Jim Westergren
A blog about me, my projects, SEO, Web Development and Personal Development.
"If we did all the things we are capable of, we would literally astound ourselves." - Thomas A. Edison

Challenge In Building a CMS: Different Hosting Setups

This is the first article in a serie about the Clesto CMS – my first PHP project (I am still a kind of noob, feedback appreciated).

There is a huge difference in building something for yourself and something that you release for a lot of people to download. The Clesto CMS has now been tested in many various shared hosting companies, many having their own custom setups. It did at first not work in some of them and had to be corrected. On the way of testing and correcting I learned a great deal which I will outline in this article as I think others might also have use for it.

PHP 4 versus PHP 5

Many hosts are still running PHP 4 and so you have to make sure that your script is working as intended. The PHP Manual usually have notices on functions in what PHP version it was introduced. For example instead of file_put_contents() the functions of fopen(), fwrite() and fclose() has to be used. Or just make your own such as this one simple:

function write_to_file($file, $text, $method) {
	$fh = fopen($file, $method);
	fwrite($fh, $text);

PHP able to write to files?

Around half of the cases yes and half no. My CMS is flat file based and would not work if it cannot write to files so this is crucial. And it would be really stupid to tell the user to CHMOD some directories to 777 if it is not needed.

So I came up with this:

if ($fh = @fopen("../createdfiles/test.txt", 'w')) {
	$test = "pass";
} else {
    $test = "fail";

Then I can just use the $test variable to know if I should display a notice or not.

A word of warning! Having directories with permissions of 777 can be a security risk. In my CMS I have many protections in place, more about that later.

Safe Mode on or off

Your script has to work in both. See the article Functions restricted/disabled by safe mode from PHP.net.

cURL function turned off

Certain hosts such as Hostgator has this turned off. The solution is to not depend on it and check if it exist with a simple if:

if(function_exists("curl_init")) {
	// Do the cURL stuff here

Hosts that run PHP in CGI mode

Hostgator and the Swedish Binero does this for example. What this means is that any mention of php_flag or php_value in any .htaccess file will break the site completely and making all pages have an internal server error (500). This means that you cannot have things like php_flag display_errors off, php_flag register_globals off and php_flag magic_quotes_gpc off.

A solution for php_flag display_errors off (displaying errors on screen is a security risk) is to do it with PHP instead. My current set up looks like this:

error_reporting(E_ERROR | E_WARNING | E_PARSE);
ini_set("display_errors", "off");
ini_set("log_errors", "on");
ini_set("error_log", $path."createdfiles/error_log.txt");

Hosts that have Magic Quotes (magic_quotes_gpc) ON

When on, all ‘ (single-quote), ” (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically. This is identical to what addslashes() does. (source)

As we now don’t have a possibility of turning off Magic Quotes (see previous point) we just have to accept the possibility that it can be on. It will affect all GET, POST and COOKIE.

You can use this if:

if (get_magic_quotes_gpc()) {
	// Do stuff like stripslashes() here

Apache mod_rewrite module

Contrary as it may seem there has not been a single incident of the Apache mod_rewrite module missing. All hosts had it installed and ready – so this is not an issue. But in any case it can be tested like this:

if (function_exists('apache_get_modules') ) {
	if(!in_array('mod_rewrite',apache_get_modules())) {
	    echo "Apache mod_rewrite module is missing";

Foreign users

You will have users that write a foreign language with special characters. Those characters can be scrambled and it can be a pain in the ass trying to figure out what the problem is. The problem is a conflict with UTF-8 versus for example ISO-8859-1. I recommend using UTF-8 so make sure of the following:

  1. The physical files of your script is saved in the UTF-8 coding and not for example ANSI.
  2. You are sending the UTF-8 header on all pages of your script.
    header("Content-Type: text/html; charset=utf-8");
  3. You are displaying the Content Type meta tag with UTF-8:
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

Installation in subfolder

If you are using mod_rewrite as I do then the RewriteBase is very important. If the user is installing in a sub folder the RewriteBase have to change in the .htaccess.

As for the moment I am during the installation checking the $_SERVER["SCRIPT_NAME"] to see if the user is installing in a sub folder and if so I display a message saying that RewriteBase / have to be changed to RewriteBase /currentfolder/.

I know it is not an optimal solution and I cannot even make a check that the user has done it but it works. If someone know a better method then please comment below.

The reason I don’t want to make it dynamically is for security reasons. I even have the following in the root .htaccess:

## Protect all the .htaccess files
<Files .htaccess>
deny from all

Feedback on this article is greatly appreciated.

