Stanford Web Application Toolkit
From Web Services Wiki
The Stanford Web Application Toolkit (SWAT) is a set of tools designed to assist Stanford web developers in creating secure and robust PHP-based web applications. It gives the programmer straightforward methods for connecting to the database, searching the directory, authorization, sending e-mail, handling file uploads, defending against SPAM, and other common-but-often-tedious tasks. SWAT has three primary goals: security, accessibility, and ease of use. The toolkit is broken down into several modules.
StanfordApp
This module functions as a lightweight framework for Stanford web applications. Using StanfordApp, you may load a YAML-formatted configuration file with your site's basic information, database configuration, and other settings.
StanfordAuthorization
In conjunction with WebAuth, StanfordAuthorization serves as a convenient way to perform fine-grained authorization to permit or deny certain people from accessing parts of your application.
- How to set fine-grained access controls in conjunction with WebAuth
- How to check if a script is behind WebAuth
- How to log a user out of WebAuth
StanfordData
StanfordData is split up into two subclasses: StanfordTextFile and StanfordDBQuery. The former is useful for parsing, sorting, and displaying data contained in CSV files. StanfordDBQuery works nearly identically, but instead of parsing CSV files, it reads from a MySQL database. Both classes feature a method for displaying retrieved data in an HTML table that may be easily styled and customized.
- How to parse, sort, and display a text file
- How to retrieve, sort, and display information from a database
A simple extension of PHP's MySQLi, this module greatly simplifies database-related functionality at Stanford. Enabling MySQL-based sessions is one line of code, and turning on encryption is just as easy.
- How to configure and access MySQL
- How to set up MySQL-based PHP sessions
- How to securely store data into MySQL
StanfordDirectory / StanfordPerson
Writing raw LDAP queries and parsing the results using PHP is far from straightforward, which is why we developed these classes. StanfordDirectory connects and binds to the directory in order to perform searches, while StanfordPerson provides an intuitive means of getting basic information about Stanford users.
- How to get information about users in the directory
- How to get the currently logged-in WebAuth user
- How to search the directory for specific information
StanfordEmail
It is easy to send e-mail using PHP, so easy that many developers overlook the potential security flaws. StanfordEmail is a secure extension of the open source project PHPMailer. It adds error detection and reporting, automatic mail server configuration, and easier-to-understand functions. Securely adding file attachments takes only a couple of extra lines of code, so you don't have to write your own MIME headers.
StanfordFileUpload
Allowing file uploads is another convenient feature of PHP that by default comes with a plethora of potential security holes. StanfordFileUpload is a great improvement over PHP's default file upload behavior. With automatic, built-in error detection and reporting and easy ways to set restrictions on the types of files uploaded, this module attempts to protect against many of the problems that affect web applications everywhere.
StanfordForm
SPAM is a huge problem, and while many websites have begun adding CAPTCHAs and other less-than-accessible approaches to solving it, we developed a non-intrusive countermeasure designed to make bots reveal themselves, rather than requiring humans to prove they are not bots. StanfordForm provides this SPAM protection along with some general error-handling functions.
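The default-versus-restricted upload handling described above, as an added PHP example that is not SWAT's own code (StanfordFileUpload's API is not shown on this page); the function names, the extension allow-list and the size limit are this example's own assumptions:

```php
<?php
// Added example, not SWAT code. Shows the risky default pattern beside a checked one.

// Risky default: trusts the client-supplied name and type and ignores PHP's error codes.
function save_upload_naive(array $file, string $destDir): string {
    $target = $destDir . '/' . $file['name'];        // client controls the stored filename
    move_uploaded_file($file['tmp_name'], $target);  // no error, size or type check
    return $target;
}

// Checked version: PHP error code, size, content-detected MIME type, extension allow-list,
// and a server-chosen filename. Allow-list and limit are assumptions for this example.
function save_upload_checked(array $file, string $destDir, int $maxBytes = 2097152): string {
    $allowed = [                     // extension => MIME type expected from the file contents
        'png' => 'image/png',
        'jpg' => 'image/jpeg',
        'pdf' => 'application/pdf',
    ];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with PHP error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {      // only accept files PHP placed for this request
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not permitted');
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);     // derived from contents, not from $file['type']
    if ($detected !== $allowed[$ext]) {
        throw new RuntimeException("content type $detected does not match .$ext");
    }
    // Random server-chosen name discards client path components and any extra extensions.
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $target;
}

// Usage (assumed form field name "document"):
// $path = save_upload_checked($_FILES['document'], __DIR__ . '/uploads');
```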
StanfordLog
Logging is an essential feature of any site, whether the goal is to track user activity or record errors. StanfordLog contains two subclasses: one for logging to a database (StanfordLogDatabase) and one for logging to a file (StanfordLogFile). Each of the logging classes may be configured to periodically send the latest log entries to the site administrator via e-mail (using StanfordLogEmailSettings).
StanfordUtil
StanfordUtil is a collection of miscellaneous tools that require little-to-no configuration. Operations such as undoing magic quotes and setting up custom error reporting each require only a single line of code with this module.