In the meanwhile, I’ve been doing some reading.
Let’s talk about usernames: Excellent read. Also, horrifying. As I was reading, I came across this line:
There’s our user table, there’s our unique username column. Easy!
That’s exactly what I was thinking. That’s how to make something unique, right?
And then I kept reading. Case-sensitivity, normalization, punycode, other alphabets… Also, single-script confusables (ie: a lower-case L and a number one and a capital i, l 1 I, all look ridiculously similar in many fonts. Is that a problem? And what about unique emails? Gonna have to take the + sign that Gmail allows and nuke everything after it to ensure true unique mails. Also, remove all periods in the email’s username portion. And what about names like “root” or “admin”? Probably should disallow those, too.
So that alone gets complicated.
Then I did some more reading about PHP web apps in particular, in terms of best practices, just to make sure I’m on the right page. This page, PHP Best Practices, is a great resource. It’s mostly in English, basically, which is useful. Or, at the very least, I can understand it. It also goes into detail about why or why you should not use a specific way of doing things.
So in terms of storing passwords, I’d been right — this resource recommends bcrypt hashing. That’s wonderful.
In terms of connecting to, and querying, a MySQL database, not do much. Turns out the method I hated most (PDO – PHP Data Objects) when learning is the newest and most robust method, particularly when using prepared statements. All of my testing code to date uses mysqli, so that’s something I need to rewrite to ensure it works okay.
So lots of reading and understanding done there and more to come, I’m sure.
In other news, I successfully installed a Let’s Encrypt SSL certificate all by myself for one of my (many) domains. The only bummer is that they expire every three months. Still, refreshing them takes like, five minutes. So it’s not too bad. And it’s free! That’s one of my projects for this spring: Get all of my sites to be on SSL, using HTTPS, even though I basically don’t ask for any user information whatsoever. Why? Because Chrome is starting to list things as “insecure”. So that’s something to do.
Finally, in terms of work, can I just say how delightful it is to have a job that allows us to work flexibly? I was about an hour and change short of my 40 hours last week, so I made up the time this weekend. Of course, in making up the time this weekend, I actually worked for almost three hours. So because I worked an extra two hours or so, those are banked against next week’s time. Normally, I work 9-hour days on Mondays or Tuesdays (sometimes both) in order to make up for class on Thursday, but seems as though I won’t need to do so this week. And the bonus is, I’m all caught up on my own outstanding tickets. Whew.
All right, it’s now past midnight, so I should consider going to bed, now. Have an excellent week!