Boomark This! Subscribe to the RSS feed
About the Author Jim Westergren Jim Westergren is a web entrepreneur from Sweden now living in Bolivia. He is happily married and has two lovely children. Some of his interests are web development, SEO and writing. He is the Founder and CTO of TodaysWeb and his current major project is N.nu. Read his . Follow Jim on Twitter or Google+.
  • http://bilgili.web.tr murat

    Good , really nice sharing
    E?lence :)

  • http://www.mp3dinleyin.com mp3 dinle

    thanks süper bir disney olmu? :) te?ekkürler thank you very march administrator

  • http://techcrank.com Shubham

    Well good going.! Great stuff.!

  • http://www.edgeduderocks.com/cms Aaron B

    I am liking your cms alot. is there a way to add a blog feature?

  • http://www.jimwestergren.com/about-me-jim-westergren/ Jim Westergren

    Hi Aaron,

    No, not at the moment. Check out WordPress for a good blog you could get for free. And then you could either install that in a sub directory or link to it from your page.

  • http://www.edgeduderocks.com/cms Aaron B

    Thanks. I can do that easily.

  • http://easypublicspeaking.co.uk/ Keith Davis

    Hi Jim
    Sorry that I can’t add any technical help or comments, I’m OK with html and CSS but PHP is not my strong point.
    I do however appreciate all the potential problems of different PHP versions etc.
    What I’d like to do is thank you for putting in your own time to produce this CMS.
    Plus – I can hopefully provide you with some encouragement.

    Keep up the good work…

  • http://www.jimwestergren.com/about-me-jim-westergren/ Jim Westergren

    Thank you Keith.

  • A. Bear


    You are very correct that the differences in hosting providers can cause a major headache! In my personal experience, I prefer to lay down some requirements for the software that I consider to be reasonable. For example, I require everything I write to require PHP 5. if someone wants to install something that required PHP5, then it isn’t hard to find an appropriate host.

    That way, there’s no need to maintain compatibility with both systems. Trying to maintain compatibility with PHP4 and PHP5 at the same time will require a extra maintenance and a lot of library functions. Avoid it if you can! It will make your life a lot easier.

    What I DO try to do, however, is not use features that have been introduced in recent PHP versions (5.2, 5.3) and stick with what has been around for a while (5.0, 5.1). Hosting providers are awful about keeping things up to date…

    Speaking of error handling – if you are developing software for both PHP4 and PHP5, then you may want to consider looking at how PEAR (pear.php.net) handles errors. In PHP4, Exceptions did not exist, so most things dealt with errors the same way you do in C; return 0, -1, false, or some other basic value to denote an error condition.

    What PEAR does instead is return an error object, with a message, error code, stack trace, all kinds of good things from calls that fail. So, to check for an error condition from a PEAR library, you would call:

    if (PEAR::isError($result = $object->someMethod())) {
    echo "Something broke!";

    This was a godsend back in the days of PHP4 and worked very, very well. It provided some of the benefits of exceptions (good data about an error) in an environment that didn’t support them. If course, the code ends up having a lot of PEAR::isError blocks, but being able to handle and capture errors this way is a big benefit over checking for false.

    One pitfall that I see very often is string manipulation NOT being multibyte safe. For example, substr can break a Unicode string since it works on bytes, not characters. The mb_ functions are what should be used, but I have found that not all providers have it installed. One great solution that I found was this utf8 library that uses the native mb_ functions if they exist, but if thy do not, uses a pure PHP implementation for the same effect: http://sourceforge.net/projects/phputf8/

    Something that you may find useful (I find it to be VERY useful) is the auto_prepend feature. Every page needs access to standard libraries and configuration values, and using auto_prepend means you don’t have to add it to the top of every page.

    Combine this with __autoload and you have a great way to avoid a mess of require statements on every page. This only works, however, if your hosting provider allows you to use a custom php.ini or set values in an .htaccess file.

    Hope this helps – if not you, then someone else who stumbles along. PHP is a great language, but much like Perl it gives you a lot of rope. You can tie fancy knots or end up hanging yourself!

  • http://www.sarkibul.com mp3 dinle

    Well good going.! Great stuff.!

  • http://www.sem-service.com/ Gloria

    i like cms but i can use so good but i will learn more so that i can have good like others.

  • http://www.ineedhits.com/traffic/quickhits.aspx Alex

    Really I want to appreciate your post, we can easily take idea from your code, you have done good work to describe code . I will also try for my cms base website .

  • http://total-seo.blogspot.com Omer

    I will definitely try this in my next website.

  • http://www.au-laptop-battery.com/ gatery

    Well good going.! Great stuff.!

  • http://www.rupashibanglazahirbd2000 Md.Zahirul Hoque

    I am liking your cms alot. is there a way to add a blog feature?

  • http://www.rupashibanglazahirbd2000.n.nu/home Md.Zahirul Hoque

    I am liking your cms alot. is there a way to add my website?

  • http://www.mark9.net abdul hafeez

    Thanks for giving new dimensions in php

Previous post in category:

Next post in category:

Design, text and custom cache solution by myself.

Page generated in
0.00453 sec