3rd Year Project
Designing and implementing a secure portal for the department's alumni
Introduction
Brief Introduction to software chosen to implement project and some alternatives
Work undertaken on aspect of project (main part of this presentation)
Brief discussion on security
What Software
Using a combination of:
– PHP (PHP: Hypertext Preprocessor)
– MySQL (SQL relational database server)
– Apache (web server)
Server-side scripting is the most common use of PHP; it needs three things:
– Web server
– Web browser
– PHP parser
PHP
Open Source
– Free to use
Dynamic
– Allows dynamic web page creation, ‘on the fly’
Interactive
– Allows interaction with databases
Freedom to choose
– Web server
– Operating system
PHP
HTML-embedded web scripting language
– PHP code runs on the server and only its output (normally HTML) is sent to the browser; users see that output, never the PHP source of the page
Types of programming it offers:
– Procedural
– Object-oriented
– (or a mixture of both)
Supports ODBC (Open Database Connectivity)
– A widely implemented standard API for accessing databases
PHP
Supports an extensive range of operating systems
– Windows
– Linux
– Mac OS X
– RISC OS
Supports an extensive range of web servers
– Apache
– Microsoft Internet Information Server (IIS)
– Personal Web Server
– Netscape and iPlanet servers
PHP
Supports talking to other services
– LDAP, IMAP, SNMP, NNTP
– POP3, HTTP, COM
Also supports
– Java, XML, SAX, DOM
Not limited to outputting HTML
– Can output images, PDF files and even Flash movies
PHP
Supports an extensive range of databases, including:
– Adabas D
– dBase
– Direct MS-SQL
– Empress
– FilePro (read-only)
– FrontBase
– Hyperwave
– IBM DB2
– Informix
– Ingres
– InterBase
– MySQL
– ODBC
– Oracle (OCI7 and OCI8)
– Ovrimos
– PostgreSQL
– Solid
– SQLite
– Sybase
– Unix dbm
– Velocis
PHP
PHP can act as a CGI (Common Gateway Interface) program
– CGI is the interface used to exchange data between the web server and an external program
PHP has extensions for online payment systems
– Cybercash
– CyberMUT
– VeriSign Payflow Pro
– MCVE
MySQL
Open Source
– Free to use
– Can be tailored to your own needs
– One of the most widely used open-source relational databases
Stores data in tables, linked by keys, rather than in one huge area
Renowned for its
– Speed
– Flexibility
– Reliability
– Ease of use
– Robustness
Simple yet powerful
Apache
Open Source
– Free to use
– One of the most powerful and widely used web servers in use today
Security
– Supports SSL (Secure Sockets Layer) / TLS through mod_ssl, so logins and personal data can be served over HTTPS rather than in clear text
Supports an extensive range of operating systems, including:
– Windows
– Linux
– Mac OS X
Alternatives
Aspect of project being described today
Style and code repetition issues. What has been introduced to help here:
– CSS (Cascading Style Sheet)
– Header file
CSS – (Cascading Style Sheet)
CSS helps:
– separate content and structure from presentation and layout
Content can be changed independently of formatting because presentation and layout are handled by a separate CSS file. An external CSS file is used in this project.
– Web designers can create documents that load faster
– and that are easier to maintain and manage
CSS
CSS helps:
– Reduce the need to put formatting into individual PHP files for: tables, borders, images, text (paragraphs, h1, h2 etc.)
– Provides a way to apply formatting and style to multiple files using one or more CSS files.
CSS
CSS helps:
– Reduce the risk of style and presentation errors introduced by programmers coding style and presentation into individual files with no real link to the other files on the website
– Provides a way to apply the same formatting and style to multiple files using one or more CSS files.
Header File
Header files help:
– Remove the need to repeat code in various files for common features such as: navigation bars, images, copyright notices, tables, borders
– Example: reduce the time spent copying and separating content and code in individual pages. There is no need to repeat the copyright notice in each PHP file: write it once as a footer function in the header file and call it with one short line of code.
Examples Home Page (Nick’s Version)
Examples Home Page (Lee’s Version)
Examples Administrator Login Page (Nick’s Version)
Examples Administrator Login Page (Lee’s Version)
Examples New Register Page (Nick’s Version)
Examples New Register Page (Lee’s Version)
Examples Registered Alumni User Login Page (Nick’s Version)
Examples Registered Alumni User Login Page (Lee’s Version)
Nick’s Version Explained
Home Page
New Register
Administrator Login
Alumni Login
Lee’s Version Explained
Home Page
New Register
Administrator Login
Alumni Login
Nick’s and Lee’s Versions Compared
Home Page Administrator Login New Register Alumni Login
Let’s compare coding costs - Example

                        Membernavigation.html (Nick’s Version)   Membernavigation.php (Lee’s Version)
Characters (no spaces)  12,107                                   2,472
Lines in Dreamweaver    281                                      89
Brief discussion on Security
PHP, mySQL, Apache
– Security of the mySQL and Apache servers used in this project is controlled by the Department of Communication Systems
– I can help by writing more security-conscious code, both in the PHP pages and in the mySQL scripts
– Passwords are not stored in clear: the Alumni password is stored as an MD5 (Message Digest 5) hash. MD5 is a one-way hash rather than encryption, and an unsalted MD5 digest of a weak password can be recovered by dictionary or precomputed-table lookup, so a stronger, salted algorithm may be considered for the Administrator password.
Brief discussion on Security
PHP, mySQL, Apache
– Learnt how to install mySQL and Apache servers on a standalone PC/server
– Learnt common ways to make them more secure, for example setting register_globals to “Off” in php.ini so that request parameters are not turned into PHP variables automatically
– Made use of sessions on all pages; on the login pages both the username AND the password must be correct before the session for that area is established
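The register_globals point above is worth seeing in code. The following is an added example, not code from the project: it shows a check that register_globals = On silently breaks, the session-based check that is safe either way, and a start-up guard that refuses to run while the directive is on. The variable $authorised and the request admin.php?authorised=1 are assumptions for the illustration; the code uses PHP 7 syntax.

```php
<?php
// Added example, not code from the project. Illustrates why the slide's advice
// to set register_globals to Off matters and the coding pattern that is safe
// whichever way the directive is set. The variable $authorised and the request
// admin.php?authorised=1 are illustrative assumptions.

// With register_globals = On, a request for admin.php?authorised=1 makes PHP
// create $authorised = "1" in the global scope before any code runs, so this
// check passes with no login at all. The variable was only ever meant to be set
// after a password check, but nothing stops the client from setting it first.
function is_admin_unsafe(): bool
{
    global $authorised;            // may have been populated from the query string
    return !empty($authorised);
}

// Safe form: read authentication state only from $_SESSION, which the client
// cannot write to directly, never from a bare variable whose origin is unknown.
function is_admin_safe(): bool
{
    return isset($_SESSION['a_username']) && $_SESSION['a_username'] !== '';
}

// register_globals is PHP_INI_PERDIR, so ini_set() cannot switch it off from
// inside a script; it must be changed in php.ini (register_globals = Off) or
// per directory in .htaccess (php_flag register_globals off). PHP 5.4 removed
// the directive altogether; ini_get() then returns false, treated here as Off.
function register_globals_is_on(): bool
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Defence in depth: refuse to serve the page while the directive is still On.
if (register_globals_is_on()) {
    http_response_code(500);
    exit('register_globals must be Off');
}

session_start();

// Simulation of what register_globals = On would have done with ?authorised=1
// (constructed for the demonstration only; never copy this into real code).
$authorised = $_GET['authorised'] ?? null;

// The first check is attacker-controlled; the second is not.
var_dump(is_admin_unsafe(), is_admin_safe());
```

Run it as admin.php?authorised=1 with the directive off and the first check still passes, because the simulation line reproduces the old behaviour by hand; the session check only passes after a login page has written $_SESSION['a_username'].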
Brief discussion on Security
PHP, mySQL, Apache
– Going to implement PEAR’s CAPTCHA package (in PHP). A CAPTCHA helps distinguish human input from automated, scripted input, which is particularly useful on the “New Register” page
Questions?
Please feel free to ask any questions, either on the material covered this morning or on any other aspect of the project
Views, feedback, suggestions would be much appreciated.
THANK YOU
3rd Year Project Part II
Designing and implementing a secure portal for the department's alumni
Introduction
Specification of Project: Designing and implementing a secure portal for the Department’s alumni. This will enable alumni to be kept updated, and to update us, on the latest developments, e.g. new courses, job moves and career opportunities. There will also be an area for sharing documents, e.g. new courses, modules etc.
Introduction
The project involved many stages which included – Project Planning, Design of System, Project Execution, Evaluation and Testing.
This morning I will explain some of these key aspects
Project Planning
Work Breakdown Structure (WBS)
PORTAL Project
Literature Search
Project Report
Literature Survey
Literature Review
Design PORTAL
Implement PORTAL
Evaluate and Test PORTAL
Develop PORTAL Model
GANTT Chart
ID  Task Name                                                          Start       Finish      Duration
1   Research Alumni needs and expectations                             20/07/2006  10/08/2006  16d
2   Attain Department’s needs and expectations of an alumni portal     08/08/2006  29/08/2006  16d
3   Attain key and common features of various alumni implementations   21/08/2006  01/09/2006  10d
4   Review current implementation of departmental alumni web portal    04/09/2006  13/10/2006  30d
5   Carry out security investigation on PHP, MySQL, Apache             04/10/2006  03/11/2006  23d
6   Compare security of other programming languages                    20/10/2006  14/11/2006  18d
7   Definition, Plan and Assessment Criteria                           20/07/2006  19/10/2006  66d
8   Project Implementation                                             15/09/2006  03/04/2007  143d
9   Evaluation and Testing                                             26/02/2007  01/05/2007  47d
10  Project Report                                                     01/05/2007  14/06/2007  33d
(Chart timeline: Aug 2006 to Jun 2007; the bars themselves are not reproduced here.)
Design of System
SQL Tables
create table memories (m_id int not null auto_increment, c_username varchar (32) not null, c_picture text not null, m_time varchar (32) not null, m_date varchar (32) not null, m_content text not null, primary key(m_id));
create table news (n_id int not null auto_increment, n_title text not null, n_date varchar (32) not null, n_time varchar (32) not null, n_picture_picture text not null, n_content_brief text not null, n_content_full text not null, n_entered_by varchar(32) not null, n_entered_for varchar (32) not null, n_status varchar (32) not null, primary key (n_id));
create table customer (cus_id int not null auto_increment, c_username varchar (32) not null, gender varchar (30) not null, DoB varchar (30) not null, c_nationality varchar (30) not null, gra_year varchar (30), e_mail varchar (50) not null, c_password varchar (32) not null, c_picture text not null, primary key(cus_id));
create table administrator (a_id int not null primary key auto_increment, a_username varchar(32) not null, a_password varchar(32), email varchar(40));
Entity Relationship Diagram (ER)
Relational Schema
Project Execution
Home Page
New Register (Alumni)
Login (Alumni)
Member Navigation (Alumni)
View/Add Memories (Alumni)
View Current News (Alumni)
View Archived News (Alumni)
Login (Administrator)
View Users (Administrator)
Insert News (Administrator)
Delete Memories (Administrator)
Delete User (Administrator)
Delete News (Administrator)
Memory Description Change (Administrator)
News Status Change (Administrator)
Logout (Administrator)
New Register Validation #1
New Register Validation #2
New Register MD5 Password Hashing
Other Coding Examples #1
administrator_change_memory_desc_insert.php
    // Memory id and new description are taken straight from the POST body
    $cvar  = $_POST['m_id'];
    $cvar2 = $_POST['m_content'];
    // Neither value is escaped before being interpolated into the SQL string
    $sql = "update memories set m_content = '$cvar2' where m_id = '$cvar'";
administrator_change_news_status_insert.php
    //db_conn();
    $cvar  = $_POST['n_id'];
    $cvar2 = $_POST['n_status'];
    $sql = "update news set n_status = '$cvar2' where n_id = '$cvar'";
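Both update scripts above paste $_POST['m_id'] (or $_POST['n_id']) and the new value straight into the SQL string, so the request body can change the shape of the WHERE clause rather than just its value. The following added example, not code from the project, shows the interpolated form beside a hardened version of the memory update that validates the id as a positive integer and binds both values with a mysqli prepared statement. The mysqli connection details in the trailing comment are assumptions; the project's db_conn() wrapper is not used.

```php
<?php
// Added example, not code from the project. Re-implements the update in
// administrator_change_memory_desc_insert.php with bound parameters.

// The page's pattern: the id and the text are pasted into the SQL string.
function build_update_by_interpolation(string $cvar, string $cvar2): string
{
    return "update memories set m_content = '$cvar2' where m_id = '$cvar'";
}

// m_id is an auto_increment primary key, so anything that is not a positive
// integer is rejected before any SQL is built.
function validate_memory_id($m_id): int
{
    $id = filter_var($m_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('m_id must be a positive integer');
    }
    return $id;
}

// Hardened version: both values are bound, so they reach MySQL as data and can
// never alter the statement. Returns the number of rows changed (0 or 1).
function update_memory_content(mysqli $db, $m_id, string $m_content): int
{
    $id = validate_memory_id($m_id);
    $stmt = $db->prepare('UPDATE memories SET m_content = ? WHERE m_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('si', $m_content, $id);   // 's' = string, 'i' = integer
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $affected = $stmt->affected_rows;   // the WHERE clause cannot have been widened
    $stmt->close();
    return $affected;
}

// What an attacker gains from the interpolated form: with
//   m_id      = 1' OR '1'='1
//   m_content = vandalised
// the WHERE clause becomes  m_id = '1' OR '1'='1'  and every memory is rewritten.
$evil_id = "1' OR '1'='1";   // constructed attack input for the demonstration
echo build_update_by_interpolation($evil_id, 'vandalised'), "\n";

// The same input never reaches the hardened query; it is rejected up front.
try {
    validate_memory_id($evil_id);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Normal use from the admin script once a connection exists (credentials are
// assumptions for the example):
// $db = new mysqli('localhost', 'portal', 'portal-password', 'alumni');
// $rows = update_memory_content($db, $_POST['m_id'], $_POST['m_content']);
```

The same two changes (validate the key, bind the values) apply unchanged to administrator_change_news_status_insert.php; n_status should additionally be checked against the small set of statuses the portal actually uses, since it is free text from the form.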
Other Coding Examples #2
administrator_insertnews.php
    // The author's identity comes from the session, not from the form
    $n_entered_by = $_SESSION['a_username'];
    $n_title           = $_POST['n_title'];
    $n_picture_picture = $_POST['n_picture_picture'];
    $n_content_brief   = $_POST['n_content_brief'];
    $n_content_full    = $_POST['n_content_full'];
    $n_entered_for     = $_POST['n_entered_for'];
    $n_status          = $_POST['n_status'];
    // Timestamp the article server-side
    $n_date = date('jS F Y');
    $n_time = date('h:i');
    echo '<h4>' . $n_date . " " . $n_time . '</h4>';
    db_conn();
    // Only the two content fields are escaped; title, picture, entered_for and status are not
    $n_content_full  = mysql_real_escape_string($n_content_full);
    $n_content_brief = mysql_real_escape_string($n_content_brief);
    $query = "insert into news values (null,'$n_title','$n_date','$n_time','$n_picture_picture','$n_content_brief','$n_content_full','$_SESSION[a_username]','$n_entered_for','$n_status')";
Other Coding Examples #3
administrator_logout.php
    // Drop the administrator identity, then destroy the whole session
    unset($_SESSION['a_username']);
    session_destroy();
viewmemories.php
    $username = $_SESSION['username'];
    // Look up the stored picture of the logged-in alumnus
    $query2 = "select c_picture from customer where (c_username = '$username')";
    $query2 = mysql_query($query2);
    $query2 = mysql_result($query2, 0, 'c_picture');
    $c_username = $_SESSION['username'];
    $c_picture  = $_POST['c_picture'];
    $m_content  = $_POST['m_content'];
    $m_date = date('jS F Y');
    $m_time = date('h:i');
    // Only the memory text is escaped; c_picture from the form is not
    $m_content = mysql_real_escape_string($m_content);
    $query = "insert into memories values (null,'$c_username','$c_picture','$m_time','$m_date','$m_content')";
Other Coding Examples #4
users.php
    <?php
    if (!isset($_SESSION['username'])) {
        if (isset($_POST['username'])) {
            // check with DB
            $username = $_POST['username'];
            $password = $_POST['password'];
            $md5pass  = md5($password);
            //$md5pass = ($password);
            db_conn();
            $query  = "select * from customer where c_username = '$username'";
            $result = mysql_query($query);
            if ($result) {
                $row = mysql_fetch_array($result);
                // now check password matches
                if ($md5pass == $row['c_password']) {
                    // login succeeds; the remainder of the page is not shown on the slide
                }
            }
        }
    }
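The check above compares an unsalted md5() digest with == against c_password. Two things a reviewer would flag: an unsalted fast hash is cheap to reverse by dictionary or precomputed table, and PHP's loose == treats two hex strings that both parse as numbers in scientific notation (for example both starting 0e) as equal. The following added example, not code from the project, rewrites the alumni login (it also covers the "username AND password" requirement from the security slides) with password_hash()/password_verify(), a bound lookup query, a migration path for rows that still hold an MD5 digest, and session id regeneration on success. It assumes session_start() has already been called, that a mysqli handle is available, and that customer.c_password has been widened from VARCHAR(32) to VARCHAR(255) to hold a 60-character bcrypt string.

```php
<?php
// Added example, not code from the project. Replaces the md5()/"==" check in
// users.php with a salted, slow password hash and a parameterised lookup.
// Assumptions: session_start() has run, a mysqli handle exists, and
// customer.c_password is VARCHAR(255) rather than the project's VARCHAR(32).

// Used by "New Register": bcrypt with a fresh random salt; salt and cost are
// embedded in the returned string, so nothing else needs to be stored.
function hash_new_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// True only when a row exists for $username AND $password matches it.
function verify_alumni_login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT c_password FROM customer WHERE c_username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown user: spend the same time as a real check so the response
        // time does not reveal which usernames exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = hash_new_password('placeholder');
        }
        password_verify($password, $dummy);
        return false;
    }

    // Migration for rows still holding the project's unsalted MD5 digest:
    // accept the old digest once (compared in constant time), then replace it.
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $new = hash_new_password($password);
        $up = $db->prepare('UPDATE customer SET c_password = ? WHERE c_username = ?');
        if ($up !== false) {
            $up->bind_param('ss', $new, $username);
            $up->execute();
            $up->close();
        }
        return true;
    }

    // password_verify reads salt and cost from the stored string and compares
    // in constant time, unlike the loose "==" on two hex strings.
    return password_verify($password, $stored);
}

// Login handler: on success, issue a new session id so that a session id an
// attacker fixed before login is not promoted to an authenticated one.
function login_alumni(mysqli $db, string $username, string $password): bool
{
    if (!verify_alumni_login($db, $username, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    return true;
}

// Stand-alone check of the hashing itself (no database needed).
$h = hash_new_password('correct horse');
var_dump(password_verify('correct horse', $h), password_verify('wrong', $h));
```

The administrator login in L-shaped form is identical apart from the table and the session key (administrator / a_username), so the same two functions can serve both pages once the administrator.a_password column is widened as well.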
Evaluation & Testing
Testing – Usability Trials
Usability trials were carried out on both the alumni and administrator pages. 9 people took part in all, 5 of them 3rd year students of the Department of Communication Systems.
Testing - Technical
Login - correct/incorrect username and password (all combinations, for both the Administrator and the Alumni pages)
Direct Access to pages – Authorisation checks on pages
Further Work - Suggestions
Using library card numbers and password for security to register users could be a good idea, 3rd years could even be provided with their logins before they leave.
Email confirmation for registration could be used so that a real life users email address needs to be confirmed first before they can have access rights as an alumni user on the system.
Conclusion
The project worked well and met the majority of the aims in regards to Definition of Project, Major Deliverables, Statement of Requirements and Critical Success Factors. Administrators can effectively Add/Edit/Delete data with ease.