Friday, July 23, 2010

Best Code Development Practices-V

Continuing with the common PHP software development guidelines: we have already covered
USAGE INSTRUCTIONS/TIPS and SECURITY. Let us now discuss some of the other guidelines.

1) MYSQL ADMINISTRATION (RECOMMENDED): The following guidelines may help secure your application further.

a) Avoid using the root user for database administration as well as for programming. Instead, for every new database, create 2 or more users with specific permissions. For example:

i) One user with only SELECT permissions on the database, if no modification activity is planned. Add other privileges as required.

ii) If your project has an Admin area, then create another user with SELECT, UPDATE, INSERT, etc. privileges.

b) The password for any of these users MUST NOT be easy to remember. Passwords must be alphanumeric and at least 8 characters long.

c) The password field in any of your tables should not store the password as clear text. Instead, encrypt the data.
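Point a) above, written out as an added example (not from the original post): two least-privilege MySQL accounts for one application database, one read-only for the front end and one for the Admin area. The database name (shopdb), the account names (shop_ro, shop_admin) and the password strings are constructed placeholders.

```sql
-- Added example: least-privilege accounts for one application database.
-- shopdb, shop_ro, shop_admin and the passwords are placeholders; replace
-- the passwords with long random values (alphanumeric, 8+ characters).

-- Front-end account: read-only, and only allowed to connect from the
-- web server itself (host 'localhost'), never from anywhere on the network.
CREATE USER 'shop_ro'@'localhost' IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD_1';
GRANT SELECT ON shopdb.* TO 'shop_ro'@'localhost';

-- Admin-area account: may read and modify rows in shopdb, but cannot alter
-- the schema, grant privileges to others, or reach any other database.
CREATE USER 'shop_admin'@'localhost' IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD_2';
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'shop_admin'@'localhost';

-- Check 1: each account should list exactly the grants above and nothing
-- more (in particular no GRANT OPTION and no privileges on *.*).
SHOW GRANTS FOR 'shop_ro'@'localhost';
SHOW GRANTS FOR 'shop_admin'@'localhost';

-- Check 2: no account, root least of all, should accept connections from
-- any host. This query should return no rows.
SELECT user, host FROM mysql.user WHERE host = '%';
```

The front-end code then connects as shop_ro and the Admin area as shop_admin; neither config file ever contains the root credentials.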

Some of the other important points to remember are:

a) CONFIG: Every project needs global variables or configuration settings that are used in one or more files, for example the database connection, the file upload folder path, or anything else that has to be used in more than one file.

Use a config file to store all such information. Note also that front-end and admin config files MUST be maintained separately. The name of the config file should be either config.php or configuration.php.

b) README: Each project should maintain a README file (README.txt) containing various instructions, including installation/deployment, third-party tool dependencies, special instructions, file/folder permissions, cron configurations, etc.

c) CHANGE LOG: All projects should maintain a history file (CHANGE_LOG.txt) containing alterations done after deployment/installation or across different versions. The format should be as below:

yyyy-mm-dd developer_name
  - File Name.ext: change description containing the change made, along with the approximate location of the change in the file
  - another_file.ext: the approximate location should not indicate a line number; instead give the function name, declaration, condition, etc.
yyyy-mm-dd another_developer
  - yet_another_file.ext: the latest change comments should be towards the bottom of the file

d) Folder structure: Each project must have some bare minimum folders, namely:

i) images folder to store pictures, logos, icons, etc.
ii) styles folder to keep the project CSS files
iii) script folder to keep your JavaScript files
iv) includes folder to keep all included files

Also, do not keep all files in a project in a single folder; instead, create folders/subfolders based on their character, section or module as applicable.

e) Security by obscurity: Remember, as long as a file is obscure, it is secure.

i) If there is an Admin area in your project, avoid naming the admin folder "admin". Instead use a more complex name. Most hackers locate the admin folder first to start their hacking activity.
ii) Avoid naming files change_password.php, connection.php, conn.php, edit_profile.php, delete.php, etc. These are highly predictable filenames, allowing hackers to try to locate these files on your server and start with them to find security holes.

iii) Do not use the .inc extension for any PHP file, even for files that are static in nature. Instead, all files MUST have the .php extension.

iv) Also, do not include/use files from the admin folder in front-end applications, not even the connection string.

v) Do not give any webroot folder or file WRITE permission. Any WRITE permission MUST be granted only to a folder with a difficult-to-guess name.

vi) Do not upload any temporary/back-up files to the server.

vii) Each application MUST have a 500 INTERNAL SERVER ERROR page to hide error details from website visitors.

viii) For websites there may also be a custom PAGE NOT FOUND error page.

ix) Optionally, custom error pages can trigger emails when an error occurs.
