DatabaseDesign
This page contains notes about database design. For the moment the page is a stub.
Web programming with PHP
This section contains notes I took while I was coding Little Go for the Web.
General Database access principles:
- Only use prepared statements to prevent SQL injection attacks.
- Whenever reading data from the database that may have been supplied by a user, that data is immediately put through
htmlspecialchars()to prevent XSS attacks.
The following notes target MariaDB:
- All ID columns are numeric and have type
bigintto prevent overflows. - All ID columns use
AUTO_INCREMENTso that the code does not have to deal with generating new IDs. - The session key is defined using 128 characters length to guarantee sufficient space to store the session ID generated by the PHP function
session_id(). The length of such a session ID is variable and depends on various configuration elements inphp.ini, among them the hash algorithm. I didn't decide on length 128 because of any official documentation, but because of a user comment in the PHP docs forsession_id(). Originally I had planned to use a UUID as the session key, in that case it would have been sufficient to use length 36 for the session key. Unfortunately PHP does not have a built-in function to generate UUIDs, and since I didn't want to use a separate PHP library just for generating UUIDs, I decided to fall back onsession_id(). - For time data I am using a numeric column to store the number of seconds since 1 January 1970. The data type should be
bigintto get around the Y2038 problem. In the PHP code, however, I'm using the data typeintbecause that is the data type returned by thetime()function. The size of PHP'sintis platform dependent.
