What are the common mistakes developers/architects make when developing a portal/web application... what should we avoid or take care of when we are developing a web application?
+3
A:
Security issues mainly.
- Not escaping (user submitted) content
- SQL injection (still see it around unfortunately)
- XSS / CSRF
- Trusting the client data - things like putting the amount for an order in a 'read only' text box and just expecting users not to tamper with it
- Emailing credit card details (in most cases they shouldn't be stored anyway).
- Storing passwords in plain text.
Rescuing a custom e-commerce project at the moment - where a malicious user could simply send a form post to the 'thank you' page to have their order confirmed, skipping the payment gateway entirely.
DaRKoN_
2009-12-18 04:47:15
A lot of people make these mistakes, and it's frustrating because there are so many tools out there to help you prevent them (like templating systems that do auto-escaping, and libraries for account management).
Annie
2009-12-18 05:21:55
I would add: Trusting users to use the URLs they should. Your login code means nothing if all I have to do is go straight to http://example.com/LoginGood.php. And speaking of logins: authenticating a password with JavaScript.
Mike D.
2009-12-18 06:00:37
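The three points above (trusting a client-supplied order amount, confirming an order from the 'thank you' page without going through the gateway, and protected pages reachable by just typing the URL) handled server-side, as an added Python example that is not from any of the original answers. The catalog, prices, order store and gateway secret are constructed placeholders, and the HMAC-signed gateway callback is an assumed scheme, not a specific gateway's API.

```python
import hashlib
import hmac
import secrets

# Constructed placeholders: prices in cents, and a secret assumed to be shared
# with the payment gateway for signing its server-to-server callbacks.
CATALOG = {"sku-100": 1999, "sku-200": 500}
GATEWAY_SECRET = b"constructed-shared-secret"
orders = {}  # order_id -> {"total": int, "status": "pending" | "paid"}

def create_order(form):
    """Price the order from the server-side catalog only; any 'amount' or
    'total' field the client sends (e.g. from a read-only text box) is ignored."""
    total = 0
    for sku, qty in form.get("items", {}).items():
        if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
            raise ValueError("rejected line item: %r x %r" % (sku, qty))
        total += CATALOG[sku] * qty
    order_id = secrets.token_urlsafe(8)
    orders[order_id] = {"total": total, "status": "pending"}
    return order_id

def gateway_signature(order_id, amount):
    """HMAC the gateway attaches to its callback for (order, amount)."""
    msg = ("%s:%d" % (order_id, amount)).encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()

def confirm_order(order_id, amount, signature):
    """Only a gateway callback with a valid signature over the exact stored
    total may mark an order paid; a browser POST to /thank-you cannot."""
    order = orders.get(order_id)
    if order is None or order["status"] != "pending":
        return False  # unknown order, or a replayed callback
    if amount != order["total"]:
        return False  # gateway charged something other than what we priced
    if not hmac.compare_digest(gateway_signature(order_id, amount), signature):
        return False  # forged or tampered callback
    order["status"] = "paid"
    return True

def thank_you_page(order_id, session_user):
    """Rendering the page reads server state; it never changes it. It is also
    only reachable with a valid session, not by typing the URL."""
    if session_user is None:
        return "redirect:/login"
    order = orders.get(order_id)
    if order is None or order["status"] != "paid":
        return "Payment not received yet."
    return "Order %s confirmed." % order_id
```

The posted "amount" field is never read, so tampering with it has no effect; the only path to a paid order is a correctly signed callback for the server-computed total.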
A:
Wow this could get huge:
- Security (as DaRKoN suggested)
- Inadequate planning for load and scaling (too many/few users for the hardware used)
- Internationalization, and issues related to it
- Site Indexing, navigation and user experience
- eCommerce and handling local taxes/laws
- Caching and Persistence of data
- Assuming that Web is Stateful vs Stateless
- Client bandwidth issues
- Client browser and browser preferences (do they have JavaScript enabled, is it Firefox, etc)
- Data storage and management, especially when planning for multi site installation
- Managing a service infrastructure vs an application infrastructure (upgrading multiple machines, and varied equipment).
The list goes on...
GrayWizardx
2009-12-18 05:01:10
+2
A:
Thinking too much about mistakes ahead of time, instead of just building the damn thing as quickly and simply as possible, and figuring it out as you go, with occasional refactorings.
Avi Flax
2009-12-18 05:11:52
A:
There are a whole class of mistakes related to lack of adequate compatibility testing:
- Site looks nice in IE, but how does it handle in Firefox, Chrome, Safari, Opera, etc? See BrowserShots.org.
- Have you tested it on multiple screen sizes? 800x600? 1024x1080? 480x500 as commonly seen on mobile devices? Use Conditional CSS for screen resolutions.
- Never assume fonts are always rendered black, Times New Roman, 10pt unless otherwise specified. Always use a Base Style Sheet in case users have tweaked their default styles to something crazy.
- Using ActiveX on a public website? I spit on you.
- Have you tested your client-side script in multiple browsers?
- Are you sure those partial transparency PNGs render consistently across all browsers?
You could probably write a book on everything you'd need to check just getting cross-browser compatibility right alone.
Juliet
2009-12-18 05:14:39
A:
- Modifying server state with GET requests - I've had to explain to veterans of almost 10 years why this is bad.
- Making a mess of everything client-side: invalid HTML with inline CSS and JavaScript. Like any other code, client side markup/scripts should be easy to read and maintain.
- Assuming that web development is exclusively devoted to the browser environment.
LeguRi
2010-08-04 00:16:16