Things to consider while implementing an original website architecture

Question

Things you should know know about my disposition -
1. My First Time building a "big" site.
2. Working on PHP
3. Have no idea about how scalable the site can be, though i've been reading up quite a bit about that.
4. Willing to use a framework if it gives me a LOT of flexibility in architecture while still providing me the advantages like security, performance etc.

The main question being -
Suppose you were in my place and wanted to implement your original architecture, what are the things you'd be careful about?
How will you go about implementing security? Anyway you can import and integrate third party security modules into your website?
I know i'm making flaws... just wanting to know what they are primarily..solving them will come next. Thank you :].

Answer 1

You should start by reading and testing Zend Framework. As this is really just a framework and a collection of libraries and experiences of long-time devellopers.

Somes says you should try to build your own framework before, then throw it in the basket and get back to ZF (Zend Framework). It depends how much time (years) you have. But that's right it's easier to understand good choices when you've mad bad ones before :-)

Nobody in this world can build a good architecture on his own, you'll need the experience of others to make your own new errors and not the old ones. No one was smart enough in the past to prevent us from all theses CMS (phpNuke, and a lot more but I don't want to hurt some people working on big CMS which are still there today).

So use ZF MVC model, do read (really) ZF documentation (even if you won't use it). Understand why some of theses tools are very important for security.

Big things to note for a good PHP app:

share nothing: by default PHP as no way to store data between the user requests. So mid-term storage/long-term storage/session storage things will have to be stored somewhere:

• cookie (like session ID)
• session files or session records in database or session records in a cache
• application levels cache (like memcached)
• database (and why no throwing MySQl for PostgreSQL, test the difference!)
• pre-application levels cache (revers proxy cache, varnish and such, browser cache)

filter inputs/escape outputs: If you make a good use of Zend_Form, Zend_Filter, Zend_Validators and if you always use escape() in your views this part of the security should be ok (and this is a big big big problem in most PHP apps out there). See your database as one of the output, html page as another, json as another, etc. Your inputs as well are numerous, user inputs, cookies, maybe some other databases, external websites, etc.

avoid absolute url: try to always use relative url. At least always use url helpers given by the framework to build your urls.

get nice url map: if you can cut your application in different parts by simply reading the url you will help yourself for the day you'll need to build a more complex hardware platform for your application. Admins will need to set some configuration files for reverse proxy cache in front of your app. Will they be able to detect the https-needed parts? does all your static files are available via a specific path? Can we define a cache-time policy based on the url?

design patterns: nobody is smart enough to understand all the consequences of his coding choices and the way this code will have to evolve. Design patterns are there to collect good pratices. If your problem have no design pattern solution, then maybe you do not understand your problem :-). To be honest there's maybe a simplier and faster way sometimes, but you should know the patterns before deciding not to use them.

A lot of PHP experts have done their code without using frameworks (as most frameworks was not very good in fact). But code quality in the PHP world is bad, really, it's still so easy to make an XSS injection on a lot of websites. It's time to get something better, do not trust the hello world examples, building a good webapp is hard :-).

Answer 2

Whenever I start any new website project (especially ones using PHP), I plan it out on paper. In order to keep your files neat and organized (architecture) it is wise to follow an MVC format. Read more about MVC This is the kind of organizational system I used and that many professionals use.

This will make it far easier to scale your web site, and add more pages and functions because your functions will be independent of the pages that your users are looking at and entering information (UI).

Also, commenting in your code is VERY important, you can never have enough commenting and that is even more true when you are coding a large web site, because you cannot possibly remember it all, and it will help you very much while making changes and scaling your web site.

As far as security, there are methods that you can use to prevent security threats, I have read some good articles on security when it comes to PHP applications. Here is one.

I can't stress enough that you should plan out how you intend the website to work and lay out the file organization before you start coding, it will save you tons of work and stress in the long run.

I have coded large PHP/MYSQL driven web sites before, and I have fallen victim to a lot of errors, please learn from my mistakes, plan out your file structure and how you plan on specific user based interactions to be executed.

As for a framework, i've never used one, but i've done the research and they use the MVC format. I like to do it all on my own instead of having to learn a framework. Frameworks are good if you are doing repetitive coding, but even on that note, I use functions for that.

Hope this helps! If you have any questions feel free to ask.

• Chris