Payroll

Shared by: XIAOHUI MA
posted:
10/23/2009
Best practices in writing Markup:
# The document must validate as HTML or XHTML
# The document must have a DTD
# The document must have a character encoding, either through an HTTP header or a meta tag
# It's good to have the language defined for the document
# All attribute values should be quoted. In XHTML, quotes are mandatory
# Element and attribute names should use a consistent case to enhance readability; lowercase is preferred
# Never put a block-level element inside an inline element
# Make sure markup is complete and conforms to accessibility standards
# Make sure that the markup is semantic and the application is progressively enhanced
# Code should be well commented to help maintaining developers get a fast grip of the basic structure and key concepts
# Code should be consistently indented, tabs preferred over spaces.
# Images, image maps and scripted content must have an alt attribute with an appropriate value
# Script and style tags must have a type attribute
# JavaScript code should be included using external files for caching and better maintenance.
# When defining tables, make sure thead and tbody sections are properly defined.
# When creating forms, input elements are to be grouped using fieldsets.

Best Practices in writing CSS
# It's good if CSS validates
# Elements should be positioned with CSS 2, not tables
# All ornamental lines, borders, background colors and images, underlines and other decorative elements should be rendered with CSS 2
# Do not use 0px or 0pt. Zero is zero, so don't include a unit type. For all other cases, CSS requires you to specify units on all quantities such as fonts, margins and sizes. Example: margin: 0 4px 0 2em;
# All style sheets should be included in reusable, centrally maintainable, and cacheable external CSS files, not as redundant code within the HTML files
# Text should be formatted with CSS 1, not with font tags.
# Try to avoid applying padding/borders and a fixed width to an element.
Rather, apply padding to the parent element
# CSS classes and IDs must be valid, i.e. beginning with a letter, not a number or an underscore. IDs must be unique. Their names should be generic and describe functionality rather than appearance
# Avoid too many CSS hacks
# External CSS files should be sent with the correct MIME type (text/css)
# The cascade can be very powerful, but sometimes there is a temptation to use the same generic class name in many places. Put your class name on the outermost element. The child elements can be targeted with the parent element's class name or ID
# Make sure YUI foundation CSS and YUI grids are used in your web application

Important points noted while fixing some issues in CSS
# z-index only works on elements that have been positioned.
# An element that has been positioned absolutely will be displayed in relation to the first parent element that has a non-static position.
# Properties like top, left, right, bottom have no effect when an element has static positioning.
# Setting the top or left properties in relative positioning will cause the element to be shifted in relation to its original position.
# Fixed positioning works by positioning an element relative to the browser window.
# There are two ways in CSS to hide an element: visibility: hidden and display: none. Both have their own advantages and disadvantages.
# The visibility property toggles whether an element is visible or not, while still leaving its normal flow properties intact.

Semantics
Semantics refers to aspects of meaning, as expressed in language or other systems of signs. In the context of the web: HTML for content, CSS for style, JavaScript for behavior, Ajax for remoting for enhanced UE. Tables are to be used to represent tabular data only, not for page alignment.

Character encoding
A character encoding is a method of converting bytes into characters. To validate or display an HTML document, a program must choose a character encoding.
An HTML document must specify its character encoding. The preferred method of indicating the encoding is by using the charset parameter of the Content-Type HTTP header. For example, to specify that an HTML document uses ISO-8859-1, a server would send the following header:
Content-Type: text/html; charset=ISO-8859-1
A less preferred method of setting the character encoding is by using the following tag in the HEAD of an HTML document:

The MIME type describes the format of the file being served.

Specificity in CSS
It is a process used to determine which rule takes precedence in CSS when several rules could be applied to the same element in markup. For every element name add 1 to specificity, for every class name add 10 to specificity, for every id name add 100 to specificity. If two elements have the same specificity, then order matters.

JavaScript Closures:
A closure is the local variables for a function, kept alive after the function has returned. A closure is a stack frame which is not deallocated when the function returns. In JavaScript, if you use the function keyword inside another function, you are creating a closure. A closure is a variable, created inside a function, which continues to exist after the function has finished executing.

Advantages of Table-less structure:

XHTML
It is an XML-based markup language that has the same set of element types and attributes as HTML 4. XHTML is case-sensitive, HTML is not. All tags and attributes must be lowercase in XHTML.

Xmlns

Differences between HTML and XHTML
# XHTML elements must be properly nested
# XHTML elements must always be closed
# XHTML elements must be in lowercase
# XHTML documents must have one root element

Document Type Definition
Needs to be specified to enable validation with SGML tools. Not specifying a DTD will make the browser run in quirks mode. The DTD is specified using DOCTYPE.

HTML Declaration
The doctype declaration should be the very first thing in an HTML document, before the tag.
The doctype declaration is not an HTML tag; it is an instruction to the web browser about what version of the markup language the page is written in. The doctype declaration refers to a Document Type Definition (DTD). The DTD specifies the rules for the markup language, so that the browsers can render the content correctly. Different doctypes available in W3C recommendations are HTML 4.01 Strict, HTML 4.01 Transitional, HTML 4.01 Frameset, XHTML 1.0 Strict, XHTML 1.0 Transitional… The original purpose of the DOCTYPE declaration only had to do with markup validation. A validator needs to know against which document type definition (DTD) to check for compliance. The DOCTYPE declaration serves two purposes: it tells a validator against which DTD the document claims conformance, and it is used by browsers to determine the rendering mode to use.

Layered Page Development
A framework that suggests building an application in layers. Core functionality goes in the base layer. Functionality and style are added as layers: CSS for styles, JavaScript validation and DHTML effects, DHTML widgets to improve usability, and Ajax calls to reduce network transfers and improve application responsiveness. Each layer is added unobtrusively.

Content Type is everything
When a web site sends a document to the visitor's browser, it adds a special content type header that lets the browser know what kind of document it is dealing with. For example, a PNG image has the content type image/png and a CSS file has the content type text/css. The content type for HTML is text/html. XHTML does not have the same content type as HTML. The content type of XHTML is application/xhtml+xml. Currently web servers don't have this content type registered, so server-side configuration has to be set, or a server-side scripting language like PHP has to be used to set the content type.

Meta tag in HTML
Metadata is information about data. The meta tag provides metadata about the HTML document.
Metadata will not be displayed on the page, but will be machine parsable. Meta elements are typically used to specify the page description, keywords, author of the document, and last modified date. The meta tag always goes inside the head element. The metadata can be used by browsers and search engines.

DTD (Document Type Definition)
The document type definition defines the elements, attributes, and character entities which exist in the language and where those elements are to be placed.

DHTML (Dynamic HTML)
DHTML is not a language. It is a term used to describe different combinations of HTML, JavaScript, DOM and CSS that can be used to create more dynamic web pages.

JavaScript
JavaScript is a scripting language which is used to add interactivity to web pages. JavaScript in the body section will be executed while the page LOADS, whereas JavaScript in the head section will be executed when CALLED. The JavaScript Navigator object contains information about the visitor's browser. JavaScript built-in objects: String, Date, Array, Math etc.

HTML DOM
The HTML DOM defines a standard way for accessing and manipulating HTML documents. It allows programs and scripts to dynamically access and update the content, structure and style of a document. The DOM models HTML as a set of node objects. The nodes can be accessed with JavaScript or other programming languages.

Super globals
Superglobals are built-in variables that are always available in all scopes. Example: $_ENV, $_SERVER, $_REQUEST, $_FILES, $_COOKIE, $_SESSION

$_ENV
This is a superglobal, or automatic global, variable. This simply means that it is available in all scopes throughout a script. There is no need to do global $variable; to access it within functions or methods. These variables are imported into PHP's global namespace from the environment under which the PHP parser is running.
Many are provided by the shell under which PHP is running, and since different systems are likely running different kinds of shells, a definitive list is impossible.

$_SERVER
$_SERVER is an array containing information such as headers, paths, and script locations. The entries in this array are created by the web server. There is no guarantee that every web server will provide any of these; servers may omit some, or provide others.

Include_path
It is a configuration directive. It specifies a list of directories where the require(), include() and fopen_with_path() functions look for files. The format is like the system's PATH environment variable: a list of directories separated with a colon in Unix or a semicolon in Windows.

Open base dir restriction
The open_basedir function defines the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside of the paths defined by open_basedir, PHP will refuse to open it. You cannot use a symbolic link as a workaround, because the path that the symbolic link resolves to falls under the restrictions of the open_basedir function.

.htaccess
.htaccess files (or "distributed configuration files") provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory and all subdirectories thereof.

CURL
curl is a tool to transfer data from or to a server. It supports a huge number of protocols. With the help of curl we can safely fetch data from remote sites.

HTTP
HTTP is stateless, i.e. the client doesn't remember the server if it goes for the second time. Some methods such as GET, HEAD, OPTIONS and TRACE are safe because they are intended only for information retrieval and should not change the state of the server.
Because the Internet hosts many thousands of different data types, HTTP tags each resource with a data format called a MIME type. Hostnames can be easily converted to IP addresses for resources through a facility called Domain Name Service. When the port number is missing from the HTTP URL, we can assume the default value of port 80.

HTTPS
HTTPS is the secure version of HTTP. HTTPS combines the HTTP protocol with a powerful set of symmetric, non-symmetric and certificate-based cryptographic techniques, making HTTPS very secure. Instead of sending messages unencrypted to TCP, HTTPS sends messages first to a security layer (Secure Sockets Layer, SSL) that encrypts them before sending them to TCP. If a URL has https://, the client opens a connection to the server on port 443 and then handshakes with the server, exchanging some SSL security parameters with the server in binary format, followed by encrypted HTTP commands.

Headers
The most common use of headers is to redirect the user to another page.
Caching: By default, most browsers will attempt to cache as much data as they download. This is to save the user's time and reduce bandwidth. However, caching the data is not always desirable. By setting the "Expires" header to a past date and "Cache-Control" to "no-cache", we can tell the browser not to cache the data.

SQL injections
SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database. mysql_real_escape_string is one solution: it takes the string that is going to be used in a MySQL query and returns the same string with all the sql.
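The injection described above, shown next to the parameterized form. This is an added example, not part of the original notes: the in-memory SQLite table, its rows, the function names and the sample inputs are constructed for illustration, and PDO stands in for the MySQL API the notes mention.

```php
<?php
// Constructed schema and data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)');
$pdo->exec("INSERT INTO employees (name, salary) VALUES ('alice', 5000), ('bob', 4200)");

// Vulnerable: the input becomes part of the SQL text, so a quote in it
// ends the string literal and whatever follows is parsed as SQL.
function findUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name, salary FROM employees WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement is parsed with a placeholder first; the input is
// bound afterwards and can only ever be compared as a value.
function findSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, salary FROM employees WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary name, a name with an apostrophe, and a
// value shaped like SQL instead of a name.
$inputs = ['alice', "o'brien", "nobody' OR 'a'='a"];

foreach ($inputs as $input) {
    try {
        $unsafe = count(findUnsafe($pdo, $input)) . ' row(s)';
    } catch (PDOException $e) {
        $unsafe = 'SQL error';   // the input broke the statement syntax
    }
    $safe = count(findSafe($pdo, $input)) . ' row(s)';
    printf("%-22s unsafe: %-10s safe: %s\n", $input, $unsafe, $safe);
}
```

The mysql_* functions, including mysql_real_escape_string, were removed in PHP 7.0; bound parameters through PDO or mysqli are the replacement.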
Cross-site Scripting (XSS)
The main goal of cross-site scripting is to steal the client's cookies, or any other sensitive information which can identify the client with the website. XSS attacks are the result of flaws in server-side web applications and are rooted in user input which is not properly sanitized for HTML characters. XSS attacks are possible if the input entered by the user is not properly validated or cleaned. XSS attacks begin with the identification of user input which is not properly validated. Once such a variable is identified, code may be injected to exploit this opening. Since the code is inserted under a different site, it can take advantage of variables, and the attacker gets whole access to the site. XSS is related to the application performing insufficient data validation.

Cross-site Request Forgery (XSRF)
XSRF is about the predictability of the structure of the application. XSRF is a confused attack against a web browser. For example, one user, Bob, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references a script on Bob's bank's website (rather than an image file), e.g.,
If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.
CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
To avoid CSRF, make sure that a request is sent by the user, not by the browser. When a user visits a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this pseudorandom value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. When an attacker submits a form on behalf of a user, he can only modify the values of the form. An attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can send any value he wants with the form, he will be unable to modify or read the value stored in the cookie. Since the cookie value and the form value must be the same, the attacker will be unable to successfully submit a form unless he is able to guess the pseudorandom value.
The root of the problem is that web authentication normally assures a site that a request came from a certain user's browser, but it does not ensure that the user actually requested it.

Ajax
Declare an XMLHttpRequest object. It has three properties: onreadystatechange (stores the function that can receive data returned by the server), readyState (status of the server's response), and responseText (data sent back by the server is stored here).

"this" keyword in JavaScript
The keyword this actually refers to the entire HTML tag for the object to which it refers. The this keyword serves as a way to access the current object within the scope of a function.

Sessions
Sessions are used to create a measure of state in between requests. Sessions are started in one of two ways.
You can either set PHP to start a new session automatically whenever a request is received by changing the session.auto_start configuration variable in the php.ini file, or explicitly call session_start() at the beginning of each script. Once the session is started, we can access the data in the $_SESSION superglobal array.

Unix commands
du: disk usage utilities (du -sh)
df: display disk free space (df -h)

GRANT SELECT ON Backyard.Employees TO 'payroll'@'10.66.84.99' IDENTIFIED BY 'payroll01';
(grants privileges to user payroll with password payroll01)
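The cookie-and-form-value check described in the CSRF section above, written out in PHP. This is an added example, not part of the original notes: the name csrf_token, the function names and the sample requests are constructed for illustration.

```php
<?php
// Double-submit check: the same random value must arrive both as a cookie
// and as a form field. The name below is illustrative.
const CSRF_NAME = 'csrf_token';

// Called when rendering a form: create the value, set it as a cookie and
// return it so the page can embed it in a hidden form field.
function csrfIssue(): string
{
    $token = bin2hex(random_bytes(32));      // cryptographically strong, 256 bits
    if (PHP_SAPI !== 'cli') {                // no response headers on the command line
        setcookie(CSRF_NAME, $token, ['path' => '/', 'secure' => true]);
    }
    return $token;
}

// Called on every state-changing POST. $cookies and $form are passed in
// (normally $_COOKIE and $_POST) so the check can be exercised offline.
function csrfIsValid(array $cookies, array $form): bool
{
    $cookie = $cookies[CSRF_NAME] ?? '';
    $field  = $form[CSRF_NAME] ?? '';
    if (!is_string($cookie) || !is_string($field) || $cookie === '') {
        return false;                        // missing or array-typed input
    }
    return hash_equals($cookie, $field);     // constant-time comparison
}

// Constructed requests. In the forged cases the browser still attaches the
// cookie automatically, but the other site cannot read it to copy it into
// the form.
$token = csrfIssue();
$requests = [
    'own form'              => [[CSRF_NAME => $token], [CSRF_NAME => $token, 'amount' => '10']],
    'forged, no field'      => [[CSRF_NAME => $token], ['amount' => '10']],
    'forged, guessed field' => [[CSRF_NAME => $token], [CSRF_NAME => str_repeat('0', 64), 'amount' => '10']],
    'no cookie at all'      => [[], [CSRF_NAME => '', 'amount' => '10']],
];

foreach ($requests as $label => [$cookies, $form]) {
    printf("%-22s %s\n", $label, csrfIsValid($cookies, $form) ? 'accepted' : 'rejected');
}
```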
