Building a simple CMS with PHP and MySQL involves creating a database structure to store content, then writing PHP code to manage database operations through a user interface. At its core, you’ll use MySQL to store pages, posts, and metadata, while PHP handles the server-side logic that retrieves that data, processes user submissions, and generates the HTML that visitors see in their browsers. A basic CMS might include functionality for creating and editing pages, managing a simple blog, and controlling published content—essentially replicating what WordPress or Drupal do, but as a custom-built system tailored to your specific needs.
The process doesn’t require mastery of advanced frameworks or complex architecture. With foundational knowledge of SQL queries, PHP functions, HTML forms, and basic security practices, you can build a working system in days rather than weeks. For example, a small agency might create a lightweight CMS to manage client site updates without the overhead and feature bloat of enterprise platforms, or a developer might build one to understand how content management works under the hood.
Table of Contents
- What Database Schema Do You Need for a Basic PHP and MySQL CMS?
- Building the Database Connection and Protecting Against SQL Injection
- Creating the Admin Interface for Content Management
- Displaying Content on the Front End Without Revealing Backend Details
- Handling User Authentication and Authorization Securely
- Managing File Uploads and Media Storage
- Scaling and Modern Alternatives to Custom CMS Development
- Conclusion
What Database Schema Do You Need for a Basic PHP and MySQL CMS?
The foundation of any CMS is a well-designed database schema. At minimum, you need tables for pages or posts, users, and metadata like publication dates and author information. A simple schema might include a `pages` table with columns for `id`, `title`, `content`, `slug`, `author_id`, `created_at`, and `published`. You’ll also need a `users` table with fields for `id`, `username`, `password_hash`, and `role` to handle authentication and permissions. Many developers add a `categories` or `tags` table later when they realize the need to organize content beyond a flat list.
The relationship between tables matters significantly. The `pages` table should include a foreign key linking to the `users` table, establishing which user created or last edited each page. When designing this, think about what information you actually need to display or filter on the front end. A common mistake is over-engineering the schema upfront—adding fields for features you think you might want someday. Start with the essentials, then expand as your needs become clear. For instance, a simple blog CMS might only need pages and users initially, but later require a comments table when you decide to enable reader interaction.
Building the Database Connection and Protecting Against SQL Injection
Your PHP application needs a secure way to connect to MySQL. Using the MySQLi extension or PDO (PHP Data Objects) is essential; the older mysql extension has been removed from modern PHP versions entirely. A typical connection looks simple—a few lines creating an object that talks to your database—but the real importance lies in using prepared statements, which automatically protect your queries from SQL injection attacks where malicious users attempt to alter your SQL commands. Prepared statements separate your SQL code from user input, making injection nearly impossible.
For example, instead of directly inserting a user-submitted title into a query string, you use a placeholder in the SQL and pass the actual data separately. This is not optional if you’re handling any user input whatsoever. A developer who skips prepared statements might build a CMS that works perfectly in testing, then discovers their database was compromised after launch because someone crafted a malicious input that exposed customer data. Additionally, store passwords using a robust hashing function like bcrypt or Argon2—never store passwords in plain text or use outdated algorithms like MD5.
Creating the Admin Interface for Content Management
The admin interface is where users log in, write posts, and publish content. This typically involves html forms that submit data to PHP scripts which insert or update records in your database. A basic example workflow: a user fills out a form with a page title and content, clicks submit, and a PHP script validates the input, checks that the user is authenticated, and inserts a new row into the `pages` table.
When the form is submitted, the PHP script queries the database to confirm the operation succeeded, then redirects the user to either a confirmation page or a list of all pages they’ve created. Building this interface requires careful attention to user experience details that many first-time developers overlook. Your form should populate with existing data when editing, provide clear feedback on whether a save succeeded, and include safeguards like confirmation prompts before deleting content. A rich text editor like TinyMCE or CKEditor can make content entry easier, though integrating one adds complexity—sometimes a simple textarea is sufficient and you can always upgrade later.
