Msg#: 4132780 posted 4:47 pm on May 14, 2010 (gmt 0)
I am putting together a site for multiple clients. These will consist of their own custom named folder on the root of the site. For example www.domain.co.uk/clientname
These slots will be pre built and sold by a sales team in the field. The folders will be numbered when built and this number will be retained for CMS MySQL purposes only. The folder needs renaming when sold.
Example: www.domain.co.uk/301 becomes www.domain.co.uk/clientname. I would very much like the sales person to have a secure Admin area (but not full FTP access) where they can rename folder /301 to /clientname. I can make the Admin area secure with normal password protected directory function.
My questions are: Will this be secure enough? How do I make a web based facility to accomplish this?
I am using PHP with MySQL on a Unix VPS with cPanel facilities accompanied by patchy skills.
Any suggestions will be very much appreciated and by the way, please keep it in simple terms for me if you can.
Msg#: 4132780 posted 6:57 am on May 15, 2010 (gmt 0)
The easiest way to do this is with the PHP rename() function. You can create an HTML form page with two input values, the number and the new name of the directory. This form then calls a second PHP script which executes the PHP rename() function. You should do some input validation to be sure that the directory exists, only valid characters, no "/" which should make it possible to rename files in other directories etc.
Having a simple password protected admin area may not be a good idea in your situation. The sales team in the field will probably use public Wifi networks to connect to your server. These networks are easily sniffed. Using an SSL certificate and creating an encrypted website is therefore a better option.
You should also be aware that in this setup the password is always entered in a "hostile" environment in offices of customers where people can easily see what the sales person is typing. Regular password changing is therefore advised.
Msg#: 4132780 posted 9:33 am on May 16, 2010 (gmt 0)
I am sure you have good reasons for doing things this way, but it feels all wrong to me. Specifically:
1) Renaming with PHP means that your web server needs write permission on the containing directory. I hope your server config ensures it cannot contain executables.
2) How do you prevent accidental or malicious renaming of already sold directories by your sales people? It would also be preferable to be able to track who renamed/changed what.
You can certainly get around 1) and code to deal with 2), but you will need to be sure that your code is bug-free and can deal with all the edge cases (for example if clientname is a number).
If I found myself doing this, I would ask myself:
1) Is the pre-building of the directories necessary? Why can you not copy from a skeleton directory as and when needed?
2) Why is the renaming needed? Can you not map the path to the directory name in your CMS?
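The validated rename discussed in the two replies above, as an added example that is not part of any poster's message. The source must be an all-digit slot and the target must start with a letter, which keeps already-sold folders from being renamed again and avoids the numeric clientname edge case; each rename is logged with the authenticated user. `rename_slot()`, the paths and the log format are assumptions.

```php
<?php
// Added example; rename_slot(), SITE_ROOT and LOG_FILE are hypothetical names.
const SITE_ROOT = '/home/example/public_html'; // assumption: placeholder web root
const LOG_FILE  = '/home/example/rename.log';  // assumption: outside the web root

// Rename an unsold numbered slot to a client name; returns null or an error message.
function rename_slot($root, $slot, $name, $user, $log): ?string
{
    // Source must be digits only. Sold folders no longer have numeric names,
    // so they can never be picked as the source of a rename.
    if (!is_string($slot) || !preg_match('/^[0-9]{1,6}$/D', $slot)) {
        return 'slot must be a number';
    }
    // Target: letters, digits, hyphens, starting with a letter. This rejects
    // "/", "..", dots and all-numeric names in one rule.
    if (!is_string($name) || !preg_match('/^[a-z][a-z0-9-]{1,39}$/D', strtolower($name))) {
        return 'client name has invalid characters';
    }
    $from = "$root/$slot";
    $to   = "$root/" . strtolower($name);
    if (!is_dir($from) || is_link($from)) {
        return 'slot does not exist';
    }
    if (file_exists($to) || is_link($to)) {
        return 'client name already in use';
    }
    if (!rename($from, $to)) {
        return 'rename failed';
    }
    // Audit trail: who renamed what, and when.
    $line = sprintf("%s user=%s %s -> %s\n", gmdate('c'), $user, $slot, basename($to));
    file_put_contents($log, $line, FILE_APPEND | LOCK_EX);
    return null;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo in a temporary directory.
    $root = sys_get_temp_dir() . '/slots' . getmypid();
    mkdir("$root/301", 0755, true);
    mkdir("$root/acme");
    $tries = [['301', '../etc'], ['acme', 'other'], ['301', '302'], ['301', 'acme'], ['301', 'Widgets-Ltd']];
    foreach ($tries as [$s, $n]) {
        echo "$s -> $n: ", rename_slot($root, $s, $n, 'demo', "$root/rename.log") ?? 'ok', "\n";
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Form handler: REMOTE_USER is set by the password-protected directory.
    $err = rename_slot(SITE_ROOT, $_POST['slot'] ?? '', $_POST['name'] ?? '',
                       $_SERVER['REMOTE_USER'] ?? 'unknown', LOG_FILE);
    echo $err === null ? 'Renamed.' : 'Error: ' . htmlspecialchars($err);
}
```

Run from the command line it exercises the constructed cases; behind the form it acts on the real web root, so the web server user needs write permission on that directory.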
Msg#: 4132780 posted 4:30 am on May 22, 2010 (gmt 0)
It is not necessary that the path in the URI www.domain.co.uk/clientname has a 1:1 match with a physical path on your server. You can create numerical directories on your server and use rewrite rules in an .htaccess file to map the customer name directory to a numerical directory.
The small piece of code you have to provide to the salesmen in the field should add a rewrite rule to the .htaccess file.
A more complex method is to create a MySQL table where each record has two fields: the numerical directory name and the customer name. In your .htaccess file you add the following code:
(copied from the default WordPress .htaccess file)
This code redirects all URIs which are not available as an existing directory or file to the /index.php file. In that file you can add a MySQL lookup of the numerical directory matching the customer name in the URI and perform all necessary path translations. This is not an easy job because you have to account for all files in the directory structure including images etc, but with this solution you don't have to rename directories on the system level and there is optimal flexibility to map URIs to physical files. You need some solid programming skills for this solution.
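The lookup step described in the post above, as an added example that is not the poster's code: a function for the `/index.php` front controller that maps the client name in the URI to its numbered directory and refuses any path that resolves outside it. The `slots` table, its columns and the function name are assumptions, and the demo uses in-memory SQLite (requires `pdo_sqlite`) in place of MySQL so it runs offline.

```php
<?php
// Added example; the slots(client_name, dir_number) table and all names are hypothetical.
// Map "/clientname/images/logo.png" to the physical file under the numbered
// directory, or return null if the request must not be served.
function resolve_client_path(PDO $db, string $base, string $uriPath): ?string
{
    if (!preg_match('#^/([a-z][a-z0-9-]{1,39})(/.*)?$#D', $uriPath, $m)) {
        return null;
    }
    // Prepared statement: the client name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT dir_number FROM slots WHERE client_name = ?');
    $stmt->execute([$m[1]]);
    $dir = $stmt->fetchColumn();
    if ($dir === false || !ctype_digit((string) $dir)) {
        return null;
    }
    $rest = $m[2] ?? '/';
    $root = realpath("$base/$dir");
    $file = realpath("$base/$dir$rest");
    if ($root !== false && $file !== false && is_dir($file)) {
        $file = realpath("$file/index.php");
    }
    // realpath() resolves ".." and symlinks; the result must stay inside
    // this client's own directory.
    if ($root === false || $file === false
        || strpos($file, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: temporary directories and an in-memory lookup table.
    $base = sys_get_temp_dir() . '/sites' . getmypid();
    mkdir("$base/301/images", 0755, true);
    mkdir("$base/302");
    touch("$base/301/index.php");
    touch("$base/301/images/logo.png");
    touch("$base/302/secret.txt");
    $db = new PDO('sqlite::memory:');
    $db->exec("CREATE TABLE slots (client_name TEXT PRIMARY KEY, dir_number INTEGER)");
    $db->exec("INSERT INTO slots VALUES ('acme', 301)");
    foreach (['/acme/', '/acme/images/logo.png', '/acme/../302/secret.txt', '/nobody/x'] as $p) {
        echo $p, ' => ', resolve_client_path($db, $base, $p) ?? '(refused)', "\n";
    }
}
```

In the front controller the path argument would come from `parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)`.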
Msg#: 4132780 posted 8:32 am on May 22, 2010 (gmt 0)
Thanks lammert. My coding knowledge is about good enough to appreciate the methods that you suggest. However I don't have sufficient skills to implement your ideas.
In addition, each individual folder is quite extensive carrying a self contained CMS complete with image upload and resize and so on. I am terrified as to what might happen with this lot if I got it wrong, which is far from a remote possibility.
I have made each folder's contents customise itself by having a set of strings in an imported file configured from a MySQL table. That is all within my capabilities.
At kick off, I had expected to be able to either pre-name folders or be at my desk to rename on demand when sales spot an opportunity while they are out and about. Now circumstances have changed, which means I will at times need to let this run for periods without my availability to carry out this renaming.
The sales renaming function seemed to be a quite straightforward solution at first, but is emerging as anything but.
I hope this further clarification helps to appreciate where I'm at.
Msg#: 4132780 posted 12:59 am on May 24, 2010 (gmt 0)
You could, next time you are available, manually change the permissions on the folders that have been sold and renamed so their contents are then safe from being altered by a server/CMS exploit.
You could also run the renaming script as a CGI, which most servers allow to run as a different user, so that the server (I am assuming you are using Apache with mod_php) never has write permissions on them.
Are you copying the same CMS into each folder? Actually copying or symlinking?
The right solution would be to use a CMS that understands different groups of users managing different sub-sites, or to write (or get someone else to write) an extension to your CMS to handle that.