
Secure PHP Development- P19


Document information:

Secure PHP Development- P19: Welcome to Secure PHP Development: Building 50 Practical Applications. PHP has come a long way since its first incarnation as a Perl script. Now PHP is a powerful Web scripting language with object-oriented programming support. Slowly but steadily it has entered the non-Web scripting arena often reserved for Perl and other shell scripting languages. Arguably, PHP is one of the most popular Web platforms.
Content extracted from the document:
Secure PHP Development- P19

Part I: Designing PHP Applications

Chapter 3: PHP Best Practices

See your errors before someone else does

Malicious hackers often use debugging or error information to take advantage of a broken application. This is why it is critical that you perform extensive tests on your Web applications before you deploy them on production servers.

The best way to test and find problems is to have all levels of error reporting enabled using the error_reporting(E_ALL) function. This function should be used as the very first line in your application code. For example:

During development you should set error_reporting() to E_ALL, which enables all types of errors to be reported. There are many error reporting levels. You can find all about these error reporting levels at http://www.php.net/manual/en/ref.errorfunc.php#errorfunc.constants

Once you have thoroughly tested your application, you can reduce the error reporting level or even disable it. However, if you do the latter, make sure you enable error logging using the error_log() function. You can learn about this function at http://www.php.net/manual/en/function.error-log.php.

Restrict access to sensitive applications

When you have an application that should be used by only a restricted set of users, you need to control access to the application either from PHP code or by using a Web server access control mechanism. This is covered in great detail in Chapter 22.

Best Practices for Source Configuration Management

When developing any software, use a version-control system to manage changes. We used Concurrent Version System (CVS) when developing the applications discussed in this book. CVS allows you to create versions of your software by creating a source repository from which you check out and check in code changes. CVS maintains all version information automatically so that you can retrieve an older version with a single command. It is also the de facto version control mechanism for many large-scale Open Source software projects.

You can learn more about CVS at www.gnu.org/software/cvs or at http://www.cvshome.org.

Summary

In this chapter I have discussed various best practices for functions/methods, database, user interface, documentation, security, and version control. Getting used to these best practices is often very difficult, since many programmers are under great time pressure to produce workable applications. However, it is very important to get started with these practices as early in development as possible so that they become second nature in future projects. This is particularly true for getting used to version control tools such as CVS. Many developers see version control as an “additional task” that does not relate directly to the deadline and simply wait until the very end to place code in version control. This type of practice often leads to big code maintenance problems in the long run. The key issue is early adoption of best practices so that you get used to them from the beginning.

Part II: Developing Intranet Solutions

CHAPTER 4 Architecture of an Intranet Application
CHAPTER 5 Central Authentication System
CHAPTER 6 Central User Management System
CHAPTER 7 Intranet System
CHAPTER 8 Intranet Simple Document Publisher
CHAPTER 9 Intranet Contact Manager
CHAPTER 10 Intranet Calendar Manager
CHAPTER 11 Internet Resource Manager
CHAPTER 12 Online Help System

Chapter 4: Architecture of an Intranet Application

Intranet applications are primarily focused on automating an organization’s daily business processes. A modern company has many intranet applications that are available to its employees to help them be more productive and efficient. For example, a group calendar system or task-tracking system can save a great deal of time and resources for most companies with more than five employees. This chapter focuses on the underlying architecture of intranet applications and discusses an open-source framework that enables you to develop intranet PHP applications in a rapid manner.

Understanding Intranet Requirements

To develop intranet applications, you need to understand how a typical intranet is deployed. A company with two employees can have an intranet, but the average intranet application is deployed in an organization with tens to hundreds of users. Figure 4-1 shows how an intranet “connects” employees in multiple departments of a company that uses an intranet application server to manage its daily internal business functions.

A company generally uses its intranet server to automate interdepartment communication activities such as a shared calendar, shared contact database, document management, project/task tracking, and so forth.

Before you develop the framework that will enable you to create intranet applications in PHP, you need to understand the intranet user requirements. Figure 4-2 shows how a single department within an organization appears from an intranet-requirements point of view.

Users in organizations work in teams. A team usually has a team leader and a project assignment. The projects are managed by the department head. This type of hierarchical user base is very common in modern organizations.
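
The error-handling advice from the Chapter 3 section "See your errors before someone else does", as an added example that is not code from the book: every level is reported in both environments, but in production errors go to a log file instead of the page, which is an alternative to lowering the reporting level. The function name, the `APP_ENV` variable and the log path are assumptions, and the syntax needs PHP 7 or later.

```php
<?php
// Added example, not from the book.
// Assumptions: APP_ENV names the environment; the log path is a placeholder.

function configure_error_handling(string $env, string $logFile): void
{
    // Report every error level in all environments so nothing is silently dropped.
    error_reporting(E_ALL);

    if ($env === 'development') {
        // Developers see errors directly in the page while testing.
        ini_set('display_errors', '1');
        return;
    }

    // Production: never send error text to the browser, where it would
    // reveal file paths, queries or stack traces; write it to a log instead.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);

    // Uncaught exceptions: full detail goes to the log,
    // the visitor only gets a generic message.
    set_exception_handler(function (Throwable $e): void {
        error_log(sprintf(
            'Uncaught %s: %s in %s:%d',
            get_class($e),
            $e->getMessage(),
            $e->getFile(),
            $e->getLine()
        ));
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo 'An internal error occurred.';
    });
}

// First statement of the application, before any other code runs.
// An unset or empty APP_ENV falls back to the locked-down production settings.
configure_error_handling(
    getenv('APP_ENV') ?: 'production',
    '/var/log/php/app-error.log' // placeholder path; must be writable by the PHP process
);
```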
