Insight on normalization and "proper" coding

[Rohlan]

Hi everyone.

 

first, TL;DR:

 

What are some good examples of applications that you found especially well-written or what would you recommend me to read to get a good feel of what a secure and robust looks like?

 

Long boring version:

 

I'll start by noting that all and any coding that I know has been self-taught by reading tutorials and endless trial-and-error experiences and thusly I am afraid I might have drifted a bit away from what the community understands as "normalization" and "proper" coding. That being said, in a crude way one could say I have "my own" way of doing things. Because of that I often run into a more efficient way to achieve something, or someone looks at my code and thoroughly explains to me it might need optimization and tweaking. I didn't attend college and many terms are also new to me, I've worked as a freelance programmer for a little more than 5 years now and I've been doing so-so. I sort of want to step away from that now, I'd like to get in touch with what is considered a secure normalized way of programming.

 

I know this might sound like I've gone too far for too long but that isn't really the case. I just feel like my coding is a bit dodgy sometimes and that someone else that might be interested in my projects might go "wtf" and turn a cold back on it due to it looking like a mangled confusing wall of code.

 

With that in mind...

 

I have been working on this web application I've been calling "taskgrammer", the name comes from "Task Programmer". What it did at first was allow someone to create tasks. That was it. But it grew. Right now there's a Contacts and Customers center with CRM-like functions, Task types, User management, Robust scheduling, Payment management, Team management (currently working on internal human resources system for salaries, holidays, etc) Alerts system... with many functions that allows any small company that provides any kind of service to manage their whole activities and get reports on finances with detailed per-customer debt reports and profit margins and what-have-you.

 

Due to my "type" of programming, I've left some things behind that need optimizing, be it cleaning some code or making sure that the application is functioning the way I want instead of leaving things "working fine so I'll leave it", rushing things always feels wrong and I tend to do it when I'm having a crap day (lol) or just need to do something real quick... but then I can't help but feel worried that that's not what I wanted to have done and it needs future "healing". I hate that feeling of helplessness when you're not sure that bit of code should be left like that... as it might interfere with future plans or it might actually re-define your work-flow without you ever planning to do so.

 

The main thing that worries me in this application is the security aspect. It runs on the web and is prone to attacks and ill-intended shenanigans. So I went ahead and devised some amateur security "systems" (that's what I call them in my mind), one of them is for preventing direct access to include files and other files, I make a check for a defined variable on the config file, if the check is true then the file can be accessed, this means that you have no way of accessing any of the files without going through proper routes, but is that really true? Is it really safe? I have my doubts because I don't really know what tools folks can use to hack into things and break everything. Pure lack of information.

 

My config file is a bit big, it has a lot of includes for all my functions and that is another thing that worries me, I have around 10 function library files ( i decided to divide them into various files just for easier editing ), I am loading those functions each time even if they are not necessary... is that OK? is there an influence in my application's performance? Everything seems speedy to me so that makes me believe its ok to do that... but is it taxing my server's resources? ... lack of information again, I suppose.

 

Then there is my "template" system where I have each page in a function like contact_list(), that function simply calls the template file contact_list.php and in certain cases might provide some needed parameters. What I do then is I call each function in GET variables like

index.php?action=contact_list

 

and then have this in my main template file:

 

 $_GET["action"](); 

 

I could probably come up with some other way of doing these things nowadays that I'm a bit more knowledgeable but I don't want to have to rewrite everything so soon as I've put a lot of work into this already.

 

I've already said a mouthful and I'm thankful that you read it, so ... what are some good examples of applications that you found especially well-written or what would you recommend me to read to get a good feel of what a secure and robust looks like?

 

Thanks, and hugs for everyone.

[Namtip]

Yeah, I'd like to see some some pro php programing web apps and compare it to my code too! I'm new though and wouldn't be much use.

 

This is a pretty good website to help you realise why you should fear for your website.

http://www.scribd.com/doc/2189835/9-Ways-to-Hack-a-Web-App

 

Why don't the kids just go make some damn money!