DISQUS

Hello! Richard's Linux and E-learning blog is using DISQUS, a powerful comment system, to manage its comments. Learn more.

Community Page

bradshawenterprises.com/blog Jump to website »

Subscribe
- New Comments
Community
Top Commenters
- Richard Bradshaw
  12 comments · 1 points
- Facebook User
  2 comments · 1 points
- matsie
  1 comment · 3 points
- Rishabh Mishra (possible248)
  1 comment · 4 points
- Ryo
  1 comment · 7 points
Popular Threads
Recent Comments
- You're a great man, I love you
  4 days ago by Thomas McGrath
  
  in Links
- Really, you are
  5 days ago by James
  
  in Links
- YOU ARE AMAZING!
  5 days ago by James
  
  in Links
- You may add color to your shell , configure aliases , configure autorun bash logon scripts ,you can search through the history using ^r , you can type !! to be automatically replaced by the last...
  2 weeks ago by Khalil
  
  in 5 ways to make using bash more productive
- Windows 7 is my favorite OS. I wait for it long time. And I think so much and decide to install http://rapid4me.com/?q=Windows+7+Build
  2 months ago by redioa
  
  in 7 differences between Linux and Windows

Richard's Linux and E-learning blog

Jump to original thread »

5 mistakes new web developers often make

Started by Richard Bradshaw · 1 year ago

Image via Wikipedia
Having talked to some university students who had taken computer science/IT degrees, I was amazed by how little they seemed to know about making anything that’s secure or even remotely logical. The group I met with primarily had been taught PHP. Having looked at some sites they were designing I realised 5 things [...] ... Continue reading »

25 comments

Adam B
11 months ago

Nice list. There are a few things I'd recommend in addition primarily for security. I've dealt primarily with PHP, but this can be applied to other systems as well.

On production, always disable error output. Send your error messages to logs, but don't ever output them to the browser. Error messages, in addition to being unprofessional, can reveal details about your architecture that no one really needs to know.

Second, ALWAYS filter and validate input. Assume every user is trying to destroy your server. Go with a white-list approach. If an input is supposed to be a numeric ID, make sure it's numeric only. Make sure to run input through sanitizing like mysql_real_escape_string(). And if you're doing queries, make sure that your web user has ONLY the privileges it needs - don't give it drop table access or anything. If you want to go further, use two web users - one for read that only has select access, and the write, which has select, insert, update, and delete. Only use the write user when you actually need it.

Finally, when configuring your server, make the docroot as limited as possible. That is, stuff like include files and template files (if you have them) should not be accessible through the server.

Hope these tips help!

reply

stuffigoogled
12 months ago

Good point with number 5. These javascript/ajax frameworks have been thoroughly tested in multiple browsers.

reply

D
1 year ago

I learned #2 the hard way. Built a site for a local dancing club in the beginning of my career, and didn't bother to worry about security.

2 months later I get a call, that their guestbook was full of spam, and that it had broken completely recently (a meta redirect inserted in the comment).

I quickly added a captcha and made sure no SQL or Javascript injection was possible etc. This is a given today, no matter how small the project.

Good read.

reply

Elaine
1 year ago

Shouldn't that be "Don't ignore semantic design"?

reply

Richard Bradshaw
1 year ago

Edited to fix that... good thinking!

reply

Ryo
1 year ago

Nice posting, and so true. In addition to 3, one should be warned, that if you embed javascript you should first be aware of what you doing. Not only site statistics could eventually be transfered to someone else. At worst, even things a user entered could be send out. So, use only serious sources, and try to learn as much as you can about a specific service. Especially for Web 2.0 things, and that is not easy, even for a pro.

reply

Richard Bradshaw
1 year ago

Yeah - if you allow arbitrary code to run on your server, it's not your server anymore...

reply

pcdinh
1 year ago

Drupal code is bad styled too. Dont look at Drupal code and learn from it.

reply

testerman5
1 year ago

Also, avoid learning grammar from the internet.

You do have a point, however poorly written it may be. :p

reply

A Suresh Kumar
1 year ago

Good work, But in my case, the above issues doesn't cause more problem to the website except point no 1.

reply

Stephen Ward
1 year ago

Wow. This is all excellent advice, even for us pros (who all too often forget the basics). On "Don't reinvent the wheel," it's worth mentioning that learning about pre-existing platforms is a marketable job skill in and of itself. For example, I learned WordPress because I like to blog. However, because I developed that expertise, I now do a lot of lucrative side work setting up, customizing, and debugging WordPress installations. Learning existing tools can be well worth it from more than an efficiency standpoint.

reply

vinodpahuja
1 year ago

If Wheels were never reinvented
we would be still using the tyre of rock

reply

Sarmad
12 months ago

I think it is acceptable to reinvent another model of the wheel

reply

Damien
11 months ago

reinventing the wheel shouldn't be a problem for a company specializing in wheel development. why should bob smith try to make the next GoodYear tire clone out of play dough and an etch-a-sketch.

reply

paresh
1 year ago

nice useful article.

reply

Richard Bradshaw
1 year ago

Thanks!

reply

ktb
12 months ago

A thing I learned;
Use many functions instead of copy and paste, and use stlye classes instead of coyping single style attributes^^

reply

Kukas
12 months ago

Thanks for the article!

A point though about naming of include files - the best solution is to place them in a directory that's not directly accessible to the web. Your PHP scripts will still be able to include them just fine.

If you do have to have them in a web-accessible directory for some reason, at least place them in a directory all of their own. Then place a htaccess file in there containing the following:

<Files *>

order allow,deny

deny from all

</Files>

It's a mistake to think that giving your includes .php extensions makes them entirely safe. Should anyone ever try to access them individually (which is fairly unlikely anyway) they might not see your raw PHP code, but that code would be executed, with unknown consequences.

reply

Vince
12 months ago

#5 - so true

reply

imgriff
12 months ago

#6. Don't forget to spell check before posting your article *nudge nudge*

reply

Pete White
11 months ago

Good post, I will admit I've done a couple of them before. Fortunately I use Drupal now and it comes with Jquery which has a lot of the Javascript I need built in.

reply

Poppo
10 months ago

1 Mistake You Made:

Don't make your section headers smaller and less bold than your section content.

Why it's bad;

Because it's very hard to skim your page for the start of the next section.

reply

Webdesign Meppel
9 months ago

Mentioning some details about mysql_real_escape_string won't be a bad thing I guess...

reply

Carlos @ VPSmedia
8 months ago

Make sure your server is well secured, here's one of our guides: http://vpsmedia.com/articles/?p=25
its specific for Centos 5.2 but it should give anyone a pretty good idea.

reply