January 31, 2009

So, this post is really for myself -- as notes. But peruse if you wish. These are things that I have learned while working on Dertyn.
- External User Input Is The Source Of All Evil. Plain and simple, if you are going to take input from anyone but yourself: treat it like it is input aimed at destroying your tool. No external user input can be trusted, so all external user input must be scrubbed, cleaned and then scrubbed again. If you do not do this, then you put yourself at risk of some unthinkable security breach (i.e. you get hax0r3d).
- mysql_real_escape_string Is Your Friend. If you are taking input and shoving that input into a mysql database, do yourself a favor and escape the string before putting it into your database. Read about it here.
- Split Out SQL Statements. In order to keep yourself from forgetting to use the above function on any input, run all mysql queries through one single function that will escape all strings and also do the query. Educate yourself with this.
- func_get_args Does Arrays By Numeric Index. I was trying to build arrays like array( 'foo' => "foo", 'bah' => "bah" ) from something like function doodad ($foo, $bah). It does not work like that: func_get_args() returns the arguments as a numerically indexed array, not keyed by parameter name.
- Laying Out Things With CSS Is An Art. It really is. A hard and sometimes tiresome art to get things looking "just right". Lots of pixel pushing and lots of brainpower to imagine where divs are going to end up. Firebug helps a lot.
- Revision Control Is A Must. Even on a small project like mine, it has saved my ass a few times when I wrote myself into a corner and had to back everything out. On that note, with git, commit and commit a lot. It will help. I have used revision control before, but on large projects. I started using git when I was working on mindof. I have been using github and github rocks.
- strip_tags Does Not Do As Much As You Think. strip_tags was great until I was told that it does not strip out the attributes of allowed tags. Sigh.
- It's All About Security, Stupid. It takes real skills to actually ferret out what others will do with your code. I guess this whole learning experience was about this one bullet-point: Security. If you write a tool that will be consumed and used by the general public, make sure you think through all the ways that the tool can be broken. JR puts this well: Hackers have all the time in the world. All the time to figure out how to break your precious tool. I am convinced that real webdevs (I am not one) are born criminals who did not (or have not yet) gone to the dark side.
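As an added example (not code from this post), here is what strip_tags() leaves behind on allowed tags, followed by a hypothetical sanitize_html() built on PHP's DOMDocument that allow-lists attributes as well as tags and only keeps http(s) links:

```php
<?php
// Added example, not from the original post: strip_tags() keeps every
// attribute on an allow-listed tag, so on its own it is not a sanitizer.
// Constructed sample: allowed tags carrying event-handler attributes.
$input = '<p onmouseover="x()">Hi <b style="color:red">there</b> '
       . '<a href="javascript:x()" onclick="x()">link</a><script>x()</script></p>';
// Prints the <p>, <b> and <a> with all of their attributes intact; only the
// <script> tag itself is gone (its text "x()" remains).
echo strip_tags($input, '<p><b><a>'), "\n";

// Hypothetical DOMDocument filter: $allowed maps tag => allowed attribute names.
function sanitize_html(string $html, array $allowed): string
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // Wrap the fragment so it can be pulled back out of the generated document.
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>');
    $root = $doc->getElementById('root');
    filter_children($root, $allowed);
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

function filter_children(DOMNode $node, array $allowed): void
{
    // Iterate over a static copy: the tree is mutated while walking.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) { continue; }
        filter_children($child, $allowed);
        $tag = strtolower($child->tagName);
        if (!isset($allowed[$tag])) {
            // Disallowed element: drop script/style with contents, unwrap the rest.
            if ($tag !== 'script' && $tag !== 'style') {
                while ($child->firstChild) {
                    $node->insertBefore($child->firstChild, $child);
                }
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, $allowed[$tag], true)
                 && ($name !== 'href' || preg_match('#^https?://#i', trim($attr->value)));
            if (!$keep) { $child->removeAttribute($attr->name); }
        }
    }
}

// Output: <p>Hi <b>there</b> <a>link</a></p>
echo sanitize_html($input, ['p' => [], 'b' => [], 'a' => ['href']]), "\n";
```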
Anyways, those are my notes. I am having a lot of fun coding and learning. This is a great experience. And I appreciate all the help, tips, and encouragement from those real webdevs who have taken time to look at my n00b code.