Richard's Linux and E-learning blog - Latest Comments in General

Re: 5 mistakes new web developers often make

Pete White — Tue, 22 Jul 2008 15:41:36 -0000

Good post, I will admit I've done a couple of them before. Fortunately I use Drupal now and it comes with Jquery which has a lot of the Javascript I need built in.

Re: 5 mistakes new web developers often make

Adam B — Sun, 13 Jul 2008 03:17:52 -0000

Nice list. There are a few things I'd recommend in addition primarily for security. I've dealt primarily with PHP, but this can be applied to other systems as well.

On production, always disable error output. Send your error messages to logs, but don't ever output them to the browser. Error messages, in addition to being unprofessional, can reveal details about your architecture that no one really needs to know.

Second, ALWAYS filter and validate input. Assume every user is trying to destroy your server. Go with a white-list approach. If an input is supposed to be a numeric ID, make sure it's numeric only. Make sure to run input through sanitizing like mysql_real_escape_string(). And if you're doing queries, make sure that your web user has ONLY the privileges it needs - don't give it drop table access or anything. If you want to go further, use two web users - one for read that only has select access, and the write, which has select, insert, update, and delete. Only use the write user when you actually need it.

Finally, when configuring your server, make the docroot as limited as possible. That is, stuff like include files and template files (if you have them) should not be accessible through the server.

Hope these tips help!

Re: 5 mistakes new web developers often make

Damien — Fri, 11 Jul 2008 14:30:57 -0000

reinventing the wheel shouldn't be a problem for a company specializing in wheel development. why should bob smith try to make the next GoodYear tire clone out of play dough and an etch-a-sketch.

Re: 5 mistakes new web developers often make

imgriff — Mon, 07 Jul 2008 23:29:35 -0000

#6. Don't forget to spell check before posting your article *nudge nudge*

Re: 5 mistakes new web developers often make

stuffigoogled — Sat, 05 Jul 2008 17:40:46 -0000

Good point with number 5. These javascript/ajax frameworks have been thoroughly tested in multiple browsers.

Re: 5 mistakes new web developers often make

Vince — Sat, 05 Jul 2008 16:08:50 -0000

#5 - so true

Re: 5 mistakes new web developers often make

Sarmad — Sat, 05 Jul 2008 13:03:10 -0000

I think it is acceptable to reinvent another model of the wheel

Re: 5 mistakes new web developers often make

Kukas — Fri, 04 Jul 2008 21:10:28 -0000

Thanks for the article!

A point though about naming of include files - the best solution is to place them in a directory that's not directly accessible to the web. Your PHP scripts will still be able to include them just fine.

If you do have to have them in a web-accessible directory for some reason, at least place them in a directory all of their own. Then place a htaccess file in there containing the following:

<Files *>

order allow,deny

deny from all

</Files>

It's a mistake to think that giving your includes .php extensions makes them entirely safe. Should anyone ever try to access them individually (which is fairly unlikely anyway) they might not see your raw PHP code, but that code would be executed, with unknown consequences.

Re: 5 mistakes new web developers often make

ktb — Fri, 04 Jul 2008 19:27:41 -0000

A thing I learned;
Use many functions instead of copy and paste, and use stlye classes instead of coyping single style attributes^^

Re: 5 mistakes new web developers often make

richbradshaw — Tue, 01 Jul 2008 15:50:59 -0000

Thanks!

Re: 5 mistakes new web developers often make

paresh — Tue, 01 Jul 2008 11:53:20 -0000

nice useful article.

Re: 5 mistakes new web developers often make

vinodpahuja — Tue, 01 Jul 2008 10:54:23 -0000

If Wheels were never reinvented
we would be still using the tyre of rock

Re: 5 mistakes new web developers often make

testerman5 — Tue, 01 Jul 2008 01:49:32 -0000

Also, avoid learning grammar from the internet.

