Programming Guideline for PHP

This document lists down the basic guideline that should be followed by the Techasofts.

  • tick All websites/applications developed in PHP development platform must use PHP version 7.3 or greater. WP requirements: https://wordpress.org/about/requirements/
  • tick The PHP based sites will be hosted on Windows Environment, with IIS 8.0 and above. The website must be compatible with the Microsoft Azure Cloud (PAAS)/AWS
  • tick All Data capturing forms must be developed as PHP standard forms.
  • tick All development should follow the standard PHP models to differentiate the front-end code and scripting.
  • tick Coding standard must be followed for markups (HTML5) files.
  • tick Front end files should use pluggable libraries for user inputs and output. If client site scripting also be used for validation provided the server site validations are also handled for the same.
  • tick Any third-party templates or code libraries can be used provided it is stable and verified by the Techasoft and all the required libraries are included as part of the solutions.
  • tick Appropriate server controls should be used in the front-end design for user friendliness Ex. Drop down list, Radio buttons, Grids
  • tick All PHP code should be developed using the PHP coding standards.
  • tick When designing the front end; try to use CSS based lay outing and CSS must be stored in an external file with proper naming convention.
  • tick Client site scripting like JavaScript/jQuery can be used with proper open source licenses and same should be kept in external files.
  • tick Make sure to choose latest and stable external libraries. It is a must and avoid using old vulnerable versions. Example: jQuery, jQuery-Ui & bootstrap etc.
  • tick We suggest maintaining a global resource file for all form level Labels and Messages.
  • tick All client side and server-side validations must be incorporated in the code level as listed below.
    • All required fields must be marked with “*”
    • Fields marked as required must be validated for empty/blank submits and user should be prompted with appropriate message. Use required field validators not java scripts.
    • All input fields must be validated with regular expressions as required and should be restricted to capture alpha numeric.
    • Email fields must be validated for valid email address using regular expressions.
    • Date fields should use related calendar controls and must be validated for valid dates (ex. 30/02/1990)
    • All input fields must be validated for the listed special characters i. Special characters: ~! @ # $ % ^ & * ( ) = + | \ { } [ ] < > ’ “ /
    • All text boxes must be validated for maximum length according to the database field in the text box level
    • Any other validation should be handled based on the data capturing requirement.
  • tick All open database connections must be properly handled and closed.
  • tick All methods must be written with exception handling and the exceptions must be handled with proper exceptions. (use try catch finally blocks).
  • tick All exception and code level information must be logged using log4php/similar and logged in DB or file level.
  • tick For any data capturing and storage module only the listed backend server technology should be used. The backend object scripting must be developed using the same technology versioning and standard as per chosen backend server.
  • tick The data provider or the driver for the above backend server must be in latest version.
  • tick MySQL database user should have low privileges. Recommended: SELECT, INSERT, UPDATE & DELETE.
  • tick Specially, it will be considered in WordPress environment and access should be restricted with low privileges.
  • tick Database connection string and other application related parameter must be kept and configured externally using configuration files and the password should be in encrypted mode.
  • tick Create the data tables and data columns with appropriate names using naming conventions. Please follow the respective Database coding standards.
  • tick Tables must include auditing information live timestamp, inserted/updated users, etc.
  • tick Create necessary table indexes to optimize performance.
  • tick Use table relationship, foreign key constraints and other constraints to maintain the data integrity.
  • tick Try to use Stored Procedures to build the data logics and avoid construction SQL queries on the fly to avoid SQL injections.
  • tick Use Views for complex queries and frequently used queries.
  • tick All files should be organized in a structured way Ex: Style sheet and images must be in one separate folder
  • tick As a security measure, the following items should be considered:
    • Auto complete feature should be disabled by default
    • Only POST method should be allowed not GET
    • Should avoid passing values in URL unnecessarily
    • Special character should be validated/removed to stop cross site scripting
    • Google captcha should be included in all the login screen and registration forms.
  • tick The files need to be tested on Techasoft side before sending it to Client for the following:
  • tick Deploy in a windows platform over IIS and do a test. (Highly Recommended)
    • Compilation Errors
    • Run Time Errors
    • Unit Test
    • Functional Test
  • tick All source files must be shared with Techasoft for security purposes and code review.
  • tick All data capturing forms must have captcha included with refresh option including login.
  • tick All login attempts must be tracked and the account should be locked after defined number of attempts with an admin based unlock feature.
  • tick Forgot Password & Reset Password options must be provided to users.
  • tick All the input fields must be validated with input length according to database column size.
  • tick Any token based links should have an expiry period.