Displaying Content on the Front End Without Revealing Backend Details
Once content is stored and managed, your public-facing website needs to retrieve and display it. You’ll write PHP scripts or pages that query your database and render the stored content as HTML. For instance, a page request like `yoursite.com/about` might internally query the database for a page with slug “about,” retrieve its title and content, then display it in a template. This separation—keeping your database structure private while exposing only the content you intend—is crucial for both security and maintainability.
The tradeoff here is between simplicity and performance. A straightforward approach queries the database every time someone visits a page, which is fine for small sites with modest traffic. However, a high-traffic site with frequent page requests will benefit from caching—storing recently viewed pages in memory so the database isn’t queried repeatedly. Adding caching complicates your code and requires managing cache invalidation (updating cached content when the original is edited), so weigh the actual performance needs of your project before implementing it.
Handling User Authentication and Authorization Securely
Authentication verifies who a user is, while authorization determines what they can do. A basic CMS typically has at least two roles: admin (who can create and publish content) and viewer (who sees only public content). When a user logs in, you verify their credentials against your `users` table, create a session, and store that session state either in the server’s memory or in a database. On subsequent requests, you check whether a valid session exists before allowing access to admin functions.
A critical limitation of session-based authentication is that it’s server-dependent—if you deploy your CMS across multiple servers, you need a shared session store (like Redis or database sessions) or sessions won’t persist. Additionally, sessions can be stolen through cross-site scripting (XSS) attacks if your code doesn’t properly escape user-generated content before displaying it in HTML. Always sanitize and escape any data that came from a user or database before rendering it in a web page. Another common pitfall: developers often implement “remember me” functionality with an unencrypted cookie, allowing anyone with access to that cookie to impersonate the user indefinitely.
Managing File Uploads and Media Storage
Content often includes images and documents. Storing these in your database is inefficient—instead, save them to a directory on your server and store the file path or URL in your database. Create a dedicated upload handler that validates file types (checking both the file extension and actual content), limits file size, and stores uploads outside your web root if possible to prevent security vulnerabilities where uploaded files might be executed as scripts.
For example, a user uploads an image they claim is a JPG but is actually a PHP script. If you store it in a publicly accessible directory and an attacker can access it via a browser, they could potentially execute that PHP code. Storing uploads outside the web-accessible directory and serving them through a PHP script that only delivers the intended file types prevents this attack. As your site grows and traffic increases, you’ll likely move to cloud storage like AWS S3 rather than managing server disks yourself.
Scaling and Modern Alternatives to Custom CMS Development
A homemade CMS works well for learning and small projects, but it will eventually hit limitations as your site grows. You’ll need to implement features like user permissions, revision history, scheduling posts for future publication, and handling concurrent edits—functionality that takes weeks to build and maintain properly. At that point, reconsidering platforms like WordPress or Drupal isn’t admitting defeat; it’s recognizing that those tools exist precisely because building CMS features reliably is harder than it first appears.
That said, building a simple CMS remains an excellent educational exercise. You’ll gain deeper understanding of how databases work, how web frameworks operate, and why security matters at every level. Whether you eventually use your custom system in production or move to an established platform, the knowledge you gain is transferable and invaluable.
Conclusion
Building a simple CMS with PHP and MySQL is achievable with fundamental web development skills. Start with a straightforward database schema, use prepared statements to prevent SQL injection, build a secure admin interface for content management, and implement proper authentication and authorization. The key is prioritizing security from the beginning—especially around password storage, prepared statements, and escaping output—rather than treating it as an afterthought.
Begin with the essentials and expand only as real needs emerge. Create a basic pages table and users table, write PHP scripts to manage content, then enhance the system with features like categories, comments, or media management as your project demands. As your CMS grows and complexity increases, you’ll develop appreciation for why platforms like WordPress exist, but you’ll also have built something uniquely tailored to your needs and deepened your understanding of how the web works.
