Let's assume we lived in a world with no Facebook, MySpace, or other social networking sites. Someone comes along and tells you about a site they want to make called (coincidentally) "MySpace". They describe how it works -- specifically user-specific pages, user-specific content uploading (video primarily), messaging between users. Could you make a MySpace site?
I am (among other things) looking for feedback about the difficulty of implementing specific features mentioned above. I mean, looking at MySpace, or even YouTube, the basic functionality (sans style-related bells and whistles) does not seem very difficult to implement. But I want to hear from the gurus.
There's nothing immensely complex about MySpace, in fact MySpace is pretty badly done imo and could be substantially improved upon. It'd take about 6 months to construct and test the thing, biggest problem would be a hosting solution capable of dealing with the potential traffic.
Now? No. But if I got paid for it I could probably learn. There's a good chance you wouldn't even have to start from scratch but could [-]steal[/-] borrow from other sites or use open source - the Flash music player from here, the message system from there... The major problem I'd have would be that I'd fiddle around with aesthetics forever. MySpace is ugly, and the user pages are even uglier for the most part. It's corporate tastelessness married to user incompetence and both cheating the other with Medusa's mother.
Yeah, Myspace is pretty much the epitome of bad web page design. Everything is NOT supposed to be on only one web page... That being said, the linking capability between user pages is the real genius behind it. Before that, Geocities was king, but Geocities didn't have such a capability and thus has fallen by the wayside.
In a sense, MySpace works kind of like a message board, with users being able to comment in threads about a specific user and start their own threads. Except it's all crammed into their user profile page.
They didn't at Facebook for quite a while either. Until I pointed it out to them in email and IM with a developer there (which they didn't take seriously), passwords were transmitted as POST variables in cleartext. So anyone with Ethereal could sniff anyone on the same subnet logging in to Facebook, especially on wireless. Even after that, it took them forever to redo their login page.
I'm not very knowledgeable when it comes to the tech end of webpages but I remember the old Facebook had a ton of little bugs that I found. One of the most obvious ones was that if a person commented on your wall you could go through their comment and link into anyone on their buddy list's profile. Even if they were in a different network or were set to private. It was like that for quite a while and I guess sometime in the last year they fixed it. MySpace just doesn't seem that complicated to me. It's a generic issued about me page with links and a mini message board for people to comment on. Cass said above that borrowing the video and music stuff wouldn't be that hard either, so what is so difficult about it? User registers, user is given a place to fill in all the info about themself that they wish, MySpace generates the code. User hits save and the page is produced. What am I forgetting about? I know there is more to it than that. You guys all are way out of my league in this department anyway, I'm just tired and bored.
There's nothing at all that is complicated about Myspace. However, even if you copied or improved upon each and every feature of Myspace, well, good luck with trying to get people to join that network. Myspace is here to stay for the foreseeable future, no matter what better social networks come around. Same reason everyone uses Windows, even though there are better OS's out there.
MySpace has a lot of churn, and if you build something people will prefer they'll leave it. Places like Tribe and Friendster started off quite popular, but MySpace took away many of their users, and at some point in the future, someone will take away MySpace's users.
I agree, but it won't be for a few years. Myspace continues to attract more people than leave it, by far. The growth on it is phenomenal. And every time someone asks, "Do you have a myspace?", they end up getting free advertising and another potential user. I know I've attracted many ppl to Myspace with that very question...damn, the company should be paying me for that. Actually, they already are, considering I own News Corp stock...
We should write one called "Wordforgespace" and make it so cool and elite that only a few people are on it.
Yeah I could make MySpace from scratch.. dunno if I could secure it well enough, though. Ecky, do you have some reading suggestions for that safety bit? I'm working on a site now for which I'm also writing a small CMS, and I don't particularly enjoy the idea that someone at some point will try to hack the site.. I know not to send passwords in URLs, or even as an unencoded session variable, but haven't given the encoding a try yet. MD5 or an alternative is easy enough to use, but I wonder if it is enough. (well that and stripping all input to bare text). Not that I imagine being able to keep the site completely secure, but I want to at least discourage the average Joe from trying. If they succeed anyway, well, there's always the backup.
Enforce a long minimum password length, and don't store the passwords anywhere, only the hashes. Also, be sure to escape any forms that will be used as inputs for an SQL database. Injection attacks suck. Also consider, assuming you don't need to have modifiable fields, having your database user only allowed to run SELECT statements.
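The advice in the post above (a minimum password length, storing only hashes, keeping form input out of the SQL text), as an added PHP example that is not code from any poster in the thread. It uses parameterized queries in place of manual escaping; the `users` table, `MIN_PASSWORD_LENGTH` and the in-memory SQLite DSN are assumptions chosen so the example is self-contained.

```php
<?php
declare(strict_types=1);

// Assumed policy value and schema; neither comes from the thread.
const MIN_PASSWORD_LENGTH = 12;

function open_db(): PDO {
    // In-memory SQLite keeps this self-contained; a LAMP site would use a MySQL DSN.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $name, string $password): bool {
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return false; // enforce the minimum length before anything is stored
    }
    // password_hash() salts and stretches; only the resulting hash string is stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
    return $stmt->execute([':name' => $name, ':hash' => $hash]);
}

function check_login(PDO $db, string $name, string $password): bool {
    // Placeholders keep user input out of the SQL text, so quotes in $name are plain data.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn(); // false when no such user exists
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample inputs.
$db = open_db();
var_dump(register_user($db, 'alice', 'short'));                        // below the minimum length
var_dump(register_user($db, 'alice', 'correct horse battery staple')); // meets the policy
var_dump(check_login($db, 'alice', 'correct horse battery staple'));   // matching password
var_dump(check_login($db, "alice' OR '1'='1", 'anything'));            // quote characters in the name
var_dump(check_login($db, 'alice', 'wrong password here'));            // non-matching password
```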
The documentation at php.net is a good start, and SecurityFocus has a guide. PHP is the most exploited scripting language, but that's mainly due to coders not locking it down properly. With MySQL, ensure it can't be accessed remotely so only the server it's sat on, or the network the server's on if necessary, can connect to it. Don't secure the admin section using cookies or session variables, give them an account on the server limited to the relevant directories and use integrated security. I'm not sure how to do that on a LAMP box, but that takes care of the password hashing for you. With the CMS, ensure all updates are done via a POST and check what page the data's coming from, check data input on the client and the server and I'd suggest moving a lot of the logic into stored procedures.