PHP/WordPress Websites

  • tick Any WordPress page Permalink to be SEO friendly and not have any ID/numbers
  • tick Avoid Query string parameter in the website.
  • tick WordPress sites need to follow/have the following:
    • Remove Un-necessary/default templates
    • Plugin selection to be selected based on the Stable/Rating/Last Release Date. Plugin last update should not be greater than 3 months from the current date.
    • Change the WordPress database table prefix, don’t use wp_
    • All the website forms should be developed and tested as per the standards mentioned in the document.
    • WordPress CMS should update to latest version along with plugins.
    • /wp-admin path should not visible to end user. If users trying to access http://www.anywebsite.com/wp-admin it should not open admin login page (Based on IP Source). It will be restricted to TECHASOFT networks.
    • Change the 'wp-admin' name similar to any other names like www.anywebsites.com/anywebsite. Use this WP plugin for name modification.
    • Recommended WP plugin - https://wordpress.org/plugins/wps-hide-login/
      • Prevent Hotlinking on server & CDN
      • Delete default users
      • Automatically log idle users out of your site
      • File Permissions
      • Secure wp-config.php
    • Disable XML-RPC, File editing in the dashboard. WordPress JSON REST API details should not expose to public. Access should be restricted accordingly.
    • Harden HTTP security headers – Use https://securityheaders.com/ and make sure your website is fully secured and receive A result.
    • Hide WordPress version.
    • Apply google re-captcha or invisible captcha to secure login form.
    • SMTP Plugin restricted to - https://wordpress.org/plugins/wp-mail-smtp/
    • Remove WordPress logo from admin panel.
    • Make sure that forms are integrated with google invisible captcha which is easy and effective, it doesn't interfere with the user experience.
    • GTMetrix report should have a page speed score of 80% and above.
    • Website HTML should comply with the W3C standards.
    • WordPress super admin privilege to be shared only with the Techasoft team.
    • Accounts with restricted privilege to be configured for Content Update and shared with the relevant business users. Master account won’t share with any users once it deployed in TECHASOFT environment.
    • Recommended plugins to be considered.
      • Backup - https://wordpress.org/plugins/vaultpress/
      • Security - https://wordpress.org/plugins/sucuri-scanner/
      • Audit - https://wordpress.org/plugins/wp-security-audit-log/
      • Authentication/Authorization - https://wordpress.org/plugins/miniorange-saml-20-single-sign-on/
      • Multi Lingual - https://wpml.org
      • Forms - https://www.gravityforms.com
      • Compression & Minification - https://wordpress.org/plugins/autoptimize/
      • CDN - https://wordpress.org/plugins/wp-super-cache/
      • Autotomize & WP-Super-Cache Conflict Resolution - https://gregsullivan.com/wordpress/autoptimize-wp-super-cache-conflict/
      • IMAGE Compression – Use recommended high rating plugins.
  • tick There are always bad bots, scrapers, and crawlers hitting your WordPress sites and stealing your bandwidth. See a comprehensive list of bots at botreports.com. Many of the security plugins mentioned above can work great to block bad bots, but sometimes you might need to do this at the server level. If you wanted to block multiple User-Agent strings at once, you could add the following to your .htaccess file:

    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^.*(agent1|Wget|Catall Spider).*$ [NC]
    RewriteRule .* - [F,L]
    Or you can also use the BrowserMatchNoCase directive like this:
    BrowserMatchNoCase "agent1" bots
    BrowserMatchNoCase "Catall Spider" bots
    Order Allow,Deny
    Allow from ALL
    Deny from env=bots
    And here is an example on Nginx.
    if ($http_user_agent ~ (agent1|Wget|Catall Spider)) {
    return 403;
    }

    Refer below URL for web.config update which will work out in windows environment. https://www.saotn.org/hackrepair-bad-bots-htaccess-web-config-iis/

    Above mentioned changes/updates are recommended before it deploy in Techasoft environment. Once the changes are applied then you can share the source code with MySQL for deployment in Techasoft Environment or Cloud (Microsoft Azure - Windows) platform.

Other Notes

  • tick As per TECHASOFT standard security policies, admin control won’t expose to internet & access will be restricted only for internal users. If require, access will be granted for Techasoft s based on special request using a VPN service.
  • tick Source code access is restricted only for TECHASOFT web team. All the source code changes should deploy in staging environment first for review and same will move to production once it approved by appropriate business users.
  • tick If require proceeding any code deployments, then Techasoft has to provide necessary code pack to TECHASOFT web team for staging deployment with proper instruction or web team can provide WebEx session in order to carry out deployment by Techasoft.

Appendix

Table A: Character validations for input fields:

Input fields must be validated for the following:

First name Alpha, minimum 2 characters
Last Name Alpha, minimum 2 characters
Phone no Numeric with Country, Area, Phone number separation
Date of Birth Numeric/Valid date
Email Address Alpha numeric and only allow special characters @ and dot (.)
Text Area Alpha numeric and following special characters - . , : ; should be allowed
Table B: Username & Password policy

Username/login id must be minimum 5 characters in length
Username/login id should not include spaces and special characters Username/login id must be validated for uniqueness
Password must be minimum 6 characters in length and must include the following

  • One Caps
  • One number
  • One special character (@,#,$)
  • Password must be stored encrypted