You do have a point, however poorly written it may be. :p

Re: 5 mistakes new web developers often make

Stephen Ward — Mon, 30 Jun 2008 21:01:41 -0000

Wow. This is all excellent advice, even for us pros (who all too often forget the basics). On "Don't reinvent the wheel," it's worth mentioning that learning about pre-existing platforms is a marketable job skill in and of itself. For example, I learned WordPress because I like to blog. However, because I developed that expertise, I now do a lot of lucrative side work setting up, customizing, and debugging WordPress installations. Learning existing tools can be well worth it from more than an efficiency standpoint.

Re: 5 mistakes new web developers often make

Mon, 30 Jun 2008 18:41:37 -0000

I learned #2 the hard way. Built a site for a local dancing club in the beginning of my career, and didn't bother to worry about security.

2 months later I get a call, that their guestbook was full of spam, and that it had broken completely recently (a meta redirect inserted in the comment).

I quickly added a captcha and made sure no SQL or Javascript injection was possible etc. This is a given today, no matter how small the project.

Good read.

Re: 5 mistakes new web developers often make

richbradshaw — Mon, 30 Jun 2008 16:40:50 -0000

Edited to fix that... good thinking!

Re: 5 mistakes new web developers often make

Elaine — Mon, 30 Jun 2008 16:16:08 -0000

Shouldn't that be "Don't ignore semantic design"?

Re: 5 mistakes new web developers often make

A Suresh Kumar — Sun, 29 Jun 2008 16:40:52 -0000

Good work, But in my case, the above issues doesn't cause more problem to the website except point no 1.

Re: 5 mistakes new web developers often make

pcdinh — Sun, 29 Jun 2008 15:20:25 -0000

Drupal code is bad styled too. Dont look at Drupal code and learn from it.

Re: 5 mistakes new web developers often make

richbradshaw — Sun, 29 Jun 2008 14:17:12 -0000

Yeah - if you allow arbitrary code to run on your server, it's not your server anymore...

Re: 5 mistakes new web developers often make

ryo — Sun, 29 Jun 2008 14:04:36 -0000

Nice posting, and so true. In addition to 3, one should be warned, that if you embed javascript you should first be aware of what you doing. Not only site statistics could eventually be transfered to someone else. At worst, even things a user entered could be send out. So, use only serious sources, and try to learn as much as you can about a specific service. Especially for Web 2.0 things, and that is not easy, even for a pro.

Re: How to: Get all Facebook friends + emails into any address book!

richbradshaw — Sat, 14 Jun 2008 14:15:41 -0000

No - it seems that Microsoft stopped it a few hours after I posted this.

Re: How to: Get all Facebook friends + emails into any address book!

dan boman — Sat, 14 Jun 2008 06:49:21 -0000

this does not work anymore??

Re: Powerset: Find Factz, Get a T-shirt

Raveesh — Wed, 11 Jun 2008 12:10:59 -0000

Factz! Ahemm! Lets get it started...

1) Who came first? The chicken or the egg!

Not only I got a answer to this dilemma, but also a pragmatic explanation.
http://www.flickr.com/photos/27547438@N02/25695...

2) Who got kidnapped in Alex Haley's Roots.
The search was impressive, Kunta Knite
http://flickr.com/photos/27547438@N02/2569599603/

3) Who wrote Love in The Time of Cholera,
Didn't return the Author name, but gave the essence of the novel. Not bad!
http://flickr.com/photos/27547438@N02/2570425484/

4) Which Sect Tom Cruise believes in
This was phenomenon, Scientology
http://flickr.com/photos/27547438@N02/2569618505/

Re: — Richard’s linux, web design and e-learning collection

bradyk — Tue, 10 Jun 2008 04:44:48 -0000

Hi Brad,

I saw your comment on RW/W about my idAuth concept, and couldn't find any easy way to contact you, so thought I'd do it through this.

I'm aware of MicroID, but the concept of idAuth is much more than that... and it's why it's more complicated. idAuth is three different things rolled into one:
-a low-level user authentication (prior to data posting)
-a "data push" to source of user's choice (during data posting)
-a passive and machine-verifiable method of identity (after data posting)

I'd be more than happy to talk with you about this... I'm setting up a working group, and want ideas from people that care about this. Check out our new (and still developing) site: www.idauth.org, and feel free to email me: brady.k@gmail.com

Thanks
--Kyle