Development Guidelines
From Contrexx Wiki (English)
Coding Standards
Contrexx should be developed according to the PEAR Coding Standards.
Images/Icons
Relative and absolute paths
You must always use relative paths (prefixed with ASCMS_PATH_OFFSET) for content references such as images and JavaScript or stylesheet inclusions.

    // right
    $output = '<img src="'.ASCMS_PATH_OFFSET.'images/modules/access/edit.gif">';
    // wrong
    $output = '<img src="/images/modules/access/edit.gif">';

You must always use absolute paths (built from constants such as ASCMS_CORE_MODULE_PATH) for script or file inclusions in the PHP code. A relative path is resolved against the include_path and the current working directory, so it may load a different file than intended or fail under security restrictions (such as open_basedir) that the hosting environment may set.

    // right
    require_once ASCMS_CORE_MODULE_PATH.'/access/lib/AccessLib.class.php';
    // wrong
    require_once 'lib/AccessLib.class.php';
String Handling
Input POST/GET

    // Fetch data from POST and GET
    // Assuming that $_POST['foo'] is a string and $_GET['bar'] is numeric
    $foo = $_POST['foo'];
    $bar = $_GET['bar'];
    // contrexx_stripslashes() will remove backslashes that have been automatically added by magic_quotes_gpc
    $foo = contrexx_stripslashes($foo);
    // intval() will make sure that $bar is an integer and nothing else
    $bar = intval($bar);

Output DATABASE

    // We need to use addslashes() on $foo to escape special characters. This is required to prevent SQL injection.
    // It is not required on $bar, because intval() has reduced $bar to an integer, which can't do any harm to the database.
    $objDatabase->Execute("INSERT INTO `".DBPREFIX."test` SET `foo` = '".addslashes($foo)."', `bar` = ".$bar);

Note that addslashes() only protects a value that is placed inside quotes in the statement, and only with a connection character set in which a backslash (0x5C) never appears as the trailing byte of a multibyte character (UTF-8 is fine). An unquoted value such as $bar must be type-cast instead. ADOdb's qstr() or bound parameters (Execute($sql, $params) with ? placeholders) do the quoting for you and are the safer choice.

Output HTML

    // We must transform every special character of $foo into its HTML entity to prevent a Cross-Site Scripting (XSS) attack.
    // Note: the constant CONTREXX_CHARSET holds the character set definition 'UTF-8'
    print htmlentities($foo, ENT_QUOTES, CONTREXX_CHARSET);
    // We don't have to encode $bar, because it is an integer
    print $bar;
Database
Contrexx uses the ADOdb database abstraction layer.
SQL Statements
- You must use the constant DBPREFIX as a table prefix in all of your queries.

    $objDatabase->Execute('SELECT 1 FROM `'.DBPREFIX.'access_users`');

- Never select all columns of a table using the asterisk wildcard. Instead, list every column you need explicitly (even if you need all columns of the table). Using an asterisk slows down the database needlessly, because it first has to look up which columns are present, and it ties your code to the current table layout.
Templates and HTML-Output
All HTML output must validate as XHTML 1.0 Transitional. There are many browser extensions available that provide an in-browser HTML validator, e.g. HTML Validator for Firefox and Mozilla.
Browser Compatibility
The front- and backend layout must be compatible with Firefox, Internet Explorer 6/7/8 and Safari. Because it is not possible to have several versions of IE installed at the same time on a Windows host, Microsoft provides Virtual PC images for each of these versions.
Security
Cross-site scripting (XSS)
Make sure you know everything about Cross-site scripting (XSS) and how to avoid it.
Therefore, you must always use htmlentities() or htmlspecialchars() where appropriate to avoid an XSS attack. Pass ENT_QUOTES whenever the value may end up inside an HTML attribute; without it a single quote in the input can terminate a single-quoted attribute and inject an event handler without using any angle brackets.

    // Prepare $string for output
    $string = htmlentities($string, ENT_QUOTES, CONTREXX_CHARSET);
SQL Injection
Make sure you know everything about SQL injection (SQL Injection in PHP) and how to avoid it.
The Contrexx framework provides functions for preparing input before it reaches the database:
- contrexx_strip_tags()
- contrexx_addslashes()
- contrexx_stripslashes()
Of these, only contrexx_addslashes() escapes the quote characters that matter for SQL. contrexx_stripslashes() merely undoes the escaping added by magic_quotes_gpc (see Input POST/GET above), and contrexx_strip_tags(), as its name says, removes markup, which is a measure for HTML output and not an SQL escaping step. As with addslashes(), the escaped value must be placed inside quotes in the statement; numeric values are cast with intval() instead.

    // Prepare input before putting it into the database
    $string = contrexx_addslashes($_POST['input']);
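The following is an added example, not code from the Contrexx project. It walks one request through the input, database and HTML steps described in String Handling and in the XSS and SQL Injection sections above, printing the unprotected and the protected form of each step side by side. Because the framework is not available here, it makes some assumptions: DBPREFIX and CONTREXX_CHARSET are defined locally if missing, contrexx_stripslashes() is stood in by a function that undoes magic_quotes_gpc escaping only when that feature is on, contrexx_addslashes() is replaced by PHP's addslashes(), the request data is a constructed array instead of $_POST/$_GET, and the INSERT statement is only built and printed, not executed.

```php
<?php
// Added example (not Contrexx code). Walks one request through the
// input -> database -> HTML pipeline from the guidelines above and prints
// the unprotected and the protected form of each step side by side.
//
// Assumptions, because the Contrexx framework is not available here:
//  - DBPREFIX and CONTREXX_CHARSET are defined locally if missing.
//  - contrexx_stripslashes() is stood in by a function that undoes
//    magic_quotes_gpc escaping only when that (long removed) feature is on.
//  - contrexx_addslashes() is replaced by PHP's addslashes().
//  - The SQL statement is built as a string and printed, not executed.

if (!defined('DBPREFIX'))         { define('DBPREFIX', 'contrexx_'); }
if (!defined('CONTREXX_CHARSET')) { define('CONTREXX_CHARSET', 'UTF-8'); }

if (!function_exists('contrexx_stripslashes')) {
    function contrexx_stripslashes($str) {
        // get_magic_quotes_gpc() no longer exists in PHP 8; the check keeps
        // the stand-in working on both old and new interpreters.
        $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
        return $magic ? stripslashes($str) : $str;
    }
}

// Input handling (Input POST/GET): $bar is reduced to an integer, $foo stays a string.
function prepareInput(array $request) {
    $foo = contrexx_stripslashes($request['foo']);
    $bar = intval($request['bar']);          // "1 OR 1=1" becomes 1
    return array($foo, $bar);
}

// Database output (Output DATABASE): the same INSERT with and without escaping.
// addslashes() is only a defence because $foo sits inside '...' in the statement
// and the connection charset (UTF-8) has no multibyte character ending in 0x5C.
function buildInsert($foo, $bar, $escape) {
    $value = $escape ? addslashes($foo) : $foo;
    return "INSERT INTO `" . DBPREFIX . "test` SET `foo` = '" . $value . "', `bar` = " . $bar;
}

// HTML output (Output HTML / XSS): $foo lands in text and in a single-quoted
// attribute. ENT_COMPAT leaves single quotes alone, so the quote in $foo closes
// value='...' and whatever follows becomes a new attribute; ENT_QUOTES encodes it.
function buildHtml($foo, $bar, $flags) {
    $safe = htmlentities($foo, $flags, CONTREXX_CHARSET);
    return "<p>" . $safe . "</p>\n"
         . "<input type='text' name='foo' value='" . $safe . "' data-id='" . $bar . "'>";
}

// Constructed request standing in for $_POST/$_GET. The string payload breaks
// out of a quoted SQL literal and of a single-quoted HTML attribute without
// using any angle brackets; the "numeric" value is not numeric at all.
$request = array(
    'foo' => "O'Reilly' onmouseover='alert(1)",
    'bar' => "1 OR 1=1",
);

list($foo, $bar) = prepareInput($request);

echo "Unescaped SQL (quote in \$foo ends the literal early):\n";
echo buildInsert($foo, $bar, false), "\n\n";
echo "Escaped SQL (whole payload stays one string literal):\n";
echo buildInsert($foo, $bar, true), "\n\n";
echo "HTML with ENT_COMPAT (attribute is closed, onmouseover= is injected):\n";
echo buildHtml($foo, $bar, ENT_COMPAT), "\n\n";
echo "HTML with ENT_QUOTES (single quotes become &#039;, value stays inside the attribute):\n";
echo buildHtml($foo, $bar, ENT_QUOTES), "\n";
```

Run it with the php command-line interpreter and compare the four outputs: the escaped INSERT keeps the whole payload inside one string literal, and only the ENT_QUOTES variant keeps the payload inside the value attribute, which is why the guidelines pass ENT_QUOTES to htmlentities().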
