recording categorization,  dates and times of editing and so on than on providing actual editing capability.
 
"It would appear that, a program could somewhat easily be written, which changes that into a description of a number in words. Hence a number in words to number converter can be written. Hence your captcha has been defeated ..."
You are relying on surface appearances. Have you looked at the page source?

[MK14]

"It would appear that, a program could somewhat easily be written, which changes that into a description of a number in words. Hence a number in words to number converter can be written. Hence your captcha has been defeated ..."
You are relying on surface appearances. Have you looked at the page source?

At the time of writing my post, NO, I had not seen the page source. Although I may have seen it on your Captcha guides page. Which seems to go into a fair amount of detail about it.

My understanding is that the graphical pictures (used by some of them, although sometimes a REAL pain to do, even when you are a REAL human  ), are to make it very difficult to defeat by using a robot (programming).

Googles later one(s), where a very quick mouse click, is enough to sort the captcha out. Is (in my opinion) VERY clever, and a brilliant solution to captcha.

I.e. This:
https://www.wired.com/2014/12/google-one-click-recaptcha/



So it can be done, WITHOUT highly annoying/fiddly pictures to click or convert to words/numbers etc.

[IanMacdonald]

A bit offtopic as the captcha is just one small feature, but the reason is was made numeric is because we definitely didn't want to use the ReCaptcha type. The picture ones are even worse than the distorted text. "Click all pictures with street signs" -OK, is a house number a street sign, or not? Hard to say. Or, "Click all store fronts" -Is a street cafe classed as a store? Dunno.

[MK14]

A bit offtopic as the captcha is just one small feature, but the reason is was made numeric is because we definitely didn't want to use the ReCaptcha type. The picture ones are even worse than the distorted text. "Click all pictures with street signs" -OK, is a house number a street sign, or not? Hard to say. Or, "Click all store fronts" -Is a street cafe classed as a store? Dunno.

I agree.
Captchas are both partly off-topic, and an unfair early way of analyzing the quality of your work.
They are also a contentious subject area.

But anyway (as other(s) have already said), SQL-injection should be protect-able against, by quality, well written software.

[sleemanj]

To reply to both - If SQL injection is so easliy prevented, why does Wordpress suffer so many code injection exploits? It would seem to me that with the size of coding team they have, any such issues should have been dealt with years ago. If, it was so easy to prevent. Of course, it is not, and that is the problem.

Wordpress is shit because it is shit (and to an extent because of my not-invented-here-syndrome to be fair) not because it could not have been good.

Preventing sql injection, follow the rule, never trust anything from the user.

If you are passing an integer to the database, make sure it's an integer, if you are passing a string make sure it's a string and escape it, if it's a date make sure it's a date and format it... these are things done in your abstraction layer only. 

Data is never embedded directly into the sql outside of the abstraction layer class' methods.  You pass data into your abstraction, the abstraction verifies the data is of the correct type, does the escaping necessary and puts it into the appropriate places (variable substitution, or using paramertised sql).

[IanMacdonald]

Wordpress isn't shit. It's one of the best blogging platforms. To say that it's not so good for building websites with -if that is what you are saying- is like saying that a spanner doesn't make a very good chisel. If you use a tool for a purpose other than the intended one, expect suboptimal results.

SQL is shit. It is shit, because even if you as a project admin take great care to avoid code injection scenarios, there is no way of preventing a contributor to your project's code from using the odd unprotected query or two. That is usually how these vulns arise, through plugins rather than through the core code.

Actually, even T-SQL is still shit, because there is nothing in it which enforces the use of transactional queries. So in principle if there are careless coders around it's still just as vulnerable.

[krho]

Wordpress + its numerous pligins are shit. I just spent 2 days debugging and proving to the authors of OS and paid plugins that  that they completely fuck-up the order when all you want to do it just update the status via API. Every freaking update something is broken. When we were running inhouse code it has been stable for years.

[IanMacdonald]

"Every freaking update something is broken."

That was our experience of Mambo/Joomla, and the main reason we ditched it. Gained a fair degree of expertise in writing templates, only to have the whole lot made useless by an update.

Probably the biggest mistake was in using Kunena Forum. Now, Kunena is an excellent forum app, but it's tied to Joomla so ditching Joomla meant losing the forum as as well.

I don't feel quite so badly about WP, but recently and for the above reasons I was trying to persuade my webdev colleague not to use a forum which is a WP plugin. Use phpBB, Simple Machines or the like, I said. Keep it separate and keep your options open.