Here are some conventions to follow when developping a Claroline module :
1. do not use php short tags '
2. never use external data coming from the user directly : all input data MUST filtered and validated BEFORE using them
3. as a consequence : never use the super globals variables $_REQUEST, $_GET, $_POST or $_COOKIE directly in SQL or HTML code :
3.1.
always escape SQL variables using casting for numbers or
claro_sql_escape() for strings, the use of addslashes is DEPRECATED
since in it does not take mysql escaped chars into account, not
respecting this rule leads to potential execution of arbitrary SQL
queries !
3.2. always protect external data in display by using
htmlspecialchars() or striptags() functions or a similar mechanism, not
respecting this rule leads to potential data stealing from the user web
navigator (cookies, session identifier, identity theft...)
4.
avoid the use of the global namespace through either the global key
worg or the $GLOBALS super variable, not repsecting this rule can lead
to strange side-effect bugs
5. use the Claroline API provided by
the kernel libraries like sql.lib.php, init.lib.php, path.lib.php,
module.lib.php, icon.lib.php, file.lib.php, fileManage.lib.php... they
have been written to answer common tasks and issues in the Claroline
platform and to ensure common behaviour in all the scripts
6. avoid mixing php and html code (except in the Claroline 1.9 template system) to enhance code readability and maintenance
7. as a consequence always separate business logic from display
A more complete developer's documentation will follow as soon as possible.
Thanks for helping to make Claroline a better LMS.
Regards,
阅读(1301) | 评论(0) | 转发(0) |
