
Check the quality of the site

Let's say you are a project manager with a team (a programmer, a layout designer, a designer, someone else) and you build websites. The problem is that a project manager needs to know every aspect of building a site, from design to security, and more often than not that is not the case. If the project manager is a former designer, he will handle design and usability well, but he (you) will have trouble with the technical side. It also happens that a manager becomes a manager: he manages people superbly and has pronounced leadership skills, but on the technical side he has to rely on his team. That is fine if the team consists of real professionals; if not, the one held responsible is not the team but its leader. In this article I will try to describe a few points that will help you assess the quality of the sites you (your team) create.

What are we going to test?


We will test the following points:

Layout


1. Correct display of the site in different browsers
It so happens that different browsers render the same HTML code differently. This is sad, and it is the headache of every layout designer. However, this headache is paid for, and paid for by you. So it is worth checking exactly how your site is displayed in different browsers, and checking does not mean opening only the main page; it is better to check every page. Here I would highlight five browsers:

Well, you can also check in:

If you are too lazy to load browsers and poke through links, then you can automate this action, for this there are special services:

In general, there are a lot of such services in the network, one has only to ask Google ...
2. The validity of the layout.
There is a lot of talk now about whether valid markup is needed at all. Google is usually cited as the example: “If even Google's site ignores validity, what is left for us mere mortals...”. If you take a closer look at the google.com code, then... you know, I would not hire such a layout designer: presentation and markup are mixed, the document type is not specified, the style sheet is not moved into a separate file... As if they built it in FrontPage... All of this is a minus, and you should not model yourself on the minuses. You can talk a lot about the importance of validation and bring a bunch of arguments for it, and all of those arguments can be challenged, except one:
A professional layout designer will never allow himself invalid markup, and a good studio will not hire one who lays out pages "any old way".
You can check the validity of the site's markup here:
http://validator.w3.org/

Programming


Evaluating a programmer's work without being a programmer yourself is, to put it mildly, difficult, and yet I will give some advice so that you have some idea of the level of the programmer working on your project.
1. Human-readable URLs
Look carefully at the browser's address bar: there should be no “?”, “=”, “&” or other garbage, only letters! For example, if your site has news, the address of a news page should not be
your_site.ru/news.php?cat=last&id=451
but something like:
your_site.ru/news/last/451
Agree that the second option is, at the very least, easier on the eyes. I think any good programmer, if he is not too lazy (and if we pay him, he should not be lazy), can and should implement human-readable URLs in your project. Besides being pleasant to our eyes, they are also pleasant to search engines.
2. AJAX
AJAX is beautiful, comfortable, popular and modern. But remember that AJAX should not be overused; it should be used only where it is really useful. Where to use AJAX and where not is not a programming question, but the implementation itself is... As a programmer, I will say that our biggest flaw is laziness, coupled with disregard for users. If your project uses AJAX, make sure that while data is loading dynamically, the user is told that something is happening on the site. You may have a ten-megabit dedicated line in your office, but many Internet users have slower connections, and after clicking a link the user may not realize that something is loading; you should tell him.
3. CMS
If the site uses a content management system, as is most often the case, and your programmer wrote that system, make sure you understand how it works and can work with it yourself if necessary. I once saw a CMS where pages were created by typing the required values into a MySQL table through phpMyAdmin. Managing your sites should be completely clear to you, because programmers come and go, but the site remains.

Security


They say that only the best programmers can become hackers (or, as they say, “IT security consultants”), so do not expect to be able to check the site for vulnerabilities by reading this article, but I will give a couple of recommendations.
1. SQL vulnerabilities
Perhaps the most common mistake programmers make. We always forget to check a variable before using it in an SQL query. The essence of the vulnerability is that the variable passed to the script is changed so that the SQL query returns not what it should, but what the hacker needs. Checking a variable for safety is quite simple: it is enough to insert the character "'" into it. Let's say you have the URL
your_site.ru/news/last/451
Try changing it to:
your_site.ru/news/last/4'51/
And if an error like
Warning: supplied argument is not a valid MySQL result resource ...
or something similar appears, cut the programmer's salary. If the news item with identifier 4 comes up instead of the one with identifier 451, that is no good either. Apostrophes should be inserted not only into URLs but also into every input and textarea field on the site, in short, wherever the user is allowed to enter text.
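The three outcomes described above (an SQL error, news item 4 instead of 451, and a clean rejection), as an added example that is not code from the original article. It assumes a hypothetical news table and made-up function names, and uses an in-memory SQLite database through PDO in place of the site's MySQL:

```php
<?php
// Added example; SQLite in memory stands in for the site's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO news VALUES (4, 'Old item'), (451, 'Latest item')");

// Before: the URL segment is pasted straight into the SQL text.
function newsConcat(PDO $db, string $id): string
{
    try {
        $row = $db->query("SELECT title FROM news WHERE id = $id")->fetch();
        return $row ? $row['title'] : '404';
    } catch (PDOException $e) {
        return 'SQL error';   // on a live site this surfaces as the warning
    }
}

// Half-fix: (int) silently turns "4'51" into 4, so the wrong item is shown.
function newsCast(PDO $db, string $id): string
{
    $row = $db->query('SELECT title FROM news WHERE id = ' . (int) $id)->fetch();
    return $row ? $row['title'] : '404';
}

// After: reject anything that is not all digits, then bind it as a parameter.
function newsStrict(PDO $db, string $id): string
{
    if (!ctype_digit($id)) {
        return '404';
    }
    $stmt = $db->prepare('SELECT title FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row ? $row['title'] : '404';
}

// Constructed inputs: the normal URL segment and the one with an apostrophe.
foreach (['451', "4'51"] as $id) {
    printf(
        "%-5s concat=%s | cast=%s | strict=%s\n",
        $id,
        newsConcat($db, $id),
        newsCast($db, $id),
        newsStrict($db, $id)
    );
}
```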
2. File uploads
If users can upload files (photos, documents) to the site, you need to check which file types are allowed to be uploaded. If the type of the uploaded file is not checked, consider your site already hacked.
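One way to implement the file-type check, as an added example that is not code from the original article. The allowlist, the function name and the sample uploads are assumptions made for illustration:

```php
<?php
// Added example: allowlist check for an uploaded file (names are hypothetical).
const ALLOWED = [               // extension => leading bytes of that format
    'png' => "\x89PNG\r\n\x1a\n",
    'jpg' => "\xFF\xD8\xFF",
    'gif' => 'GIF8',
    'pdf' => '%PDF-',
];

// Returns the name to store the file under, or null if it must be rejected.
function acceptUpload(string $clientName, string $bytes): ?string
{
    // Only the last extension counts: "photo.php.png" is treated as "png".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!array_key_exists($ext, ALLOWED)) {
        return null;                       // type is not on the allowlist
    }
    $magic = ALLOWED[$ext];
    if (strncmp($bytes, $magic, strlen($magic)) !== 0) {
        return null;                       // content does not match the extension
    }
    // Never reuse the client's file name: generate one on the server.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: two legitimate files and two scripts.
$samples = [
    'photo.png'     => "\x89PNG\r\n\x1a\n" . 'rest of the image data',
    'report.pdf'    => '%PDF-1.4 rest of the document',
    'shell.php'     => '<?php /* script */',
    'photo.php.png' => '<?php /* script renamed to look like an image */',
];
foreach ($samples as $name => $bytes) {
    printf("%-14s %s\n", $name, acceptUpload($name, $bytes) ?? 'REJECTED');
}
```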
3. The rest
I was going to write about XSS vulnerabilities now, and I realized that I could not express my thoughts in words accessible to people who do not understand IT security. So I still advise you to have the site checked for vulnerabilities by a specialist or by special software. I would recommend XSpider ( http://www.ptsecurity.ru ), though it will cost you from 9000 rubles per year. There are also free utilities, less reliable, but free.

More


And as a bonus, there is a good service,
http://webo.in/
which will tell you how fast your site loads and what can be done to speed it up... that is, in case you want to punish the programmer...

Source: https://habr.com/ru/post/46598/

