Student project aiming to develop a secure PHP application (blog), developed with Roman MKRTCHIAN as part of the WASP (Web Application Security) course at Polytech Nice Sophia (5th year, 2012-2013).
The project is written using HTML5 and CSS3 so be sure to use a recent web browser for the best experience.
The project makes use of:
- Disqus for comments
- ReCaptcha to prevent robots from spamming the blog with unwanted comments
- Redbean for Object-Relational Mapping
- CKEditor for WYSIWYG edition of blog entries
- HTML Purifier for malicious code filtering
- Bootstrap for the layout
For detailed information (in French), you can read this document.
All the configuration is done by editing the file named setup.php in the includes directory.
First, you need to create a database. By default, this is a MySQL database, though you can change this by editing the DB_DSN_PDO variable. Edit the DB_HOST, DB_NAME, DB_USER and DB_PASSWORD variables to match your configuration.
The project comes with a wasp.sql sample database dump which you can import using a tool such as PHPMyAdmin or by running a command such as mysql -p -u root database_name < wasp.sql.
This dump contains a test user (login: user@yopmail.com, password: password) and a few posts so that you can quickly see what the blog posts look like.
Create a ReCaptcha account and update the RECAPTCHA_PUBLICKEY and RECAPTCHA_PRIVATEKEY variables with the public and private keys provided by the ReCaptcha service.
By default, the comments you will see are those associated with the Disqus shortname 'waspblog'. You can change this by creating an account on Disqus and setting your own shortname in the DISQUS_SHORTNAME variable. Please note that Disqus comments will not appear when running locally.
You must then configure the SMTP server that will be used to send emails to the users of the blog. The default setup.php file is configured to use a GMail account, but you will need to update the SMTP_LOGIN and SMTP_PASSWORD variables with your GMail login and password.
You will probably need to update the DOMAIN and ROOTPATH variables. For instance, if you wish to make the project available at http://domain.com/blog/, set DOMAIN to 'http://domain.com' and ROOTPATH to '/blog/'.
If you want this blog to be secure, you need to change the SALT variable, since the default one is published publicly. However, if you do this, previously created accounts will become invalid, including the one from the sample database.
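The following added example (not code from the WASP project) shows why changing SALT invalidates existing accounts and how a login routine can migrate them instead of locking everyone out. It assumes a hypothetical legacy scheme of sha1(SALT . password); the placeholder salt values and the verify_and_upgrade function are assumptions, not part of the project.

```php
<?php
// Added example, not code from the WASP project. It ASSUMES the legacy
// scheme is sha1(SALT . password) (hypothetical; check includes/setup.php and
// the user model for the real one). Requires PHP 7+.

const OLD_SALT = 'PLACEHOLDER_published_default_salt';  // the shipped value
const NEW_SALT = 'PLACEHOLDER_your_own_long_random_salt';

function legacy_hash(string $password, string $salt): string
{
    return sha1($salt . $password);
}

// Hash as it would sit in wasp.sql for the sample user (login user@yopmail.com).
$stored = legacy_hash('password', OLD_SALT);

// After changing SALT, the same password no longer reproduces the stored hash,
// which is why every pre-existing account stops working.
echo 'legacy hash still matches under NEW_SALT: ';
var_dump(hash_equals($stored, legacy_hash('password', NEW_SALT)));

// Migration path: accept a legacy hash under the OLD salt once, then rewrite
// it with password_hash(), which uses a random per-user salt and so removes
// the need for a global SALT altogether.
function verify_and_upgrade(string $password, string $stored, callable $persist): bool
{
    if (password_verify($password, $stored)) {   // already upgraded to bcrypt
        return true;
    }
    if (hash_equals($stored, legacy_hash($password, OLD_SALT))) {
        $persist(password_hash($password, PASSWORD_DEFAULT));
        return true;
    }
    return false;
}

// Constructed demo: the first login migrates the sample user, later logins
// verify against the bcrypt hash and the old global salt is no longer needed.
$db = ['hash' => $stored];
$persist = function (string $new) use (&$db) { $db['hash'] = $new; };
echo 'first login with legacy hash: ';
var_dump(verify_and_upgrade('password', $db['hash'], $persist));
echo 'stored hash is now bcrypt: ';
var_dump(strpos($db['hash'], '$2y$') === 0);
echo 'wrong password after migration: ';
var_dump(verify_and_upgrade('wrong', $db['hash'], $persist));
```

Keep OLD_SALT only for the migration window and remove it once every active account has been rewritten.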
François CHAPUIS - Afnarel
Roman MKRTCHIAN - nam0r
This project is distributed under the terms of the Creative Commons CC-BY-SA license.
If you wish to contribute some code, you are welcome to submit pull requests.