Check all of these items yourself to get your product published upon the very first submission.
Configuring test environment
- Minimum PHP version from Webasyst system requirements is installed, or IDE is configured to support that PHP version. If your product's system requirements contain a higher minimum PHP version, then that version must be used for testing instead.
- Download and install the latest version of Webasyst framework.
- The framework must be installed in a subdirectory of the test domain; e.g., at `http://localhost/check/`.
- The backend login URL is changed to a custom one; e.g., `/admin/`.
- Parameter `'sql_mode' => 'TRADITIONAL'` is added to file `wa-config/db.php`.
- Logging of all PHP errors is enabled: `error_reporting = 2147483647`.
- In Site app at least 2 sites with different domain names are set up. For the app being tested, at least 2 settlements are set up: at the site root (`*`) and in a "subfolder" (`shop/*`). Test the app with all settlements of all available sites.
What a submitted product should not have
- Possibility of conflicts with other installed software products.
- More than one directory in the archive root. The submitted archive must contain only one directory named by the product ID.
- Custom code in configuration files `db.php`, `app.php`, `plugin.php`, `settings.php` besides that described in the documentation. In file `routing.php` custom code may be accepted in certain cases when there is no way to avoid it.
- PHP and HTML files and PHP classes in them, named in violation of the recommendations provided in the documentation.
- Unnecessary files which are not used by the product.
- Directories with PHP files, HTML templates, and localization files without `.htaccess` files containing `Deny from all` directive.
- Extra directives in `.htaccess` files.
- Empty subdirectories.
- Values are added to SQL queries without the use of placeholders (recommended method) or conversion to a safe data type.
- PHP code utilizes coding features which are not available in some PHP versions higher than the minimum version from the framework’s system requirements, and there is no such limitation in the product's system requirements.
- PHP extensions are used and their availability is not verified in the working PHP code or in the system requirements.
- Functions `file_get_contents`, `copy`, `get_headers`, class `XMLReader`, or other similar methods are applied to remote resources without checking the value of `allow_url_fopen` parameter, which must also be mentioned in the product's system requirements.
- Any files are saved, modified, or deleted beyond directories designed for this purpose, i.e. `wa-cache/`, `wa-config/`, and `wa-data/`; e.g., in directories `wa-apps/`, `wa-content/`, `wa-installer/`, `wa-plugins/`, or `wa-system/`.
- Names of files or directories contain characters not supported by some operating systems.
- Database tables are created by other means than using file `db.php` (except for meta updates, see details below).
- Database table fields are created by other means than using file `install.php`.
- Repeated execution of code in file `install.php` generates errors.
- JavaScript error messages in the browser error console.
- PHP error messages.
- Error messages in server responses.
- Text characters are not escaped when displayed to users, or excessive escaping is performed.
- In user interface, text similar to the one shown below is not correctly displayed: `'"></textarea><script>alert(1)</script>`; i.e., JavaScript code is executed instead of being displayed as text.
- Only `webasyst/` is always used as the path to Webasyst backend.
- URLs of files loaded on web pages from external resources use `http://` as the protocol name, which can affect the operation of a page opened via `https://`. The universal method of loading external files on web pages by using `//` notation must be used to avoid such errors.
- In website frontend, temporary messages like "Website is under maintenance" generated by your product are freely accessible to search engine crawlers for indexing, including the use of redirects.
- Debugging code left in product's source files.
- Large amount of code disregarding the architecture and programming interfaces provided by the framework.
- A plugin does not use its ID as the prefix for the following:
  - names of plugin's own database tables; the correct template for plugin's database table names is `[app]_[plugin]_***`; e.g., `shop_watermark_data`
  - names of plugin's own fields added to an app's existing database tables
  - names of plugin's own PHP session variables
  - names of plugin's own `cookie` variables
  - names of plugin's global JavaScript variables and functions, on the pages where plugin's code is executed next to the code of other plugins or its app.
- When a plugin is deleted, its file `uninstall.php` does not delete its own fields in an app's database tables, except for reasonable cases when deleting such fields can harm the app's normal operation.
- In plugin's configuration file `plugin.php`, non-existent methods of its main PHP class are specified.
- A system plugin of shipping, payment, or SMS type utilizes functions and classes of a certain app instead of being developed for use with any number of different apps designed to support those system plugins.
- In method `callbackHandler()` of a payment plugin there is no check for existence, positive length, and validity of a hash or signature sent by a payment gateway before updating order status by an app using the plugin.
- Plugin or app, when processing an event or in an HTML template helper, terminates the execution of a PHP script using `die()` function or other similar methods.
- Ability for a user to upload PHP or other similar files to the server which can be executed by requesting files at their URLs or in any other way.
What else should not be in a product update
- Database tables and fields in existing tables are created by other means than using meta updates.
- Repeated execution of code in meta updates files generates errors.
- Modified contents of file `db.php` without corresponding meta update files adding the new tables to the servers of users who already have the product installed.
- The new version does not contain files which were available in the previous version, and there are no meta update files removing those old files.
Critical defects in product's functionality and description
- Incomplete localization of the user interface.
- Non-intuitive user interface without a detailed description.
- Many grammar errors in the user interface or product description, including screen shots.
- Referral links in the user interface or product description.
- Critical errors in the product functioning.