I made a CMS at http://cms.rodadewa.net; feel free to download and try out the CMS. Basically it's free to use as long as my footer link is intact. Users can create their own theme from within the admin panel (CSS based).
This is not a blog CMS, but a normal website CMS suitable for small businesses, company profiles, indie bands / artists or something similar. Not to be compared with famous CMSs like Drupal, Joomla or Mambo, but who knows, if I get enough support I might really go serious on this CMS.
I've been testing it with a Flash XML gallery as well; it works and it's cool.
I hope that this script can somehow help web designers in projects involving a simple CMS (again, not to be compared with Joomla, Mambo etc.).
I've had this problem once or a few times when a client put the project on hold due to having no content, which resulted in my payment also being put on hold.
Your integers still seem to be insecure: the page http://cms.rodadewa.net/indexsub.php...BY%20id%20DESC
will take you to your latest article because I rewired the query to do so. When you have an integer field that you are putting in the database without quotes, typecast it to int.
This is because mysql_real_escape_string secures against ending the quote and executing commands, but does nothing against plain words, because they are normally valid parts of strings. The two ways against this are putting quotes around the int field (the MySQL manual recommends this) and typecasting the variable to int:
// Method One: quote the field so the value is treated as a string
// ($id must still go through mysql_real_escape_string() so it cannot end the quote)
$query = "SELECT * FROM table WHERE id='$id'";

// Method Two: force the value to an integer before it touches the query
$forcedInt = (int)$_GET["id"];
$query = "SELECT * FROM table WHERE id=$forcedInt";
While secure, both of these methods leave room for harmless (but annoying) errors. I suggest you further validate that you are working with a correct format, as opposed to letting the system catch it at the last second.
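The following is an added example, not code from the thread or from the CMS being discussed. It shows the unquoted-integer problem the reply describes and the "validate the format first" approach it recommends, run against an in-memory SQLite table through PDO so it works offline. The table name, column names and rows are constructed for the example; the CMS itself uses the old mysql extension, and the functions here (fetchArticleUnsafe, validateId, fetchArticleSafe) are hypothetical names.

```php
<?php
// Added example (not from the original thread): unquoted integer interpolation
// versus format validation plus a typed prepared statement.
// Table, columns and rows below are constructed for this example.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO article (id, title) VALUES (1, 'First post'), (2, 'Second post'), (3, 'Latest post')");

// Vulnerable form: the id is dropped into the SQL text without quotes, so escaping
// quote characters changes nothing; whatever arrives becomes part of the statement.
function fetchArticleUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT id, title FROM article WHERE id=$id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Format check done up front, as the reply suggests: only a plain decimal integer
// of at least 1 is accepted; anything else is reported as null instead of being
// silently coerced the way an (int) cast would do.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened form: reject malformed input before any SQL runs, then bind the value
// as an integer parameter so it can never be interpreted as SQL text.
function fetchArticleSafe(PDO $pdo, string $rawId): array
{
    $id = validateId($rawId);
    if ($id === null) {
        throw new InvalidArgumentException("id must be a positive integer, got: $rawId");
    }
    $stmt = $pdo->prepare('SELECT id, title FROM article WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 1. The unquoted form: a rewired id returns every row, newest first, instead of row 2.
$rows = fetchArticleUnsafe($pdo, '2 OR 1=1 ORDER BY id DESC');
echo "unsafe: " . count($rows) . " rows returned, first id is " . $rows[0]['id'] . "\n";

// 2. The hardened form: constructed request values as they would arrive in $_GET['id'].
foreach (['2', '2 OR 1=1 ORDER BY id DESC', 'abc', '0'] as $input) {
    try {
        $rows = fetchArticleSafe($pdo, $input);
        echo "safe, id='$input': " . count($rows) . " row(s), title '" . $rows[0]['title'] . "'\n";
    } catch (InvalidArgumentException $e) {
        echo "safe, id='$input': rejected (" . $e->getMessage() . ")\n";
    }
}
```

The point of validateId over a bare (int) cast is the "harmless but annoying errors" the reply mentions: (int)"abc" is 0 and (int)"2 OR 1=1" is 2, so the lookup quietly returns nothing or the wrong row. Checking the format first turns both into a clear rejection at the edge of the application, and the typed bind in fetchArticleSafe keeps the value out of the SQL text regardless.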