Annex II: Technical Requirements for the Development of Virtual Museum of Canada (VMC) Exhibits and Games, 3.1



Notes on Terminology

The following terms and definitions, as used in this document, are adapted directly from RFC 2119:

Must
This word indicates an absolute requirement.
Must not
This phrase indicates an absolute prohibition.
May
This word indicates an optional course of action that is neither required nor prohibited.
Should
This word indicates a recommended course of action that may in some circumstances be ignored, the full implications of which must be understood before implementing such a course of action.
Should not
This phrase indicates a course of action that is not recommended, but in some circumstances is permitted, the full implications of which must be understood before implementing such a course of action.

1.0 Markup, Presentation, and Scripting

Baseline Technologies

To ensure that the product's content will be available to the greatest number of visitors regardless of the technical configuration of their system or device:

XHTML 1.0 Strict

  • 1.1 The product must use XHTML 1.0 Strict for the semantic and structural markup of Web page content. The Frameset and Transitional variants of XHTML 1.0 must not be used.

    Note: It is important to understand the issues involved in serving XHTML as HTML (MIME type “text/html”) as opposed to XML (MIME type “application/xhtml+xml”). For more on these issues, see the W3C's document, XHTML Media Types, as well as the W3C tutorials, HTML on Handling character encodings in HTML and CSS, and Serving XHTML 1.0. Products that will not be hosted on CHIN's server may serve the product's pages as "application/xhtml+xml" to compatible user agents. However, CHIN's server sends all XHTML as “text/html.”

  • 1.2 The product and all of its XHTML pages, including markup generated or modified dynamically by client-side DOM scripts, must validate against the W3C-published Document Type Definition (DTD) for XHTML 1.0 Strict.

    Note: The W3C Markup Validation Service is available at http://validator.w3.org.

Cascading Style Sheets (CSS)
  • 1.3 Presentation and style (i.e., visual layout and design) must be applied through the use of valid Cascading Style Sheets (CSS).

    Note: CSS 1, CSS 2.1 and CSS 3, for which the W3C provides a validator, may be used. It is not required that every browser be provided the same CSS presentation of the product's content. In some cases, it may be preferable to not send any CSS at all to certain browsers, e.g., Netscape 4.x, Internet Explorer 4.x for Windows and 5.x for the Mac.

  • 1.4 CSS must be completely separate from page content and structure, and referenced as external files from within a page's head element. Inline or embedded styles must not be used.

    Note: CSS rules generated dynamically by client-side DOM scripts should not be written inline. Instead, class names should be dynamically added to the relevant XHTML elements, thus invoking the associated CSS rules contained in an external stylesheet.

Client-Side Scripts
  • 1.5 Client-side scripts must bind to the W3C DOM, and be compliant with ECMAScript, version 3 (ECMA-262).

    Note: The innerHTML property and XMLHttpRequest object are exceptions to the above rule and may be used.

  • 1.6 Client-side scripts must be unobtrusive, completely separate from page content and structure, and referenced as external files from within a page's head element. Inline or embedded client-side scripts must not be used.

    Note: Inline event handlers (e.g., onclick, onfocus) in the XHTML layer are prohibited. Event handlers must be dynamically written to the DOM using valid, unobtrusive DOM-scripting techniques.

    Note: In the case that a third-party script cannot easily be implemented unobtrusively, permission to use inline scripts or script elements must be requested from CHIN.

  • 1.7 Client-side scripts must test for and execute based on the user agent support for the critical DOM objects implemented in the scripts, as opposed to testing for user agent strings or otherwise “browser sniffing.”

Character Encoding

  • 1.8 Every product page must use and declare UTF-8 character encoding.

    Note: For a discussion of the issues with character encoding and serving XHTML documents, see the W3C tutorial, Character sets & encodings in HTML and CSS.

Secure Sockets Layer (SSL)

  • 1.9 The product must use the Secure Sockets Layer (SSL) protocol when users are required to input a username and password (i.e., log in), or when any personal information (including, but not limited to, name, address, age, email address, telephone number, and credit card number) is solicited from a user and to be stored by the product and kept for use by the institution responsible for the product.

    Note: It is not necessary to use SSL when gathering information through form-based email feedback, nor when soliciting a user's nickname only, for example, to store a high score in an online game.

  • 1.10 All hyperlinks on SSL pages to non-SSL pages must use absolute URLs.

2.0 Accessibility

W3C Web Content Accessibility Guidelines 2.0

To ensure that the product's core content and functionality are available to the greatest number of visitors:

  • 2.1 The product must conform to Level A and Level AA Success Criteria of the Web Content Accessibility Guidelines (WCAG) 2.0, with the exception of Success Criteria 1.2.4 regarding captions for live media, and 1.2.5 requiring audio descriptions.

    Note: In accordance with Level A Success Criteria 1.2.1, 1.2.2, and 1.2.3, audio-only clips must have text transcripts; video-only clips must either have a transcript or an audio track describing the important visual information; and synchronized multimedia clips must include synchronized captions as well as a full text transcript or audio description.

    Note: The product must additionally comply with the WCAG Priority 3 Checkpoint 2.2 where the contrast of text and background colours is concerned. Many tools are available to evaluate the colour difference and contrast, such as the Juicy Studio Luminosity Colour Contrast Ratio Analyser.

Progressive Enhancement

  • 2.2 Following the progressive enhancement approach to Web design, the first content format that a user encounters must be the most accessible, unless the user's system configuration is compatible with and prepared to accept content in more enhanced formats.

    Note: For example, in the case of an interview between two people, such content might be presented by default to all users as an accessible still image of the two individuals, accompanied by a full text transcript; while, in the case that a user's browser has JavaScript enabled and the Flash Player installed, the default image might be dynamically replaced by a captioned Flash video of the interview.

  • 2.3 The product's main version must be accessible; that is, the site's accessibility must not be accommodated through the provision of a secondary (e.g., text-only) version of the site.

Script Independence

  • 2.4 The product's core content and functionality must be available without client-side scripts.

    Note: Presentational or behavioural enhancements implemented solely through client-side scripts are permitted, but the product's core content and functionality must remain in the case that client-side scripts are disabled or not supported.

CSS Independence

  • 2.5 The product's core content and functionality must be available without Cascading Style Sheets (CSS).

3.0 Directories, Files, and URLs

File and Directory Structure

  • 3.1 Publicly available product files (e.g., XHTML, images, CSS, JavaScript) that are common to all language versions of the product must be placed in unique directories located in the product's top or root level directory, and must not be duplicated for each language version of the product.
  • 3.2 Directory browsing must be disabled.

File and Directory Names

  • 3.3 The names of publicly available files and directories must use only the following characters:
    • lower-case letters (i.e., a–z)
    • numbers (i.e., 0–9)
    • hyphen (-)
    • underscore (_)

    Note: The hyphen (-) is a reserved character that must not be used except as a separator between equivalent bilingual words, phrases or abbreviations, and the ISO-639-2 three-letter code. Hyphens occurring naturally in words or phrases must be omitted and the resulting space collapsed, e.g., “avant-garde” becomes “avantgarde.” Spaces occurring naturally in phrases must be replaced by an underscore character (_), e.g., “new events” becomes “new_events.”

  • 3.4 The names of directories whose contents are publicly available must comprise either
    • a French word, phrase or abbreviation, followed by a hyphen and an equivalent English word, phrase or abbreviation; or,
    • a single word or abbreviation that is the same in both languages

    Examples:

    • /histoire-history/
    • /images/
    • /contes_aborigenes-native_stories/
    • /ca-ns/
  • 3.5 The names of publicly available files must comprise either
    • a French word, phrase or abbreviation, followed by a hyphen and an equivalent English word, phrase or abbreviation, followed by a hyphen and the ISO-639-2 three-letter code (i.e., “fra” and “eng”) reflecting the linguistic version of the file; or,
    • a single word or abbreviation that is the same in both languages, followed by a hyphen and the ISO-639-2 three-letter code (i.e., "fra" and "eng") reflecting the linguistic version of the file.

    Examples:

    • index-fra.html
    • index-eng.html
    • entete-header-fra.swf
    • entete-header-eng.swf
    • logo-fra.jpg
    • logo-eng.jpg
    • liste_de_membres-members_list-fra.html
    • liste_de_membres-members_list-eng.html
    • lm-ml-fra.html
    • lm-ml-eng.html
  • 3.6 The names of publicly available files whose content is the same for both French and English versions of the product (e.g., certain images, media, JS and CSS files) must comprise either
    • a French word, phrase or abbreviation followed by a hyphen and an equivalent English word, phrase or abbreviation;
    • a single word or abbreviation that is the same in both languages; or,
    • a language-neutral numeric or alphanumeric string.

    Note: No three-letter language code is required for files whose content is the same in both official languages. Proprietary or third-party support files, e.g., "jquery-1.2.6.min.js", should not be modified according to the above naming conventions.

    Examples:

    • ferme-farm.jpg
    • artefact.jpg
    • aaD77980017.jpg
    • couleur-colour.css
    • deroulant-pulldown.js
    • intro.swf
  • 3.7 All of the product's static XHTML files must use the ".html" suffix, and must not use the ".htm" suffix.
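A checker for the naming rules in 3.3 to 3.7, added here as an example (it is not CHIN's code). It applies the character rule of 3.3 literally, treats the hyphen as the reserved separator described in the note under 3.3, and takes the list of exempt third-party files (note under 3.6) from the caller. The sample names at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not CHIN's code: checks a single public file or directory
// name against requirements 3.3 to 3.7. The caller supplies the list of
// third-party files that the note under 3.6 exempts from the convention.
function vmc_check_name($name, $isDirectory = false, array $thirdParty = array())
{
    $problems = array();

    // 3.6 note: proprietary or third-party support files keep their own names.
    if (!$isDirectory && in_array($name, $thirdParty, true)) {
        return $problems;
    }

    $base = $name;
    $ext  = '';
    if (!$isDirectory) {
        $dot = strrpos($name, '.');
        if ($dot === false || $dot === 0 || $dot === strlen($name) - 1) {
            $problems[] = 'file name needs a suffix';
        } else {
            $base = substr($name, 0, $dot);
            $ext  = substr($name, $dot + 1);
        }
    }

    // 3.3: only lower-case letters, digits, hyphen and underscore.
    if (!preg_match('/^[a-z0-9_-]+$/', $base) || ($ext !== '' && !preg_match('/^[a-z0-9]+$/', $ext))) {
        $problems[] = 'only a-z, 0-9, hyphen and underscore are allowed';
    }

    // 3.7: static XHTML files use ".html", never ".htm".
    if ($ext === 'htm') {
        $problems[] = 'use the ".html" suffix, not ".htm"';
    }

    // 3.3 note: the hyphen is reserved as the separator between the French
    // part, the English part and the language code, so it never appears
    // inside a word and the language code can only be the last segment.
    $parts = explode('-', $base);
    if (in_array('', $parts, true)) {
        $problems[] = 'a hyphen must separate two non-empty segments';
    }
    $hasLang   = in_array(end($parts), array('fra', 'eng'), true);
    $wordParts = $hasLang ? count($parts) - 1 : count($parts);

    if ($isDirectory) {
        // 3.4: "french-english" or one word shared by both languages, no code.
        if ($hasLang || $wordParts > 2) {
            $problems[] = 'directory must be "french-english" or a single shared word';
        }
    } elseif ($wordParts < 1 || $wordParts > 2) {
        // 3.5 and 3.6: "french-english" or a single word, optionally "-fra"/"-eng".
        $problems[] = 'file must be "french-english" or a single word, optionally followed by -fra or -eng';
    }
    return $problems;
}

// Constructed sample names: the first three and the exempt jQuery file pass;
// the capitalised name, the four-segment name and the ".htm" file are flagged.
$samples = array(
    'index-fra.html', 'liste_de_membres-members_list-eng.html', 'couleur-colour.css',
    'Logo-eng.jpg', 'lm-ml-xyz-fra.html', 'page.htm', 'jquery-1.2.6.min.js',
);
foreach ($samples as $file) {
    $problems = vmc_check_name($file, false, array('jquery-1.2.6.min.js'));
    echo $file, ': ', ($problems ? implode('; ', $problems) : 'ok'), "\n";
}
```

The check is structural only: a name such as "avant-garde-fra.html" has the right shape, so whether its first hyphen joins a French/English pair or sits inside one word is something only a reviewer can decide.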

URLs

Home Page URLs

  • 3.8 The URLs for the language-selection "splash" page and the unilingual home pages (see requirements 4.1 and 4.2) must not include any URL query string name/value parameters.

    Note: The file name of the splash page must be index.*, or default.*, for example, index.html, default.html, index.php, default.php.

Relative URLs

  • 3.9 All URLs for product pages and resources must be relative (i.e., not absolute), with the exception of URLs used in hyperlinks from SSL-secured pages to non-SSL-secured pages (see requirement 1.9).

4.0 Navigation, Layout and Design

Navigation

Language Navigation

  • 4.1 The default page at the product's root directory must act as the product's language-selection "splash" page and include a hyperlink to the unilingual home page for each language version of the product (see requirement 4.2).
  • 4.2 The product must include a unilingual home page for each language version of the product.
  • 4.3 Every product page must include a hyperlink to the product's other language version(s). This hyperlink must be visible without scrolling the page at a screen resolution of 1024 x 768 pixels, and direct the user to the same page in the other language.

Home Page Navigation

  • 4.4 Every product page must include a hyperlink to the unilingual home page in the relevant language.

Secondary/Pop-up Windows

  • 4.5 The product must not open links in new windows or tabs except for in the following situations:
    • Opening a page containing context-sensitive information (such as help instructions), or an alternate means of completing a form field (such as a calendar-based date picker), in the same window or tab will significantly disrupt a multi-step workflow (such as filling in and submitting a form).
    • Opening a page outside a secure session in the same window or tab will break or destroy the current secure session.

    Note: Users must be warned if a link will open in a new window or tab.

Product Title

  • 4.6 Every product page must include the product's main title as XHTML text to identify the page's content as part of the product.

    Note: Flash files or images may be used to replace the XHTML text version of the product's main title, but must not prevent assistive technologies from accessing the replaced text.

VMC Logo

  • 4.7 Every product page must display the VMC logo image in the page's top right-hand corner and without any image border.

    Note: CHIN will provide a copy of the VMC logo upon request. Different versions of the logo are available for greater compatibility with various visual designs.

  • 4.8 The VMC logo must be implemented using the following XHTML code to load and hyperlink the logo image:

    English

    <a href="http://www.museevirtuel-virtualmuseum.ca/index-eng.jsp"><img src="path/to/English/image" alt="Virtual Museum of Canada" /></a>

    French

    <a href="http://www.museevirtuel-virtualmuseum.ca/index-fra.jsp"><img src="path/to/French/image" alt="Musée virtuel du Canada" /></a>

    Note: Replace the src attribute in the code above with the correct filepath for the logo image used in the product.

  • 4.9 The VMC logo image must not form part of a client-side image map or CSS background-image without CHIN's express approval.

Copyright

  • 4.10 The product must include, in the form of a separate Web page for each language version, a "Copyright" page featuring a full copyright statement identifying all rights holders.
  • 4.11 The copyright symbol, ©, the copyright holder, and the year in which the product was launched, must appear on each product page and hyperlink to the full copyright statement (see requirement 4.10), for example:

    © Museum of History 2005. All Rights Reserved.

    Note: If the institution holding the copyright is officially bilingual, use the institution's English name in the English version of the product, and the institution's French name in the French version. If the institution is unilingual, use the same unilingual name in each language version.

Credits

  • 4.12 The product must have a "Credits" page to which there is a hyperlink from both the language selection "splash" page and each unilingual home page.
  • 4.13 The "Credits" page must acknowledge the financial participation of the Government of Canada as follows:

    English

    The [Name of Institution] gratefully acknowledges the financial investment by the Department of Canadian Heritage in the creation of this online presentation for the Virtual Museum of Canada.

    French

    Le [Nom de l'établissement] exprime sa reconnaissance au ministère du Patrimoine canadien pour son investissement financier dans la création de cette présentation en ligne dans le cadre du Musée virtuel du Canada.

  • 4.14 The "Credits" page must name and provide hyperlinks, if available, to all institutional partners involved with the product.

Feedback Mechanism

  • 4.15 Every product page must include a hyperlink to a simple XHTML form that allows for audience feedback. The feedback form must be configured to send an email both to the institution responsible for the product, and to CHIN (at vmccc@virtualmuseum.ca for the English version of the product, and mvccc@museevirtuel.ca for the French version), with a clear identification of the product in the subject line.

    Note: CHIN will provide, upon request, a customized URL to the VMC's feedback form that can be used for the product's feedback mechanism.

  • 4.16 The product's feedback mechanism must connect to CHIN's Anti-Spam API prior to sending feedback in order to verify that the feedback message being sent is not spam or from a questionable source.

    Note: Documentation for CHIN's Anti-Spam API will be provided to successful applicants. If the product uses the VMC feedback form, the functionality of CHIN's Anti-Spam API is included by default.

    Note: If the product is not hosted on CHIN's server, it must not connect to CHIN's Anti-Spam API. Only products that are hosted on CHIN's server must connect to CHIN's Anti-Spam API.

  • 4.17 Users must be advised that their feedback messages are also being forwarded to CHIN, and be provided with a hyperlink to the CHIN Privacy Policy (see the example below). Alternatively, information that identifies the user may be stripped from the feedback.

    English Message Example

    Your comments will also be forwarded to the Canadian Heritage Information Network (CHIN), which has overall responsibility for the Virtual Museum of Canada, to be used as part of its audience research. Please see the VMC Privacy Policy for more information.

    French Message Example

    Vos commentaires seront également acheminés au Réseau canadien d'information sur le patrimoine (RCIP), qui a la responsabilité globale du Musée virtuel du Canada. Ils seront utilisés à des fins de recherche sur le public. Veuillez consulter la Politique du MVC sur la protection des renseignements personnels pour de plus amples renseignements.

    VMC Privacy Policy URL - English

    http://www.museevirtuel-virtualmuseum.ca/avis_importants-important_notices-eng.jsp#pp

    VMC Privacy Policy URL - French

    http://www.museevirtuel-virtualmuseum.ca/avis_importants-important_notices-fra.jsp#pp

  • 4.18 Users must be advised of the privacy issues associated with sending feedback through email by being provided the following notice:

    English

    The Internet is a public forum and electronic information can be intercepted. For reasons of security and privacy, we ask that you not send us any personal or confidential information, such as your Social Insurance Number (SIN), home or business address.

    French

    Internet est un forum public et l'information électronique peut être interceptée. Pour des raisons de sécurité et de respect de la vie privée, nous vous demandons de ne pas nous faire parvenir de renseignements personnels ou confidentiels, tels votre numéro d'assurance sociale, l'adresse de votre domicile ou de votre bureau.

Sitemap

  • 4.19 The product must include, in the form of a separate Web page for each language version, a sitemap (i.e., a hierarchically organized or nested list of hyperlinks to all of the major sections and pages of the product at least two directory levels deep) that uses text hyperlinks, as opposed to graphical hyperlinks or buttons.

    Note: To increase the ability of search engines to properly index all product pages, it is strongly suggested that the product also implement an XML Sitemap.

  • 4.20 Every product page must include a text hyperlink to the sitemap in the appropriate language to help ensure that human users and search engines can find every page of the product.

title Element

  • 4.21 Every product page must include, within its head element, a title element containing a meaningful and keyword-rich title that is no more than 60 characters in length and unique to that page's content.

    Note: As the single most important page element from the perspective of search engine optimization (SEO), the title element's content should be written from most specific to least specific, with the unique page title coming first, and the product's main title last, e.g., "About Dr. Neville | Doctors in the North."

meta "description" Element

  • 4.22 Each unilingual home page must include within its head element a meta "description" element containing a meaningful and keyword-rich description that is no more than 150 characters in length and that describes the product's content as a whole.

    Note: If other product pages include a meta "description" element, it must be specific and unique to the page's content.

meta "keywords" Element

  • 4.23 Product pages may include within their head element a meta "keywords" element containing a list of keywords and keyphrases that must be specific and unique to the page's content. Three keywords/keyphrases are sufficient.

Banners, Headers and Footers

  • 4.24 The product must not use corporate- or institution-branded Web site navigational elements, such as banners, headers or footers, without CHIN's express approval.

Web Analytics

  • 4.25 Every product page must include a special JavaScript file and additional HTML (and Flash, if necessary) code to enable the collection of visitor statistics for the product.

    Note: CHIN will provide successful applicants with the product-specific JavaScript file and explicit directions for the implementation of the code to enable the collection of visitor statistics.

5.0 Content Types and Formats

Plug-ins and Specialized Software

If any product content requires a plug-in or specialized software in order to be viewed:

  • 5.1 A plug-in or specialized software capable of presenting the content must be freely available for all platforms (i.e., Windows, Mac, and Linux).

    Note: For example, since Windows Media Player 10 does not work natively on the Mac or Linux platforms, either additional directions to download an equivalent media player for Mac and Linux are provided, or the plug-in/specialized software indicated is compatible with all three platforms, e.g., VLC.

    Note: CHIN's Akamai audio streaming service is available only to products that are hosted on CHIN's server. If the product is not hosted on CHIN's server, it cannot make use of CHIN's audio streaming service.

  • 5.2 The content that requires a plug-in or specialized software must be accompanied by a text indication of its format, file type, and file size.
  • 5.3 A hyperlink to the source of a relevant plug-in or specialized software must be provided from each page on which a plug-in or specialized software is needed to access the content.

Text

  • 5.4 All text-based content must be presented primarily as text in XHTML 1.0 Strict.

    Note: While all text-based content must be displayed as XHTML, such content may additionally be developed in another format for viewing or printing with the use of plug-in software freely available for all platforms. An example of this type of format is Adobe's PDF, for which the Adobe PDF viewer, Adobe Reader, is available for all platforms.

Still Images

  • 5.5 All still-image graphics must be optimized and enhanced for the Web to reduce file size and download time:
    • Line-drawn graphics must use the GIF or PNG formats.
    • Photographs, high resolution, and continuous tone images must use the JPEG (24-bit) format.

    Note: Exemptions to this requirement may be granted by CHIN in certain situations where the use of proprietary solutions is needed to meet project objectives.

  • 5.6 All hyperlinks to image files greater than 100KB in size must be accompanied by a text indication of the file's size in order to alert users.
  • 5.7 Product pages must not initiate the download of full-size content image files unless the user has expressly requested it.

    Note: This requirement is intended to restrict the development of pages that include both image thumbnails and their associated full-size versions that are hidden via CSS until the user sets focus to the thumbnail. Such pages are usually very large, require more bandwidth, and force the user to download content in which they have not expressly signalled an interest.

Video/Moving Images

  • 5.8 Video files must not be larger than 4 MB in size.
  • 5.9 If a video file is prepared for delivery in a high-bandwidth environment, an alternate low-bandwidth version must also be prepared and provided to users.

    Note: Some streaming systems allow producers to prepare a single video file that can be played at various streaming speeds corresponding to multiple Internet access speeds. In cases where such systems are used, a single version of a video file is sufficient.

    Note: CHIN's Akamai video streaming service is available only to products that are hosted on CHIN's server. If the product is not hosted on CHIN's server, it cannot make use of CHIN's video streaming service.

    CHIN regularly contracts media streaming services from Akamai. If the product is to use video, it might be possible for it to use these services. For more information, contact CHIN.

  • 5.10 Video files that are loaded into a browser-embedded player must not start automatically, and the player must include controls for starting and stopping the video.
  • 5.11 Non-streaming video files that are loaded into a browser-embedded player must be accompanied by a direct hyperlink to the video file itself, enabling users to access it without having to rely on the browser-embedded player.
  • 5.12 All hyperlinks to streamed video files must be accompanied by a text indication of the streamed file's duration.
  • 5.13 Where a codec is used to compress video file content, the codec must be included in a standard platform or package, or be freely-available for installation by users. A hyperlink to the codec must be provided for users who need to download and install it.

Audio/Sound

  • 5.14 Audio files must not be larger than 4 MB in size.
  • 5.15 If an audio file is prepared for delivery in a high-bandwidth environment, an alternate low-bandwidth version must also be prepared and provided to users.

    Note: Some streaming systems allow producers to prepare a single audio file that can be played at various streaming speeds corresponding to multiple Internet access speeds. In cases where such systems are used, a single version of an audio file is sufficient.

    CHIN regularly contracts media streaming services from Akamai. If the product is to use audio, it might be possible for it to use these services. For more information, contact CHIN.

  • 5.16 Audio files that are loaded into a browser-embedded player must not start automatically, and the player must include controls for starting and stopping the audio.
  • 5.17 Non-streaming audio files that are loaded into a browser-embedded player must be accompanied by a direct hyperlink to the audio file itself, enabling users to access it without having to rely on the browser-embedded player.
  • 5.18 All hyperlinks to streamed audio files must be accompanied by a text indication of the streamed file's duration.
  • 5.19 Where a codec is used to compress audio file content, it must be included in a standard platform or package, or freely-available for installation by users. A hyperlink to the codec must be provided for users who need to download and install it.

Animations

  • 5.20 Animation (e.g., Flash animation) files must not be larger than 4 MB in size.
  • 5.21 All hyperlinks to animation (e.g., Flash animation) files greater than 100 KB must be accompanied by a text indication of the file's size.
  • 5.22 All animation (e.g., Flash animation) files greater than 25 KB must, while being downloaded to the client application (e.g., Flash Player), present a continually updating progress indicator (“preloader”) showing the degree to which the file has been downloaded.

6.0 Dublin Core (DC) Metadata

DC Metadata Elements

  • 6.1 The Title, Creator, Subject, Date, Identifier, and Language metadata elements from the Dublin Core Metadata Element Set, Version 1.1 must be included on the following pages:
    • the product's unilingual home pages;
    • the main page for every major section of the product; and,
    • pages featuring resources for which there is sufficient context and meaning and which are worth listing in a search engine.

    Note: DC metadata content for English pages or resources must be in English, while metadata content for French pages or resources must be in French.

Implementing DC Metadata

Unique Metadata

  • 6.3 Each page described by DC metadata must feature a unique set of metadata.

    Note: Copying and pasting the same metadata content is bad practice. No two Web pages should have the same Identifier, Title, or Subject.
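The following is an added example (not CHIN's code) of emitting the six Dublin Core elements required by 6.1 from a PHP page template, while also enforcing the title and description length limits of 4.21 and 4.22 and the uniqueness rule of 6.3. The requirements name the elements but not how they are encoded in XHTML; the `link rel="schema.DC"` plus `meta name="DC.*"` form used here is the DCMI convention for (X)HTML and is an assumption of the example, as is the use of the same string for the title element and DC Title. The mbstring extension is assumed for character counting, and the sample pages are constructed.

```php
<?php
// Added example, not CHIN's code: builds the head-level Dublin Core elements
// required by 6.1 and applies the limits of 4.21 (title <= 60 characters)
// and 4.22 (description <= 150 characters). The DC.* meta/link encoding is
// the DCMI convention for (X)HTML, assumed here; mbstring is assumed too.
function vmc_esc($s)
{
    // Attribute and element content is escaped so a quote or angle bracket in
    // the metadata cannot break the markup, which must still validate (1.2).
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function vmc_dc_head(array $page)
{
    $required = array('title', 'creator', 'subject', 'date', 'identifier', 'language');
    foreach ($required as $el) {
        if (!isset($page[$el]) || trim($page[$el]) === '') {
            throw new InvalidArgumentException("missing DC element: $el");
        }
    }
    // 6.1 note: metadata language follows the page language (fra or eng).
    if (!in_array($page['language'], array('fra', 'eng'), true)) {
        throw new InvalidArgumentException('language must be fra or eng');
    }
    // Lengths are counted in UTF-8 characters, as every page is UTF-8 (1.8).
    if (mb_strlen($page['title'], 'UTF-8') > 60) {
        throw new InvalidArgumentException('title longer than 60 characters (4.21)');
    }
    if (isset($page['description']) && mb_strlen($page['description'], 'UTF-8') > 150) {
        throw new InvalidArgumentException('description longer than 150 characters (4.22)');
    }

    $out  = '<link rel="schema.DC" href="http://purl.org/dc/elements/1.1/" />' . "\n";
    $out .= '<title>' . vmc_esc($page['title']) . '</title>' . "\n";
    foreach ($required as $el) {
        $out .= '<meta name="DC.' . $el . '" content="' . vmc_esc($page[$el]) . '" />' . "\n";
    }
    if (isset($page['description'])) {
        $out .= '<meta name="description" content="' . vmc_esc($page['description']) . '" />' . "\n";
    }
    return $out;
}

// 6.3: across the product, no two pages may share an Identifier, Title or Subject.
// Returns the duplicated "element:value" keys, or an empty array when all differ.
function vmc_dc_duplicates(array $pages)
{
    $seen  = array();
    $dupes = array();
    foreach ($pages as $p) {
        foreach (array('identifier', 'title', 'subject') as $el) {
            $key = $el . ':' . $p[$el];
            if (isset($seen[$key])) {
                $dupes[] = $key;
            }
            $seen[$key] = true;
        }
    }
    return $dupes;
}

// Constructed sample pages for one section of a hypothetical product.
$pages = array(
    array('title' => 'Histoire de la ferme | Ferme du Nord', 'creator' => 'Musée du Nord',
          'subject' => 'agriculture; histoire', 'date' => '2009-03-01',
          'identifier' => 'http://www.example.org/histoire-history/ferme-farm-fra.html',
          'language' => 'fra'),
    array('title' => 'Farm History | Northern Farm', 'creator' => 'Northern Museum',
          'subject' => 'agriculture; history', 'date' => '2009-03-01',
          'identifier' => 'http://www.example.org/histoire-history/ferme-farm-eng.html',
          'language' => 'eng', 'description' => 'How a "northern" farm was worked, 1900-1950.'),
);
echo vmc_dc_head($pages[1]);
var_dump(vmc_dc_duplicates($pages)); // empty array: nothing is shared between the two pages
```

Running `vmc_dc_duplicates` over every page's metadata as part of the build is a cheap way to catch the copy-and-paste problem the note under 6.3 warns about before the pages are published.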

7.0 CHIN Server and Database Technical Specifications

CHIN Server Environment

  • 7.1 Products that will be hosted on CHIN's server must be developed for and in accordance with the following environment specifications:

    Server

    • Linux - RHEL 5.3
    • Apache 2.2.11
    • Static XHTML pages must use the ".html" suffix.

    CGI and PERL

    • CGI scripts must use the ".cgi" suffix, and may be located anywhere in the product's directory structure.
    • PERL 5.8.8 is enabled.
    • Most standard PERL modules are available, for example, CGI, DBI.
    • PERL and CGI scripts must begin with the following "shebang" notation:

      #!/usr/local/bin/perl
      use strict;

    PHP

    • PHP 5.2.9 is enabled.
    • PHP scripts must use the ".php" suffix.
    • PHP scripts may be located anywhere in the project's directory structure.
    • The "register_globals" directive is set to OFF.
    • PHP access to MySQL is enabled.
    • PHP support for XML is enabled.
    • The addition of PHP extensions will be decided by CHIN on a case by case basis. If you are interested in using a particular PHP extension, enquire with CHIN.

    Server Side Includes (SSI)

    • Any XHTML page with the ".html" suffix and the execute bit set will be parsed for Server Side Includes (SSI).

    Database

    • MySQL 5.0.45
    • Direct access to the MySQL database management system (DBMS) will be granted by special permission only. In the case that permission is granted, access will be available through an SSH/command line interface.
    • The Department of Canadian Heritage network policy does not permit the use of graphical interfaces for connecting to the database server from outside of the departmental network.
    • For the creation of the database structure or the loading of table data, a MySQL-compliant SQL file may be sent to CHIN for loading onto the DBMS.

    Note: Products that will not be hosted on CHIN's server should be developed in accordance with the specifications for the CHIN server environment as the product may eventually be hosted on CHIN's server.

Script Validation

  • 7.2 If the product will be hosted on CHIN's server, PHP and PERL scripts must adhere to the following validation rules:
    • All parameters passed to scripts must be validated before they are used.
    • All local variables must be explicitly initialized before they are used.
    • Parameters that may only contain values from constrained sets must be validated to ensure that their values are within those constrained sets.
    • Parameters must be validated to ensure that their values are of the expected type. For example, if a parameter is to contain only numbers, the value passed must validate as numeric.
    • Parameters used as criteria for dynamically generated SQL statements must not contain unescaped apostrophes.
    • Included/required files must be validated to ensure that their file paths exist on the host server.
    • Included/required files must be validated to ensure that they are files.
    • All SQL queries built using data from HTTP requests (cookies, GET/PUT/POST) must be escaped.

    Note: See "CGI and PERL" and "PHP" under requirement 7.1 above for the latest versions of PERL and PHP in use on CHIN's server.

Database Design

Connection Strings

  • 7.3 All database connection strings must be abstracted from the product and stored only once within a file outside of the product's root directory in a location unavailable to the Web server.
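An added example (not CHIN's code) of a PHP 5.2 request handler that follows the validation rules of 7.2 and the connection-string rule of 7.3: each request parameter is checked against a constrained set or a numeric type rule before use, an include path is confirmed to exist, to be a regular file and to resolve inside the product's own include directory, and the database credentials are read from one file outside the web root. Every directory, table and field name is hypothetical; the PDO MySQL driver is assumed (the server specification only says that PHP access to MySQL is enabled); the requests at the bottom are constructed and exercise only the validators, so no database is needed to run them.

```php
<?php
// Added example, not CHIN's code: one way to meet the validation rules of 7.2
// and the connection-string rule of 7.3 in a PHP 5.2 request handler. Every
// path, table and field name is hypothetical, and the PDO MySQL driver is
// assumed (the requirements only say PHP access to MySQL is enabled).

// 7.3: credentials live in one file outside the web root. The file only does
//   return array('dsn' => 'mysql:host=localhost;dbname=prod', 'user' => '...', 'pass' => '...');
// The directory below is hypothetical.
define('VMC_PRIVATE_DIR', '/home/product/private');

function vmc_db()
{
    static $pdo = null;
    if ($pdo === null) {
        $cfg = include VMC_PRIVATE_DIR . '/db.php';
        $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass']);
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }
    return $pdo;
}

// 7.2: a parameter drawn from a constrained set; anything else becomes $default.
function vmc_param_enum(array $src, $key, array $allowed, $default)
{
    $v = isset($src[$key]) ? $src[$key] : $default;
    return in_array($v, $allowed, true) ? $v : $default;
}

// 7.2: a parameter that must be numeric and in range; null when it is not.
// ctype_digit rejects signs, spaces, decimals and (via is_string) arrays.
function vmc_param_int(array $src, $key, $min, $max)
{
    if (!isset($src[$key]) || !is_string($src[$key]) || !ctype_digit($src[$key])) {
        return null;
    }
    $n = (int) $src[$key];
    return ($n >= $min && $n <= $max) ? $n : null;
}

// 7.2: an included file must exist, be a regular file, and resolve inside the
// product's own include directory (realpath removes "../" and symlinks).
function vmc_safe_include_path($name, $baseDir)
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the include directory
    }
    return $path;
}

// A lookup by language and numeric id. The SQL uses bound placeholders, so
// request data never becomes part of the query text; that satisfies the
// "no unescaped apostrophes" and "must be escaped" rules of 7.2 without
// hand-written escaping. Names follow 7.6: database "prod", table
// prod_article with abbreviation "art", fields prefixed art_.
function vmc_find_article(array $src)
{
    $lang = vmc_param_enum($src, 'lang', array('fra', 'eng'), 'eng');
    $id   = vmc_param_int($src, 'id', 1, 999999);
    if ($id === null) {
        return null;
    }
    $stmt = vmc_db()->prepare(
        'SELECT art_title, art_body FROM prod_article WHERE art_id = :id AND art_lang = :lang'
    );
    $stmt->execute(array(':id' => $id, ':lang' => $lang));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests, run through the validators only (no database needed).
$requests = array(
    array('lang' => 'fra', 'id' => '42'),   // accepted as given
    array('lang' => 'de',  'id' => '42'),   // unknown language falls back to eng
    array('lang' => 'eng', 'id' => "42'"),  // contains an apostrophe: id rejected
    array('lang' => 'eng', 'id' => '-5'),   // signed: id rejected
);
foreach ($requests as $r) {
    $lang = vmc_param_enum($r, 'lang', array('fra', 'eng'), 'eng');
    $id   = vmc_param_int($r, 'id', 1, 999999);
    echo 'lang=', $lang, ' id=', var_export($id, true), "\n";
}
```

If a product still uses the older mysql_* functions instead of PDO, the equivalent of the bound placeholder is passing every request-derived value through mysql_real_escape_string on the open connection before it is concatenated into the query; the parameter checks above are applied first in either case.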

DBMS

  • 7.4 If the product employs a database and will be hosted on CHIN's server, the database must use the MySQL Database Server database management system (DBMS).

    Note: See "Database" under requirement 7.1 above for the latest version of MySQL in use on CHIN's server.

Normalization

  • 7.5 If the product employs a database and will be hosted on CHIN's server, logical data models must be in third normal form (3NF). That is, all attributes of a particular relational table must be functionally dependent on the entire primary key.

    Note: In the logical data model, a candidate key that consists of real attributes should be used for the primary key. An autoincrement, or other form of artificial key, may be used in the physical data model. Tables may be denormalized in physical data models for performance reasons, but these exceptions must be justified to CHIN with quantitative evidence, e.g., how much faster the denormalized structure is.

Naming Standards

  • 7.6 If the product employs a database and will be hosted on CHIN's server, the following database naming standards must be followed:
    • Databases must have both a descriptive name and a short abbreviation (max. 5 characters).
    • Tables must have both a descriptive name prefixed with the database abbreviation, and a short abbreviation (max. 5 characters).
    • Fields must have a descriptive name prefixed with their table abbreviation.
    • Views must have a descriptive name prefixed with their database abbreviation.
    • Index names must begin with a "U" for unique indices or "S" for non-unique indices, followed by the table abbreviation, followed by the name of each field that participates in the index.
    • Trigger names must begin with a "T", followed by a "B" (Before) or "A" (After) to indicate timing, followed by a "D" (Delete), "I" (Insert), or "U" (Update) to indicate the trigger event, and finally followed by the table name.

Data Dictionary

  • 7.7 If the product employs a database and will be hosted on CHIN's server, all database elements (database, table, field, index, view, trigger, etc.) must have a name, caption, and description. Fields must also have data type and default value information.

    Note: The description of views should include the view definition, and the description of triggers should include annotated source code.

  • 7.8 If the product employs a database and will be hosted on CHIN's server, any information that is stored in the database and that indicates product usage must have an associated timestamp value for tracking and verification purposes.
