Posted by Umberto Salsi on 09/16/05 13:04
"Mike Novecento" <mike.novecento@gmail.com> wrote:
> I am going to start a big project like blogger.com, flickr.com,
> craigslist or something like that. The fact that the project will be
> (hopefully) popular implies security issues and application
> stress/scaling issues as well.
> [...]
> My aim is SPEED OF DEVELOPMENT, LOW TIME TO LEARN THE TECHNOLOGY and
> APPLICATION STRENGTH (to security and to scalability issues).
Contrary to the popular belief, the PHP language is a perfect choice
both for small and for large projects, provided that you follow some
guidelines:
- Prevent collisions between constants, global variables, functions and
classes by adopting the naming schema MODULE_NAME.
- Security: build your set of validation routines. All the input from
the user must be validated by these functions. Every function should
return the error message or the empty string:
function Validate_TYPE($name_of_the_field, $value_of_the_field)
- Security: never send to the client information about the internal
status of the WEB application. Always store it in the user session.
- Security/Rapid development: use a framework to build WEB applications
that supports call-forward functions, call-backward functions and that
implements a stack of function calls. A "call-forward" is the function to
be called when the user clicks an anchor or a button of the current
page. The call-backward is the function that will be inserted into the
stack if the corresponding call-forward is called. The stack implements
the same concept as a processor stack of data and return addresses.
Just an example:

    function Data_Confirm($data)
    {
        PageHeader();
        echo "You entered '". Text2Html($data) ."'. Confirm?";
        Form();
        # Set a button associated to the call-forward bt_return():
        bt_button("No", "bt_return");
        # Set a button associated to the call-forward Data_Save($data):
        bt_button("Yes", "Data_Save", $data);
        Form_();
        PageFooter();
    }

The HTML code generated by this function might be like this:

    <HTML><BODY>You entered 'xxxx'. Confirm?
    <FORM method=post action=your_web_appl>
    <INPUT type=submit name=button_1 value="No">
    <INPUT type=submit name=button_2 value="Yes">
    </FORM>
    </BODY></HTML>

    function Data_Save($data)
    {
        /* ...save $data... */
        # back to the caller:
        bt_return();
    }
Note that every function generates a WEB page. Note that all the
information about the internal status of the application is never sent
to the client; it is instead stored inside the user session. The only
things we expect from the client are: a session cookie, the values of
the form fields, the button pressed.
- Regularly check your WEB application with a source validator. I
developed my own source validator, PHPLint, just for this purpose and,
although not finished yet, it promotes a good programming style similar
to the Java language.
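The call-forward/call-backward stack described above, as an added example that is not code from the original post nor from Umberto Salsi's own framework. It assumes PHP 7.4+ and uses hypothetical function names (bt_button, bt_show, bt_handle_request, Page_Start) chosen for the illustration; the point is that the button-to-handler table and the return-address stack live only in $_SESSION, so the client can name a button but never choose the code or the arguments that run.

```php
<?php
// Added example (not from the original post or Umberto Salsi's framework), PHP 7.4+:
// a call-forward/call-backward dispatcher with all state in $_SESSION; the client
// sends only the session cookie, the form fields and the pressed button's name.
session_start();
$_SESSION['stack'] ??= [];    // return addresses (call-backwards)
$_SESSION['buttons'] ??= [];  // buttons of the page last shown to this user
// Register a button: the client sees only the opaque name "button_N"; the
// call-forward, its arguments and the call-backward stay server-side.
function bt_button(string $label, string $fwd, array $args = [], ?string $back = null): void {
    $n = count($_SESSION['buttons']) + 1;
    $_SESSION['buttons']["button_$n"] = [$fwd, $args, $back];
    echo '<input type="submit" name="button_', $n, '" value="',
         htmlspecialchars($label, ENT_QUOTES, 'UTF-8'), "\">\n";
}
// Show a page; only the buttons of the page actually shown are accepted next.
function bt_show(string $fn, array $args = []): void {
    $_SESSION['buttons'] = [];
    $fn(...$args);
}
function bt_return(): void { // pop the call-backward and resume it
    bt_show(array_pop($_SESSION['stack']) ?? 'Page_Start');
}
// Entry point. A button name not in the table (stale, replayed or tampered
// form) is never used to look up code: the request falls back to the start.
function bt_handle_request(array $post): void {
    foreach ($_SESSION['buttons'] as $name => [$fwd, $args, $back]) {
        if (isset($post[$name])) {
            if ($back !== null) { $_SESSION['stack'][] = $back; }
            bt_show($fwd, $args);
            return;
        }
    }
    bt_show('Page_Start');
}
function Page_Start(): void {
    echo "<form method=post>Save 'xxxx'?\n";
    bt_button("Go", 'Data_Confirm', ['xxxx'], 'Page_Start'); // pushes the return address
    echo "</form>\n";
}
function Data_Confirm(string $data): void {
    echo "<form method=post>You entered '", htmlspecialchars($data, ENT_QUOTES, 'UTF-8'), "'. Confirm?\n";
    bt_button("No", 'bt_return');
    bt_button("Yes", 'Data_Save', [$data]);
    echo "</form>\n";
}
function Data_Save(string $data): void {
    bt_return(); // (...save $data...) then back to the caller
}
bt_handle_request($_POST);
```

Pressing "Go" pushes Page_Start on the stack and shows Data_Confirm; both "No" and "Yes" (through Data_Save) end in bt_return, which pops that address, so the flow resumes where it started without any of it having been visible in the HTML.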
Regards,
___
/_|_\ Umberto Salsi
\/_\/ www.icosaedro.it