Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Try out my first PHP web app!

Viewing 15 posts - 91 through 105 (of 211 total)
    #180741
    Alen
    Participant

    I suggest you watch following

    http://vimeo.com/97318823

    #180748
    nixnerd
    Participant

    I suggest you watch following

    This is a pretty good video. Very helpful OP.

    #180939
    __
    Participant

    I really wanted to make this site useable to people

    don’t take this the wrong way:

    start over.

    I think I mentioned somewhere earlier in this thread that, when you’re learning, it’s not uncommon to reach a point where you realize that the way you started doesn’t work with the way you learned, so you’ve got to scrap it and rewrite. This might happen several times. I scrapped my first CMS-like project four times (and it came out “okay”… nothing like it would be if I wrote it now). That’s okay.

    If you decide to “go for it,” I’d recommend designing (in the “engineering” sense) your site at a fairly high level first: without writing any code, get as specific as possible describing what features you want, how they interact, how they work, and so forth. The more stuff you can plan for, the better it will all work off-the-bat.

    When you do start writing code, start with “general” code instead of specific things. A lot of tasks you do will need to be done in several places (e.g., reading query results, staging content for templates, etc.), so try to write that code in a general way that you can re-use, instead of writing similar code over and over.

    #180970
    __
    Participant

    It wasn’t a full-on CMS, but it had a lot of CMS-like functionality. It’s not online anymore. I’ll see if I can find any of it (and if I can post anything without breaching NDA).

    More recently, I’ve been working on a framework, which I will probably be rewriting after I’m done with my current node project.

    #180982
    __
    Participant

    Not exactly. “CMS” implies a degree of flexibility and general-purposeness that you’re not really (or, don’t seem to be) aiming for. Page creation/management, for example; full front-end administration, and so forth.

    Which is not to say that I think it is lacking. What you’re building now is plenty to keep you occupied.

    #181717
    Soronbe
    Participant

    Is this something that would work effectively?

    Yes, and it is what you should do. Be aware however that htmlentities will solve a lot of security issues on its own already.

    #181718
    __
    Participant

    In general, I prefer the philosophy of escaping on display: leave everything literal until right before it needs to be escaped/encoded.

    This gives you more flexibility with usage (for example, if you use htmlspecialchars and then store that result in the DB, you won’t be able to use that bit of content in plain-text environments like text email or JSON).

    It also tends to put the escape/encode function closer to the spot where the output is used, which can help you keep track of what is “safe” and what isn’t.

    You should also consider using some sort of naming convention for variables that hold content: for example, when I have content that might include HTML, I use an html suffix on the variable name. Content that should not be html must be escaped before being combined with content that does. Basically, it helps you keep track of things.

    $article = 'This is some text that talks about <html>.'; // literal content, stored and passed around unescaped
    $articleHTML = '<article>'.htmlspecialchars( $article ).'</article>'; // escaped only at the point it becomes HTML

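
Here is an added example (not from the thread, and not the poster's code) that carries the escape-on-display idea above through three output contexts and shows the bug that escaping at storage time produces. It assumes PHP 7.3 or later (for JSON_THROW_ON_ERROR); the toHtml() helper and the sample article text are constructed for illustration.

```php
<?php
// Added example: "escape on display" with a naming convention for variables
// that hold content. The content is stored literally; each output context
// gets its own encoder at the last moment. (Not code from the thread.)

// Constructed sample content, kept exactly as the author typed it.
$article = 'Tom & Jerry\'s guide to <html> tags, "quoted"';

// HTML context. ENT_QUOTES covers both quote styles so the result is also
// safe inside attribute values; the charset argument must match the page's
// real encoding; ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string.
function toHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The "HTML" suffix marks the variable as already encoded for HTML.
$articleHTML = '<article>' . toHtml($article) . '</article>';

// JSON context: json_encode does its own escaping. If $article had been
// HTML-escaped before storage, an API client would receive "&amp;" and "&lt;".
$articleJSON = json_encode(['body' => $article], JSON_THROW_ON_ERROR);

// Plain-text context (for example a text e-mail): no encoding at all.
$articleText = $article;

// Combining content: a plain variable must be encoded before it is joined
// with an *HTML variable, so the suffix tells you which values still need it.
$authorName = 'Ann <ann@example.com>';          // plain text
$bylineHTML = '<p>By ' . toHtml($authorName) . '</p>' . $articleHTML;

// What goes wrong with escape-on-store: the stored copy is wrong for JSON and
// text, and escaping it again on display double-encodes (& becomes &amp;amp;).
$storedEscaped = htmlspecialchars($article, ENT_QUOTES, 'UTF-8');
$doubleEncoded = toHtml($storedEscaped);

echo $bylineHTML, PHP_EOL;
echo $articleJSON, PHP_EOL;
echo $articleText, PHP_EOL;
echo $doubleEncoded, PHP_EOL;
```

The same rule applies to every other sink: a value headed for a URL goes through rawurlencode() at the point it is placed in the URL, and a value headed for the database goes to the driver as a bound parameter, so the raw string in $article is the single source of truth for all of them.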
    #181719
    Soronbe
    Participant

    That’s quite correct, although you will have to consider stuff like SQL injections.

    #181720
    __
    Participant

    That’s quite correct, although you will have to consider stuff like SQL injections.

    Yes; didn’t mean to gloss over that. Prepared statements FTW!

    #181738
    chrisburton
    Participant

    #181741
    __
    Participant

    Could someone tell me why prepared statements are so much better?

    http://mattbango.com/notebook/code/prepared-statements-in-php-and-mysqli/

    tl;dr: the database knows better than you do.

    #181742
    chrisburton
    Participant

    @traq Can you elaborate? I don’t think @drose379 will have a clue in what it is that you mean (nor do I).

    #181744
    __
    Participant

    Well, that article mentions three main advantages:

    • Prepared statements are more secure.
    • Prepared statements have better performance.
    • Prepared statements are more convenient to write.

    Security:
    Prepared statements allow you to send your SQL instructions in one part, and the data in another. SQL injection attacks are all about tricking the DB into doing something by confusing data with instructions. Using prepared statements makes this impossible.

    Performance:
    Using prepared statements allows the DB to analyse your SQL and build an execution plan for it before actually doing it. This has the advantage of only happening once, even if you execute the statement many times. The separation of data and instructions can sometimes even allow better performance with single-use statements.

    Convenience:
    You can write your statements more clearly, without worrying about having to use double-quotes vs. single-quotes or concatenate the SQL around calls to escape functions and “imagine” what the finished query will look like. Easier to read = easier to understand, fewer mistakes.

    #181745
    chrisburton
    Participant

    Gotcha. I wasn’t sure exactly what you were referencing. Thank you.

    #181901
    __
    Participant

    Do prepared statements cover things like htmlentities() and strip_tags()? Or only protect from SQL attacks?

    Prepared statements are for the database. They take the place of trying to escape all your inputs manually (e.g., real_escape_string, etc.). You still need to validate that the data is what you expected.

    It has nothing to do with how you display info to the webpage, so htmlspecialchars and friends are still needed.
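
As an added example (not the thread's own code) for the three prepared-statement advantages listed earlier and for the point just made that prepared statements protect only the query, the script below assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the users table, the column names and the sample rows are constructed for illustration. The mysqli equivalent is prepare(), bind_param() and execute(), which separate SQL and data in the same way.

```php
<?php
// Added example (not from the thread): a prepared statement sends the SQL
// and the data separately, so a value containing a quote is stored literally
// instead of changing the statement. In-memory SQLite via PDO keeps this
// self-contained; the table and rows are constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');

// Constructed input, as it might arrive from a sign-up form.
$name  = "O'Brien";
$email = 'obrien@example.com';

// 1. Security. With string concatenation the apostrophe in the name becomes
//    part of the SQL text: the database sees a broken statement here, and a
//    differently shaped input would make it see a *different* statement.
try {
    $db->exec("INSERT INTO users (name, email) VALUES ('$name', '$email')");
} catch (PDOException $e) {
    echo 'Concatenated query failed: ', $e->getMessage(), PHP_EOL;
}

// With a prepared statement the SQL contains only placeholders and the
// values travel separately, so "O'Brien" is stored exactly as typed.
$insert = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
$insert->execute([':name' => $name, ':email' => $email]);

// 2. Performance and 3. convenience: prepare once, execute many times with
//    different data, and the SQL reads as SQL with no quoting to think about.
$moreUsers = [['Alice', 'alice@example.com'], ['Bob', 'bob@example.com']];
foreach ($moreUsers as [$n, $e]) {
    $insert->execute([':name' => $n, ':email' => $e]);
}

// What prepared statements do NOT do, part one: validate. Checking that the
// data is what you expect is still your job before it reaches the query.
$badEmail = 'not-an-email';
if (filter_var($badEmail, FILTER_VALIDATE_EMAIL) === false) {
    echo 'Rejected an invalid e-mail address before it reached the database', PHP_EOL;
}

// Part two: HTML escaping. Whatever was stored comes back byte-for-byte, so
// htmlspecialchars() is still required at the moment the value is put in a page.
$insert->execute([':name' => '<b>Mallory</b>', ':email' => 'mallory@example.com']);
$select = $db->prepare('SELECT name FROM users WHERE email = :email');
$select->execute([':email' => 'mallory@example.com']);
$storedName = $select->fetchColumn();   // still "<b>Mallory</b>", tags intact

echo '<li>' . htmlspecialchars($storedName, ENT_QUOTES, 'UTF-8') . '</li>', PHP_EOL;

// Row count confirms the four parameterised inserts succeeded and the
// concatenated one did not.
echo 'Rows stored: ', $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
```

Placeholders can only stand in for values; table names, column names and ORDER BY directions cannot be bound, so when those come from user input they must be checked against a whitelist of known identifiers rather than interpolated.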
