�ݺ�ߣ

Best practice for
Magento Programming
Saturday 4th July 2020

2
S H A N K A R K O N A R
Magento developer - Elatebrain Pvt Ltd
@konarshankar7
@konarshankar07

3
S H A N K A R K O N A R - www.elatebrain.com

Key points
4
● Principles to write good coding
● Coding Best Practices
● Security Best Practices

5
Principles to write good coding
● S.O.L.I.D principle

SOLID is an acronym of five sets of principles that was coined by Robert C Martin aka
“Uncle Bob” in the year 2000 to write high cohesive, maintainable and extensible
software systems.
Following are the five concepts that make up SOLID principles:
Single Responsibility principle
Open/Closed principle
Liskov Substitution principle
Interface Segregation principle
Dependency Inversion principle.
6
S.O.L.I.D principle
> Principle of Good Programming...

Single Responsibility Principle:
7
“A class should only have a single responsibility, that is, only
changes to one part of the software's specification should be
able to affect the specification of the class.”
“

8
● The main purpose is to have a single responsibility for a
class/module
● The class or module should solve one and only one problem
So it should have a single reason to change
● SRP makes our code more cohesive hence making it easy to
test and maintain

9

Open–closed principle:
10
“
“Software entities ... should be open for extension, but closed for
modification.”

11
● Open Closed principle purpose that existed and well-tested
class should not be modified when a new feature needs to be
built
● It may introduce a new bug when we modify an existing class
to make a new feature
● Rather than changing an existing class/Interface, we should
extend that class/Interface in a new class to add new features

12

13

Liskov Substitution:
14
“
“Objects in a program should be replaceable with instances of
their subtypes without altering the correctness of that program”

15
● Liskov substitution principle is named after the name of
Barbara Liskov.
● Liskov substitution principle defines that objects of a
superclass shall be replaceable with objects of its subclasses
without breaking the application

16

Interface Segregation Principle:
17
“
“Many client-specific interfaces are better than one general-
purpose interface.”

18
● Interface Segregation principle (ISP) states that an interface
should not enforce unwanted methods to a class
● Instead of having a large interface (FAT interface) we should
have smaller interfaces
● ISP is intended to keep a system decoupled and thus easier to
refactor and change

19

Dependency Inversion Principle:
20
“
“One should "depend upon abstractions, [not] concretions.”

21
● Dependency Inversion principle (DIP) states that higher level
classes should not directly depend on lower level classes but
abstractions
● It means that a higher level class should not need to know the
implementation details of the low-level class, the low-level
class should be hidden behind an abstraction

22

23
Coding Best Practices
● Avoid using helper class
● Plugins Best Practices
● Use of View Model
● Use of VirtualTypes

Avoid using helper class:
● Helper classes are classes filled with static methods that do
not quite fit anywhere else.
● A helper class violates the single responsibility principle
because it is an attempt to solve multiple problems in a
single class
24
> Coding Best Practices...

Plugins Best Practices:
● Plugins should not be used within own module.
● Avoid using around method plugins when they are not
required
● Around Plugins increase stack traces and affect
performance
● The only use case for around method plugins is when
you need to terminate the execution of all further
plugins and original methods
25

Use of ViewModel:
● A viewModel is an abstraction of the view exposing
public properties.
● ViewModel allows you to offload features and business
logic from block classes into separate classes that are
easier to maintain, test, and reuse.
● ViewModel is used to inject functionality into template
files
26

27

Use of VirtualType:
● A virtual type allows you to change the arguments of a
specific injectable dependency and change the
behavior of a particular class.
● Virtual type allows you to use a customized class
without affecting other classes that have a dependency
on the original class.
28

29

30
Security Best Practices
● Implement HttpMethodActionInterface
● List of PHP functions to avoid
● Cross-site scripting (XSS) vulnerability

Implement HttpMethodActionInterface:
> Security Best Practices...
31
“
“To improve security and logistics we need to limit Actions to processing
only requests with certain HTTP methods and add those limitations to as
many existing Actions as possible. There are many vulnerabilities caused
by actions processing both GET and POST requests and thus allowing
bypassing security validations like form key validation. Also limiting actions
to processing only requests with certain methods would serve as self-
documentation for Action classes and improve consistency of server side
for client code and functional tests.”

In Http{Method}ActionInterface, {Method} can be replaced with ‘GET’, ‘POST’,
‘DELETE’ basic HTTP verbs
32
HTTP verbs Class Implementation
GET MagentoFrameworkAppActionHttpGetActionInterface
POST MagentoFrameworkAppActionHttpPostActionInterface
DELETE MagentoFrameworkAppActionHttpDeleteActionInterface

33

PHP functions to avoid:
The following is a list of PHP functions that are known to be vulnerable and
exploitable. Avoid using these functions in your code.
34
eval Using eval is considered bad practice
because of its ability to execute arbitrary
PHP code.
serialize/unserialize Attackers can create an exploit for these
functions by passing a string with a
serialized arbitrary object to the
unserialize function to run arbitrary code.

35
md5 The algorithm for this function is known
to have cryptographic weaknesses. You
should never use this function for
hashing passwords or any other sensitive
data.
mt_srand This function is a pseudo-random
number generator (PRNG) and is not
cryptographically secure.

Cross-site scripting (XSS) vulnerability:
● XSS vulnerability allows attackers to inject malicious
code/styles into a web page viewed by users
● XSS vulnerabilities can be prevented by validating and
sanitizing user input as well as sanitizing dynamic
values when rendering the view (HTML, mobile).
36

Case1: JSON inside an HTML attribute
The $escaper local variable is available inside the .phtml templates
Escaper method: escapeHtmlAttr
37

Case2: HTML tag content that should not contain HTML
Escaper method: escapeHtml
38

Case3: JavaScript string that must not contain JS/HTML
Escaper method: escapeJS
39

40
Q/A Session
Any
Questions?

41
Thanks!
@konarshankar7
@konarshankar07

�ݺ�ߣ

Best practice for magento programming by shankar konar

Convert to study guideBETA

More Related Content

Best practice for magento programming by shankar konar