1. Don’t name your includes something.inc
Why it’s bad: Unless you specifically set .inc files to be parsed as php they are readable by just browsing to that page. Not good if we are talking about files that include the database username and password.Easy way to fix: Name your includes .inc.php or put them in a folder called includes, and name them .php
Harder way to fix: Put a file named .htaccess in the directory with your .inc files, and add this line:
AddHandler application/x-httpd-php .inc
2. Don’t assume that because your site is small, it won’t be hammered by crackers
Why it’s bad: Although being hammered by crackers would be an unusual turn of events, for a website it’s inevitable. Bots exist with the sole purpose of cracking websites in order to add redirects to malware or spam to the site.I built a small ruby site once, just as a test to see how it all worked. It had a comment form. I didn’t worry about sanatising the input, as I didn’t link to this site anywhere. Within a week there were about 4000 comments, all linking to spam. Luckily I hadn’t allowed javascript in the comments, so there wasn’t any evil redirections or anything, but the point is clear. Your site will be attacked.
How to fix: Read up on SQL injection and Cross Site Scripting (XSS). Use the PHP function mysql_real_escape_string to santise anything you are going to put into a database. Don’t allow html tags in your users input. Try to crack your site yourself - how would you do it?
3. Don’t just dump random code from tutorials into your site
Why it’s bad: I’ve seen sites before that link to 3 or 4 javascript frameworks, often to allow fancy animations and the like. This is fine, but there is a lot of crossover between them - I don’t see why you need more than one. These frameworks are pretty large - downloading even one to provide a trivial feature is questionable, but linking 3 or 4 is just madness.Also, the golden rule of programming: if you don’t understand what code does, you probably shouldn’t be using it! (Caveat: unless it’s Perl - no one understands that!)
How to fix: Learn how to use javascript properly, or just stick to one framework.
4. Don’t ignore semantic design
Why it’s bad: It makes things harder for you. Honestly.Using a semantic design means that headers are tagged using the H1, H2, H3 tags, paragraphs use p etc etc. Don’t inline style your headers with a font size and a font weight to get them larger and bold - use the way it’s designed to help you!
Use classes sensibly. Don’t put your red title in a class called redtitle - when you redesign the site that doesn’t make sense. Call it subtitle or something that describes what it is, not what it does.
Moving on from the basics, consider using technologies such as microformats to help you - these describe the information on your site more fully.
How to fix: Always separate content from presentation. Seperate CSS style sheets from HTML pages. Think about what purpose a page element serves, tag it appropriately and then use CSS to format it.
5. Don’t reinvent the wheel
Check what exists before you start. If you want to make a site, check out the existing tools: Wordpress, Joomla, Drupal etc. all have a head start on you - it might make more sense to take their code and design from there.If you are using ajax, use a javascript framework - as new browsers come out with different support you can simply upgrade the framework rather than having to deal with these inconsistancies yourself.
Of course, if you are starting something totally new, a blank slate is often the place to start, but don’t waste time on work that doesn’t need to be done.
Conclusion
So, there you go - 5 things that I have definitely done before and hopefully some sound advice for people starting out.Any further ideas, add them to the comments!
No comments:
Post a Comment