Elmandria Art Community
The Elmandria Art Community is a project I've been working on for about one and a half year. The planned final result is to have an art community for artists to expose (mainly) dragon-themed art. The home page will be found at www.elmandria.com (There is a placeholder there right now, that will stay until the site is open).
In this post, I will attempt to summarize the work that has been done until now and I will post updates as the developement keeps moving on, for the people who are interested. The rest of this post will be fairly technical, but hopefully understandable enough that everyone should be able to get an idea of what's going on.
We are three people working on this project. Etath is the actual owner of the site and she takes care of all user interface design + any artistic work related. I take care of all technical aspects, from running and maintaining the server to reading up on standards, designing and writing the code and a lot more. Ethelshai, who is a very good friend of ours, is helping us with all things written (User agreement, text of emails, and so on).
Before getting to making the site itself, I wanted a solid engine to run under it. Hopefully, something that was both secure and fast, while still having the features I needed, so I started by designing that. I began with a limited template engine that could piece together documents from several files, allowing for a good separation between the layout and the code itself. It wasn't very advanced at that point. I decided pretty early to allow the engine to have support for multilingual pages and thus added a translation engine and made sure to have UTF8 support everywhere.
At that point, I had one webpage with a header that was sortof looking good and I started working on some backend for the login system. I first needed something to handle the sessions and holding credential informations, reading and writing cookies, and making sure that everything was properly secured. I wrote a session manager to take care of that and all aspects pertaining to session handling. The next issue to solve regarding login was permanent storage. As a storage engine, I chose to use MySQL since I'm pretty familiar with it already and it has served me well in the past.
The real difficulty with permanent storage is to decide how to make the communication between the site and the database safe. The first part of the problem is to decide what should be responsible for extracting the data from the database and turn them into a usable form for the site. There are two school of thoughts on this: one saying that the code used to get and process information from the database should be stored in the database, along with the data, in what is called "stored procedures". The other approach is to do it to "simply" have all the code for queries and processing information directly in the program code. Both have advantages and inconvenients, but both fail to solve at least some important issues. Needless to say, this is also the topic of quite a few flamewars around the web.
The second part of the problem is how to ensure that the connection to the database can be made while keeping the database credentials safe. The usual approach is to have the credentials stored in one file that can be accessed by the code, but that is restricted for access via http, but this means the file still has to be readable to the web server user for executing the code. There are a few other approaches described online but at the end of the day, they let the webserver user have access to those credentials, so having the web server compromissed can mean that the database credentials have been obtained.
To solve these two issues and some other, I decided to make an additional small application, which I called database accessor, to be used as a proxy between the database and the website engine. The database accessor runs as a different user than the webserver and it alone needs to know the database credentials. The site engine only needs to send it commands via some socket and it executes them on the database then sends back the result. One can add modules to it to add commands that can be executed.
In addition, I made another small application to similarly isolate a private key used for cryptographic operations. The app is requested by the site engine to perform the operation and receives the data then sends back the data after processing, effectively isolating the key from the webserver
Once this was done, I wrote a registration page and did some fixing in the template engine, then I made the login work. The next step was to get the "remember me" functionality to work, but at that point, I ran in trouble with the handling of cookies and I ended up rewriting quite a bit of the database accessor. I changed the code that handled the login to be instead made by an user defined module and simplified quite a few things. A bit earlier, I rewrote the handling of the connection between the site engine and the database accessor to allow multiple parallel connections, to improve the code quality and to allow debugging of the communication between the processes. From that point, the database accessor has worked fairly well and I only fixed some minor bugs in it.
The next, small step I took was to check everything over for UTF8 compatibility and add some related functions. Then I did some reorganization of the existing template code I had been writing to have more reusability and I did some important security fixes to the engine
The next important task was to set up the introduction email sent upon registration. The requirement was to have it sent as HTML, so I added a few classes to generate correct MIME mulitpart emails with correct encoding ( the PHP MIME-related functions were not satisfactory for this ). I also spent a good amount of time rewriting the BB Code parser I had written several years ago, so that it could be used for allowing to translate the email text with formatting, and have UI strings with formatting as well. Of course, it will also be available for user content.
The last few days, I've fixed some more potential security issues and I've started working on the language selection page/popup... and this is basically it. I've glossed over quite a many details and skipped a few things (mostly the whole apache, php and sendmail configuration parts) but this should give you a good idea of where the project actually is at the moment. Again, I'll post updates here as I go to keep the people interested up to date with the progress.