It is difficult to develop Web applications.

Source: Internet
Author: User
The bigger the system, the more problems it has. Some of them we have solved completely, and some we have worked around by combining several techniques. Here is a list of the main problems we have encountered, with a note on each:

1. Cross-browser layout: because of the small differences between browsers, laying out complex pages is hard.
My current project must support Firefox and IE, and because of some well-known IE bugs I occasionally step on a mine.

2. Date controls
How do you implement a date control that works across browsers, set its default value, and let the user jump directly to dates far in the past or future? How do you handle multi-region date formats?
I have used a lot of ready-made components such as http://www.mattkruse.com/javascript/calendarpopup/
but they all have problems of one kind or another.

3. Resolution
How do you support common resolutions such as 800*600 and 1024*1024? How do you adapt tables and layers?
Some customers prefer content centered, others left-aligned; some content is too wide; some ultra-wide content must stay inside its container, and some must overlap. Mixing all of these together is troublesome.

4. Preventing SQL injection attacks
Using placeholders (bound parameters) for every value basically solves this, although I am a little worried about the cost on the database side.

5. Preventing script attacks. Sometimes you have to allow some HTML or JavaScript on the page, for example to display multi-line text.
I know how to escape HTML, but I want some HTML to still work: for example, <br> should work so that multi-line text displays, while everything else should not.
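
One safe way to get exactly that behaviour, as an added example that is not part of the original post: escape everything first, then re-enable only the bare allowed tag, so an attribute-carrying `<br onclick=...>` or any other tag stays escaped. The allowed-tag set is an assumption for this example.

```python
import html
import re

# Tags allowed to survive escaping, with no attributes; "br" is the one the
# text asks for, the set itself is an assumption for this added example.
ALLOWED_BARE_TAGS = {"br"}


def render_limited_html(user_text: str) -> str:
    """Escape everything, then re-enable only bare, attribute-free allowed tags.

    html.escape neutralises every '<', '>', '&' and quote first, so the only
    way a real tag can reappear is through the pattern below, which matches
    '&lt;br&gt;' or '&lt;br /&gt;' and nothing more. A '<br onclick=...>'
    still carries its attribute text and therefore stays escaped.
    """
    escaped = html.escape(user_text, quote=True)
    for tag in ALLOWED_BARE_TAGS:
        bare_tag = re.compile(r"&lt;" + re.escape(tag) + r"\s*/?\s*&gt;",
                              re.IGNORECASE)
        escaped = bare_tag.sub("<" + tag + ">", escaped)
    return escaped


if __name__ == "__main__":
    # Constructed inputs: the multi-line text the page wants, and two attacks.
    for sample in ("line one<br>line two",
                   "<script>alert(1)</script>",
                   '<br onclick="steal()">'):
        print(render_limited_html(sample))
```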
6. Unauthorized page access
How do you implement security checks for every page, and how do you stop users from entering the system by copying a specific page address directly, including pages and JSP pages that have no link pointing to them? How do you control permissions, and what is the smallest unit of control?

It looks simple, but the problems come quickly.
Security checks per page: dynamic pages are generally URL + query string. The number of URLs is limited, but query strings usually carry an ID as a parameter, and there are many of those. So URL-based checks are sometimes not fine-grained enough, while if the query string is included, a configuration table can no longer be the basis for the check, because the number of query strings multiplied by the number of users (or roles) is astronomical.
And every system's security rules are different.

Further, you will find that if an operation is split into several steps, the pages for those steps must all require the same permission;
if the user lacks it, the user is thrown out midway.

If you refine the granularity further, so that some elements on a page can be seen or modified only by some users, does your head start to hurt?
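
The following is an added example, not code from the original post: a deny-by-default check that keeps the configuration table keyed by URL path only, and handles the record ID in the query string with one predicate per resource type instead of a row per (user, id) pair. The paths, roles and users are constructed for the example; the multi-step check addresses the "thrown out midway" problem described above.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set
    owned_orders: set = field(default_factory=set)


# Page-level ACL keyed by URL path only (constructed sample paths), so the
# configuration table stays small no matter how many record IDs exist.
PAGE_ACL = {
    "/order/view.jsp": {"clerk", "manager"},
    "/order/edit.jsp": {"manager"},
    "/report/monthly.jsp": {"manager"},
}


def may_touch_order(user: User, order_id: str) -> bool:
    """Object-level rule for the 'order_id' query parameter: one predicate per
    resource type replaces a configuration row per (user, id) pair."""
    return "manager" in user.roles or order_id in user.owned_orders


# Query-string parameter name -> predicate deciding access to that record.
OBJECT_RULES = {"order_id": may_touch_order}


def authorize(user: User, path: str, query: dict) -> bool:
    """Deny by default: a page missing from PAGE_ACL (an unlinked JSP reached
    by pasting its address) is closed, and any record named in the query
    string must pass its object-level rule as well."""
    allowed_roles = PAGE_ACL.get(path)
    if not allowed_roles or not (user.roles & allowed_roles):
        return False
    for param, value in query.items():
        rule = OBJECT_RULES.get(param)
        if rule is not None and not rule(user, value):
            return False
    return True


def authorize_flow(user: User, steps: list, query: dict) -> bool:
    """Check every step of a multi-step operation before the first one runs,
    so a user is never thrown out halfway through."""
    return all(authorize(user, step, query) for step in steps)
```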
7. Repeated submission
After an operation completes, the user right-clicks the page and chooses Refresh from the pop-up menu, which easily causes a repeated submission.
After an operation completes, the user repeats it with the browser's Back button, which easily causes a repeated submission.
The URL is not redirected, so refreshing the page submits again.
When a button's response is delayed, the user can click it again within a short period, which can cause a repeated submission.
Some users habitually double-click buttons, some have two buttons in the wrong place, some have a faulty mouse that turns a single click into a double-click; in every case the result is submitted repeatedly.

If these requests are not handled, the server processes all of them and produces wrong results.

The Struts token solves the problem, but users always complain to me: why can't I
use the browser's Back button to submit again? I have never run into this on other websites. How do I explain that?
Then you find that some operations can still be submitted repeatedly.
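
As an added example (not the original post's code, and not the Struts implementation itself), here is the synchronizer-token idea behind the Struts token, with an in-memory dict standing in for the HTTP session: the form page mints a one-time token, and the submit handler consumes it, so Refresh, Back-then-submit and double-clicks replay a token that is no longer pending.

```python
import secrets


def new_session() -> dict:
    """Stand-in for the HTTP session (constructed for this added example)."""
    return {"pending_tokens": set()}


def render_form(session: dict) -> str:
    """Run when the form page is generated: mint a one-time token, keep it in
    the session and return it so the page can embed it as a hidden field."""
    token = secrets.token_hex(16)
    session["pending_tokens"].add(token)
    return token


def handle_submit(session: dict, submitted_token: str, ledger: list) -> str:
    """Accept a POST only while its token is still pending, and consume it.

    Refresh, Back-then-submit and double-click all resend the same token, so
    only the first copy does work; later copies get a 409 and the ledger (our
    stand-in for the database) is not written twice. A missing or unknown
    token is treated the same as a duplicate. The token is removed before the
    work runs; in a real container this check-and-remove must be synchronised
    on the session so two parallel requests cannot both pass.
    """
    if submitted_token not in session["pending_tokens"]:
        return "409 duplicate or unknown submission"
    session["pending_tokens"].discard(submitted_token)
    ledger.append("order-created")
    # Post/Redirect/Get: answer with a redirect so that a Refresh of the
    # result page replays a harmless GET instead of this POST.
    return "303 /order/done"
```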

8. Locking resources such as records: this is an old, hard problem, and many things have been built for it.
If you search for keywords such as isolation level and dirty lock, you will find ways to solve it, but are you willing to bear the cost?
Development cost, performance cost, and availability cost.

9. Preventing the browser from remembering data, which is dangerous in some cases. Some browsers remember the data a user entered for each URL. For example, I modify some data and then for some reason refresh the page; meanwhile another user has modified the same data, but what I see in the browser is still the data I entered (the Refresh button does not show the new data either). If I save again, I believe I have not changed anything, but the data has been changed. This is worse when the page is generated dynamically by scripts.

It usually occurs in Firefox and some other browsers.

10. How do you prevent or detect users changing browser settings? For example, a user can disable scripting after opening the page.
Sometimes it is not even the user who disables scripts, but software, plug-ins, viruses, or even corporate policy that changes the user's settings.

11. Rollback. Anyone familiar with workflow knows this problem: how does an operation node return to the starting point, how does it return to the previous node, and how do you avoid hard-coding this? For example, if a page is shared by two operation flows, the security check becomes a problem; you have to think it through carefully.

12. Validation. How do you implement both client-side and server-side validation, with the client calling the server-side validation functions?
I am already using the Apache commons validator that comes with Struts, but I have had to modify many places.
For example, some hidden fields need validation, but commons validator issues a focus statement on the field, which causes an error.
That is a small bug; more troublesome is that some server-side validations cannot be implemented on the client, for example validwhen.
Another example: some validations need to query the database, so the validation I want should be called via Ajax.
Then validation is the same on the client and the server, but is client validation still necessary? We used client validation
because its response is fast and it does not burden the server. So I am confused again.

13. Preventing data forgery: how do you stop customers from submitting data to the server with special tools and techniques?
Everything the browser sends follows public standards. Hacker tools such as a sniffer can modify your data at will,
and there are browser plug-ins that can do the same. Even SSL only protects the transmission in between; you cannot control the client. Do you still think your hidden fields are safe? Do you still think your select only has the options you listed?
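
The defensive answer is to treat hidden fields and select values as untrusted and rebuild the result from server-side data. The following is an added example, not code from the original post; the catalogue, shipping options and field names are constructed for it.

```python
# Server-side source of truth (constructed catalogue for this added example).
CATALOGUE = {"book": 12.50, "pen": 1.20}
SHIPPING_OPTIONS = {"standard", "express"}


def build_order(form: dict) -> dict:
    """Rebuild an order from server data, never from what the browser sent.

    The hidden 'price' field and the 'shipping' <select> are both under the
    client's control, so the price is looked up again and the select value is
    checked against the server's own option list. Any deviation raises
    ValueError, so the caller can both refuse the request and log it as a
    tampering attempt.
    """
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("qty is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")
    shipping = form.get("shipping")
    if shipping not in SHIPPING_OPTIONS:
        raise ValueError("shipping option not offered")
    price = CATALOGUE[sku]
    # A client-supplied price that disagrees with the catalogue is tampering;
    # the catalogue value is used either way.
    if "price" in form and form["price"] != f"{price:.2f}":
        raise ValueError("price field tampered")
    return {"sku": sku, "qty": qty, "shipping": shipping,
            "total": round(price * qty, 2)}
```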

14. How do you track and locate errors and handle exceptions?
In a running system, how do you know which data produced a given error? The logs of many users are mixed together;
how do you organise them?
15. How do you pass large amounts of data between two operations, especially data that is not stored anywhere?
For example, paging state (filter conditions, sort column, page number) is generally not stored in the database, but in some cases it must be passed on to the next page; the session is not the final solution.
16. Resumable upload and download with security control.
I am afraid this needs something installed on the server, which is taboo for many enterprises.
17. Special handling in a distributed environment.
18. How do you improve development efficiency?
