One thing I think many developers new to programming lack is a summary of the fundamentals. The experienced developers take certain concepts for granted - having a thorough understanding of how their systems work, they understand implicitly how certain code affects performance and other basic do's and don'ts. The new developer, on the other hand, may not have the benefit of a formal programming education, and many programming tutorials assume a basic level of knowledge.

I've written this article to emphasize the basics for the new programmer. It applies to web development in any language, but since I do my development work in PHP (usually building the php(Reactor)), I'd like to share it with the PHP community.

Whenever I talk to people about web development I always lead in with the question "What do you think is most important for building web sites?" I get a variety of answers, but 9 times out of 10 the answer is:

"It has to look good" or "Good graphic design."

At that point I take a step back and say "oh ... really?!?! Are you sure"

That usually pauses them. After that, I find my way to the closest white board and go to work. I make a list on the board like so:

• security
• maintainability
• usability
• performance

and then way down at the bottom of the board I put:

• graphic design

Where do I get my priorities? Let me explain in detail. I'll start with security ...

When you're discussing the Internet, security should be the first thing that comes to mind. Unfortunately, security is an extremely complicated issue - even security experts cannot be 100% sure that their network is secure. At most, you can hope to reach a state where you feel comfortable about your network's security.

Now, granted that security poses a distinct challenge, it clearly becomes the priority in your network and application design. Security can be divided into three categories: 1) network, 2) server, and 3) application. For network and server security, installing a quality firewall and hiring a competent system administrator can go a long way towards making you feel comfortable.

Application security, however, is not so easy. Generally software must undergo a series of audits and "trial by fire" before it can be considered anywhere near safe. And even then, some exploits or bugs in the software may go undiscovered for years.

The point is that it takes years for application software to gain the comfortable level of security that is appointed the most secure applications. With that in mind, it makes sense to base your design on fundamental security concepts.

Some quick rules of thumb:

• Always verify any data sent from a client for size and type.


• Be extra careful with scripts that talk to databases - don't give the web server any more permissions that it needs.


• Any file operations done by the web server are high risk. Verify that your permission structure does not grant any unnecessary permissions which could be exploited to damage the system.


• Avoid executing shell commands at all costs.


• Never send clear-text passwords over the network. Use encrypted connections, with ssh or ssl, whenever sending important information.

OK, more on that later, next, we'll talk about maintainability, or, where you are going to spend your time and money.

What's the number one cost in web design? Is it planning the application? Is it building the application for the first time? Is it the cost of the server or the connectivity?

Actually, it's none of these things. The highest cost will be maintaining the application. This is in contrast to traditional systems design, where a majority of expense is in the systems understanding and analysis.

Why the difference? With traditional systems, an application has a typical lifetime of 2 to 4 years. Once the application has reached a stable configuration the design effort is all but finished.

On the other hand, the dynamic aspect of the web makes most applications outdated in months rather than years. Improvements in existing applications are continuous, new content is expected, new technologies appear on a regular basis. A web application must improvise or be replaced. Another way to put it is that web software is in a continual prototyping process - user feedback and design demands are much more prevalent than in their traditional counterparts.

The fact remains that your software must be frequently modified and updated. Realizing this at an early point in the design phase is crucial to making maintenance easier in the future. Trust me, I've learned the hard way.

Build customization variables into your code. Separate code and content. Use templates. Use style sheets. Make the language of your site customizable. Develop a common coding style and stick with it. Comment your code well.

To put it simply, you can do what we do, and build everything for distribution. It may seem like an unnecessary investment of time and resources if you a designing for one customer only, but, trust me, when the client starts asking you to make changes, you'll thank me.

Next, we'll take a trip to the other side of the application: the user ...

What is usability? Usability is the is the study of how to make using applications easy and intuitive. It seems really obvious, but it is frequently overlooked and is the #1 stumbling block of new designers. Rather than delve into the intricacies of web usability (an inspection of Jakob Nielsen's useit.com is recommended), I'll try to boil it down into a few simple guidelines.

Computer programmers rely on the Internet for their work - it is the only place for many of the tools they need. I myself am severely impeded without a network connection. This reliance on the Net gives programmers a unique perspective on how to make things usable; as they use the Net more than anyone else, they know how to make processes and common actions as efficient as possible.

New users, on the other hand, may have little or no technological background. They can't be expected to read manuals; they may not even have access to manuals. For that reason, the design goal is to make your software intuitive to the point where anyone can learn it on the fly.

...means you have to do it too. People expect things to work in a certain way (i.e. so it becomes intuitive). If your application doesn't work like everyone else's, people may not understand it, or worse yet, think it is broken. Pay attention to how other sites handle forms, logins, and the like and make sure your interface is equivalent.

The greatest threat to good usability comes from poor download speeds. A slow download breaks a user's train of thought. In a business environment it's pure inefficiency. In a consumer environment it's lost sales. The guidelines I like to use are as follows:

• Great: < 8 KB/page (text and images)
• Good: 8 - 20 KB/page
• Reasonable: 20 - 50 KB/page
• Poor: 50 - 100 KB/page
• Don't: > 100 KB/page

Now, some might say that those numbers are outdated. After all, broadband is here, isn't it? Not quite. The majority of Internet users are on a dialup. More importantly, the advent of new technologies and networks goes in two directions - large and fast or small and slow. Good usability dictates that we satisfy both extremes.

When in doubt, use Google as a guideline. The size of their index page is carefully and deliberately calculated.

Last but not least, let's talk performance:

Performance on the web is straightforward: a relatively small amount of servers must be able to support a potentially unlimited number of clients. Any code running on the server must be clean and fast.

When inspecting code for performance issues, I look at two things: 1) database queries, and 2) disk reads.

Database queries are a critical part of most applications. Optimizing databases is a topic unto itself and I can't possibly cover it here, but I can give some coding tips in order to ease database optimization.

• Number your queries in your code. This will help you keep track of how many queries are involved in a certain process, and will save you time when trying to optimize your scripts.


• Create proper indexes. Optimized indexes are key to database speed. Any fields which are routinely queried against should have indexes. Don't create too many indexes, as unnecessary indexes will slow INSERTs and increase the database size unnecessarily.


• Test, test, and test again. Poorly written queries can kill a database server. Take the time to gauge the performance of your queries and understand what the database needs to do in order to execute them.

After database queries, disk reads are your next largest performance worry. It is common in scripted languages (like PHP or Perl) to keep groups of functions and variables in separate files in order to ease maintenance and make code more readable. While doing so has it advantages, we have to remember that every include() or require() statement involves a disk read, and every disk read increases load on the web server.

Basically, we want to design our applications to have a minimal number of included files, or perhaps include the code explicitly when our application has become relatively stable.

Now, let me close by returning to our original concern: graphic design.

Graphic design is indeed important, but, in my opinion, it is not the priority. Why? Because it is only one facet of the application. One of my sites has over 70,000 pages stored in a database. I designed the site so that if I want to change the look and feel, all I have to do is change two or three files and 70,000 pages are instantly updated with the new look.

Basically, changing the graphic design of the site is as easy as changing your t-shirt - there is no great expense involved. That's why I don't consider graphic design a priority - if the site is designed well, it can change it's looks with the style of the day.

If you're interested in learning more about web application design, I recommend two places:

• Jakob Nielsen's Alertbox, a monthly column on web usability. Alertbox is a great resource, I would recommend reading many of the back issues if you have not done so already.


• Philip Greenspun's Philip and Alex's Guide to Web Publishing, a great book with many insights into web development. A must-read for anyone programming for the web.

I'll try to get more technical in my next article. Until then, have fun coding!

--Angus