by idea 6627 days ago
About a year ago I looked at the WordPress code. My PHP knowledge is limited, but it was easy to see that the code was not very good. Perhaps it has improved, but I personally wouldn't use it, especially on a server that runs important services.
2 comments

Even worse is chyrp. For reasons unbeknownst to me, they designed it in such a way that it ends up making 55 queries to render http://chyrp.net/blog/. This only increases when more content is added (so my assumption is that the authors don't know what a join is). Also, the last time I looked, it took your password, md5'd it (without a salt) and put it in a cookie for authentication to the admin. WordPress looks amazing compared to that.
Disclaimer: I'm the dumbass developer of Chyrp. I was pointed here by a follower. :P

55 queries? I see 18, and 20 when logged in. Something's weird there. Admittedly, it used to be quite high (116, nervous chuckle), but nowadays it hovers below WordPress' query count.

I don't know where you're getting that whole admin authentication thing from. Nowhere in the code does it do anything remotely similar to what you said. The cookies simply hold the browsing user's ID and md5ed password (the md5 is the only information on the password that is stored), which is then authenticated. It's not a username and password for the admin area. It's just the information of the user who's logged in. Nothing new.

There's no single "is_admin" check or anything of the sort. There's no "authentication to the admin". It's not an all-powerful section that checks for a single thing before giving you access to every function. The group that the browsing user is associated with must have the proper privileges to perform the various functionality that is checked throughout the administration section.

As for using salts on the md5 encryptions, I don't see anywhere in WordPress's code that does that either (I just downloaded the latest copy). I might add it in to 2.0, though. Should be a fairly easy change.

If you want the software to improve (which doesn't exactly seem to be the case), I just think you should either file tickets or confront the developer (me, and a couple contributors in the IRC channel) instead of spouting off misinformation on other sites.

"If you want the software to improve (which doesn't exactly seem to be the case), I just think you should either file tickets or confront the developer"

Consider removing the parenthetical remark and adding a period after a statement like this and leaving it there. Simple, powerful, and makes your point:

"If you want the software to improve, I just think you should either file tickets or confront the developer."

"If you want the software to improve, I just think you should either file tickets or confront the developer."

You could remove a few more words and make it

"If you want the software to improve, file tickets or confront the developer."

;-)

OK, OK, you can be my editor. Just stop following me everywhere and correcting my statements. Sheesh. Normal people just turn in a resumé or something.
Let me be perfectly clear. I have not investigated the code of Chyrp, primarily because I was turned off right away by a) the number of queries made, b) unsalted-hashed password in cookies (not that salted-hashed password in cookies is any better) and c) the fact that I dislike PHP. I should also mention that I'm NOT an advocate of WordPress either.

I didn't say that there's an is_admin thing, just that the password is stored in a cookie, seemingly for the purposes of authentication. Storing a hashed password like that is probably a bad idea, and perhaps even worse is storing the associated user id with it. Logging into the demo and looking at my cookies shows both of these things. This does nothing to prevent session hijacking, at all. In fact it doesn't even make an attempt.

In regards to queries, I should point out this screenshot taken a few minutes ago: http://apgwoz.com/images/chyrp-85.png in which you'll notice 85 queries, a bit worse than the 55 I saw before. It was probably my mistake for linking to the homepage, which shows 18 queries, rather than an inner page with other content. I apologize for that lack of judgement.

As for wanting the software to improve, you're right--I don't care. It's not solving a problem that hasn't been solved many times before, and aside from looking pretty I don't really see the need for a new blog platform. Just my 2 cents. Good luck in your efforts to release a version 2.0.

EDIT: I wanted to commend you on your sense of style. I really like the Chyrp homepage's design.

Strange, I've never had that many queries show up in testing the comments module, but now I see it too. I'll look into it.

Thanks for the design compliment. :) I might be changing it soon though, since white-on-black doesn't really work well for other sections of the site, like the documentation and forums.

Storing the password in the cookie? What possible reason could you have to do this? Storing the MD5 isn't much better than storing the plain text. And anyone that doesn't use a salted hash when keeping passwords in a database should not be allowed to program. Then again, rampant security problems are a big reason why I don't use PHP apps.
With due respect, I don't think storing an MD5-ed password in a user cookie is a smart thing to do. It's probably safer to store a session id or somesuch.
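As an added illustration of the session-id alternative suggested in the comment above (example code written here, not Chyrp's or WordPress's), a minimal server-side session store in Python: the cookie carries only a random opaque token, passwords are stored with a per-user salt, and sessions expire and can be revoked. The `legacy_cookie` helper reproduces the id + md5(password) cookie layout described in the thread only to show that such a value never changes, so it can be neither expired nor revoked without changing the password. Names, the in-memory store and the 1-hour TTL are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory session store for the example: token -> (user_id, expiry).
SESSIONS = {}
SESSION_TTL = 3600  # assumed lifetime in seconds

def legacy_cookie(user_id: int, password: str) -> str:
    """The scheme discussed in the thread: static, equal to the stored hash, never expires."""
    return f"{user_id}:{hashlib.md5(password.encode()).hexdigest()}"

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash for database storage; never placed in a cookie."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare

def login(user_id: int, password: str, stored_hash: str, now: Optional[float] = None) -> Optional[str]:
    """On success mint a fresh random token; the cookie value carries no password material."""
    if not verify_password(password, stored_hash):
        return None
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    SESSIONS[token] = (user_id, now + SESSION_TTL)
    return token

def user_for_cookie(token: str, now: Optional[float] = None) -> Optional[int]:
    """Resolve a cookie token to a user id, dropping expired sessions."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user_id, expires = entry
    now = time.time() if now is None else now
    if now > expires:
        del SESSIONS[token]
        return None
    return user_id

def logout(token: str) -> None:
    """Revocation is just deleting the server-side record."""
    SESSIONS.pop(token, None)
```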
I've looked at it on occasion as well, and while it's not exactly a work of art, it's not exactly terrible either, especially for an open source blogging product.

If you really want terrible code, take a look at Pivot. That's awful. WP is just, well, spaghetti-ish, I guess, but not terribly so.