One thing I think many developers new to programming lack is a summary of
the fundamentals. The experienced developers take certain concepts for
granted - having a thorough understanding of how their systems work, they
understand implicitly how certain code affects performance and other basic
do's and don'ts. The new developer, on the other hand, may not have the
benefit of a formal programming education, and many programming tutorials
assume a basic level of knowledge.
I've written this article to emphasize the basics for the new programmer.
It applies to web development in any language, but since I do my development
work in PHP (usually building the php(Reactor)),
I'd like to share it with the PHP community.
Whenever I talk to people about web development I always lead in with the
question "What do you think is most important for building web sites?" I get a variety of answers, but 9 times out of 10 the answer is:
"It has to look good" or "Good graphic design."
At that point I take a step back and say "oh ... really?!?! Are you sure"
That usually pauses them. After that, I find my way to the closest white board and go to work. I make a list on the board like so:
and then way down at the bottom of the board I put:
Where do I get my priorities? Let me explain in detail. I'll start with security ...
When you're discussing the Internet, security should be the first thing that comes to mind. Unfortunately, security is an extremely complicated issue - even security experts cannot be 100% sure that their network is secure. At most, you can hope to reach a state where you feel comfortable about your network's security.
Now, granted that security poses a distinct challenge, it clearly becomes the priority in your network and application design. Security can be divided into three categories: 1) network, 2) server, and 3) application. For network and server security, installing a quality firewall and hiring a competent system administrator can go a long way towards making you feel comfortable.
Application security, however, is not so easy. Generally software must undergo a series of audits and "trial by fire" before it can be considered anywhere near safe. And even then, some exploits or bugs in the software may go undiscovered for years.
The point is that it takes years for application software to gain the comfortable level of security that is appointed the most secure applications. With that in mind, it makes sense to base your design on fundamental security concepts.
Some quick rules of thumb:
Always verify any data sent from a client for size and type.
Be extra careful with scripts that talk to databases - don't give the web server any more permissions that it needs.
Any file operations done by the web server are high risk. Verify that your permission structure does not grant any unnecessary permissions which could be exploited to damage the system.
Avoid executing shell commands at all costs.
Never send clear-text passwords over the network. Use encrypted connections, with ssh or ssl, whenever sending important information.
OK, more on that later, next, we'll talk about maintainability, or, where you are going to spend your time and money.
What's the number one cost in web design? Is it planning the application? Is it building the application for the first time? Is it the cost of the server or the connectivity?
Actually, it's none of these things. The highest cost will be maintaining the application. This is in contrast to traditional systems design, where a majority of expense is in the systems understanding and analysis.
Why the difference? With traditional systems, an application has a typical lifetime of 2 to 4 years. Once the application has reached a stable configuration the design effort is all but finished.
On the other hand, the dynamic aspect of the web makes most applications outdated in months rather than years. Improvements in existing applications are continuous, new content is expected, new technologies appear on a regular basis. A web application must improvise or be replaced. Another way to put it is that web software is in a continual prototyping process - user feedback and design demands are much more prevalent than in their traditional counterparts.
The fact remains that your software must be frequently modified and updated. Realizing this at an early point in the design phase is crucial to making maintenance easier in the future. Trust me, I've learned the hard way.
Build customization variables into your code. Separate code and content. Use templates. Use style sheets. Make the language of your site customizable. Develop a common coding style and stick with it. Comment your code well.
To put it simply, you can do what we do, and build everything for distribution. It may seem like an unnecessary investment of time and resources if you a designing for one customer only, but, trust me, when the client starts asking you to make changes, you'll thank me.
Next, we'll take a trip to the other side of the application: the user ...