

ergophobe - 6:41 pm on Nov 24, 2009 (gmt 0)


>>develop a site like elance

Not trying to be snide, but is this a serious request?

You need a serious apprenticeship, if you are going to build a complex site like elance that matches strangers, takes credit cards and runs an escrow system. I would say that no site like that should ever be built by a single programmer without at least one other set of eyes to run code audits and so forth.

That said, you can get a lot of the pieces of such a site in ready-made scripts and try to piece them together. Others have done it. But before you build a site that handles money and exposes you to serious liability, it would be nice to find a chance to work with a team that really does security right.

So getting a site that kind of works like elance is a tall, but not insurmountable, order. Getting one that works like that and is rock solid in terms of security will be much harder. That last 0.1% of refinement in the code is what makes the difference there.

A couple other comments on rocknbill's post.

>>assume "my customers won't...

There's an adage along the lines of "Be permissive in what you accept, strict in what you return".

Following that goes a long way to achieving stability, security and usability in an application. To give one example, let's say you have a phone number blank on your form. Being permissive in what you accept means that you would accept
(209) 555-1212
209.555.1212
2095551212
etc

Being strict in what you return means that the function that reads in the phone number data would realize that only numbers matter and anything else could be used by a hacker or lead to unexpected data being sent further down the pipeline. So the first thing your function would do is strip out anything that's not numeric, verify that it fits the requirements for a phone number (10 digits in the US or Canada), and so forth. So the function would be very strict about what it passes on to other parts of the program.

- Learn some basic debugging procedures. Learn to simplify use cases, learn to boil something down to its essence for testing purposes. I think my ancient post on troubleshooting in PHP [webmasterworld.com] is still decent advice and the ideas can be generalized to CSS and HTML problems as well.

And for a more lighthearted look at how not to code, [webmasterworld.com...]
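
Added example, not part of the original post: the phone-number handling described above (accept any common formatting, strip everything that is not a digit, verify 10 digits, pass on only the canonical value), sketched in Python. The function names, the `MAX_RAW_LEN` cap, the leading-`1` country-code handling and the rule that area code and exchange start with 2-9 are assumptions that go beyond what the post states.

```python
import re

MAX_RAW_LEN = 32                      # assumed cap on raw form input
# ASCII digits only: \d and str.isdigit() also accept non-ASCII Unicode digits.
_NON_DIGIT = re.compile(r"[^0-9]")
# Assumption beyond the post: area code and exchange begin with 2-9.
_NANP = re.compile(r"[2-9][0-9]{2}[2-9][0-9]{6}")


def normalize_phone(raw):
    """Return exactly ten ASCII digits, or raise ValueError."""
    if not isinstance(raw, str):
        raise ValueError("phone number must be text")
    if len(raw) > MAX_RAW_LEN:
        raise ValueError("input too long")
    # Permissive in what is accepted: drop all formatting and stray characters.
    digits = _NON_DIGIT.sub("", raw)
    # Assumption: an 11-digit value with a leading 1 carries the country code.
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    # Strict in what is returned: nothing but a valid 10-digit value leaves here.
    if not _NANP.fullmatch(digits):
        raise ValueError("not a 10-digit US/Canada number")
    return digits


def format_phone(digits):
    """Render the canonical value; call only with normalize_phone() output."""
    return "({}) {}-{}".format(digits[:3], digits[3:6], digits[6:])


# Constructed sample inputs, as they might arrive from a form field.
SAMPLES = [
    "(209) 555-1212", "209.555.1212", "2095551212", "+1 209 555 1212",
    "(209) 555-1212<b>",       # markup is stripped, only digits survive
    "555-1212",                # too short: rejected
    "\u0662\u0660\u0669\u0665\u0665\u0665\u0661\u0662\u0661\u0662",  # non-ASCII digits
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print(repr(sample), "->", normalize_phone(sample))
        except ValueError as err:
            print(repr(sample), "-> rejected:", err)
```

Storage, display and any query built later should use only the value `normalize_phone()` returns, never the raw field.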


Thread source: http://www.webmasterworld.com/new_web_development/4009823.htm