1. Set all warnings and errors to ‘on’ in php.ini file.
2. Set register_ globals to ‘off’ in php.ini file.
3. Set magic_quotes_gpc to ‘off’ in php.ini file.
4. Set magic_quotes_runtime to ‘off’ in php.ini file.
5. Test in browser with javascript errors on.
6. Make an include file for all settings and variables.
7. Check data entry with single quotes and double quotes.
8. Use stripslashes() when fetching data.
9. Use nl2br() when printing data (entered from a textarea) in html pages.
10. Use encrypted query strings where required.
11. One user must not be able to see the records of another user by tampering with the query string variables.
12. Use image resizing wherever required.
13. Do not resize images that are smaller than the specified size.
14. When uploading file, display allowable file types and maximum upload size like: JPG, PNG and GIF Only. Max file size 2 MB.
15. All forms should come filled in, in case of any errors in filling the form, so that user does not have to type all info again.
16. All deletes must be confirmed before deletion.
17. Use lipsum for dummy text. Get it from www.lipsum.com.
18. When a search or view record is not found, please show a message, “No record found.”.
19. Check for cascade deletions where required or warn for child record entry.
20. On all submitted forms, especially contact us pages, please check referrer.
21. Make messages like this:
    • Username is a required field.
    • Your passwords do not match.
    • This category cannot be deleted as it is being referred to in a subcategory. Please delete the subcategory first.
22. Delete corresponding images when deleting records from database.
23. All forms must be validated.
24. Use date picker or date combos whenever date is required to be entered.
25. Paginate when required.
26. When writing insert and/or update SQL queries, always write field names and then values. Do not insert or update all values.
27. When writing database queries, always use quotes, even for numeric fields. This is for MySQL database.
28. Table names and field names should be like this:
    • Table name: databasename_tablename
    • Field name: tablename_fieldname
29. Some commonly used field sizes should be as below:
    • username: varachar(20)
    • password: varchar(20)
    • firstname: varchar(15)
    • lastname: varchar(15)
    • fullname: varchar(30)
    • phone: varchar(15)
    • fax: varchar(15)
    • email: varchar(50)
    • address: text
    • city: varchar(20)
    • state: varchar(20)
    • zip: varchar(12)
    • country: int (to come from from country’s table).
    • url: varchar(255)
    • amount/price: double
    • date: date
    • timestamp: bigint
30. Please set textbox’s max attribute to what it is in the database.
31. Add server timeout when required.
32. Test all your applications on multiple browsers.
33. Give alt tag to all images
34. Give title tags to images and hyperlinks.
35. There is always space after a comma, a colon, a semi-colon and a full stop and not before them.
36. Place an index page (with page title and text as “Access Denied” in all folders without index page to stop directory browsing. Or stop directory browsing using htaccess file.
37. Show dates in full date format (January 10, 2012)
38. Make admin login window database driven.
39. All forms submitted, leading to select statements most have GET method.
40. All views must be ordered by their respective fields.
41. In user manager, the application must not be able to delete self and must not be able to delete the admin level user.
42. Password protect admin folder with database driven module. Do not depend on password protecting admin folder.
43. Use meta tag to redirect to log out page for auto log out when required.
44. Always use die() with queries.
45. Set auto complete off for login forms.
46. Stripslashes() in email messages.
47. Use substr where required to show long messages like “Lorem ipsum dorit…”.
48. Format numbers as 24.00 where required.
49. Spell check
50. Write recommended size for pictures
51. Contact and similar pages should go to thank you page.
52. Required field must be marked with *.
53. Use inner joins where required.
54. Use enum data type where required.
55. Close connections at page end or before redirection.
56. Clean up test files before uploading.
57. Use frame busters where required.
58. Centre pop up windows.
59. Delete images before updating them. Either check if exists before deleting or use @unlink.
60. Mark all required fields with * in all forms.
61. To get file path, use the following as it works on Apache and IIS.
• $url_to=”http://”.$ HTTP_HOST.$SCRIPT_NAME;
62. Set different session names for admin and public users.
63. Remove all test email addresses that send forms to you.
64. Some sample messages at below.

Signup: Thank you very much for registering. Your account is now active and ready to use.

Contact Us: Thank you for contacting us. Your message has been sent to the concerned department and you will be contacted back shortly.

 

Profile Update: Your profile has been updated successfully.

 

Bug report submission message: Thank you very much for your time. Your reported bug/error has been routed to the concerned department for further action.

 

Lost Password: Your login information has been mailed to your email@domain.com.

 

Wrong Login info for Lost Password: Invalid login information; please provide the email address you used when you registered with us.

 

Lost Password Email:

 

Subject: Your SITE_NAME Login Information

 

Dear Member Name,

 

Your SITE_NAME login information is as below.

User Name: username

Password: password

The SITE_NAME Team

Registration Email to the member:

Subject: Welcome to SITE_NAME

Dear Member Name,

We welcome you to SITE_NAME. Your login information is as below and you can change your password anytime after logging in to the web site.

User Name: username

Password: password

The SITE_NAME Team