3rd year presentation (part II)

3rd Year Project: Designing and implementing a secure portal for the department's alumni

Upload: lee-chadwick

Post on 15-Apr-2017

Page 1: 3rd year Presentation(PartII)

3rd Year Project

Designing and implementing a secure portal for the department's alumni

Page 2: 3rd year Presentation(PartII)

Introduction

Brief Introduction to software chosen to implement project and some alternatives

Work undertaken on aspect of project (main part of this presentation)

Brief discussion on security

Page 3: 3rd year Presentation(PartII)

What Software

Using a combination of:
– PHP (PHP: Hypertext Preprocessor)
– MySQL (relational database; SQL stands for Structured Query Language)
– Apache (web server)

Server-side scripting, the most common use of PHP, involves three parts:
– Web server
– Web browser
– PHP parser

Page 4: 3rd year Presentation(PartII)

PHP

Open source – free to use

Dynamic – allows dynamic web page creation, on the fly

Interactive – allows interaction with databases

Freedom to choose – web server and operating system

Page 5: 3rd year Presentation(PartII)

PHP

HTML-embedded web scripting language – the PHP code runs on the server and only the resulting HTML is sent to the browser, so users cannot view the source code of PHP pages (provided the web server is configured to pass .php files to the PHP parser; if it is not, the raw source is served instead)

Types of programming it offers:
– Procedural
– Object oriented
– (or a mixture of both)

Supports ODBC (Open Database Connectivity), the widely used standard API for talking to databases

Page 6: 3rd year Presentation(PartII)

PHP

Supports an extensive range of operating systems:
– Windows
– Linux
– Mac OS X
– RISC OS

Supports an extensive range of web servers (not browsers):
– Apache
– Microsoft Internet Information Server
– Personal Web Server
– Netscape

Page 7: 3rd year Presentation(PartII)

PHP

Supports talking to other services – LDAP, IMAP, SNMP, NNTP, POP3, HTTP, COM

Also supports – Java, XML, SAX, DOM

Not limited to outputting HTML – can output images, PDF files and even Flash movies

Page 8: 3rd year Presentation(PartII)

PHP

Supports an extensive range of databases:
– MySQL
– Oracle
– IBM DB2
– InterBase
– Sybase
– Unix dbm

Page 9: 3rd year Presentation(PartII)

PHP – supports extensive range of databases continued…

Adabas D, dBase, Empress, FilePro (read-only), Hyperwave, IBM DB2, Informix, Ingres, InterBase, FrontBase, mySQL, Direct MS-SQL, ODBC, Oracle (OCI7 and OCI8), Ovrimos, PostgreSQL, SQLite, Solid, Sybase, Velocis, Unix dbm

Page 10: 3rd year Presentation(PartII)

PHP

PHP can act as a CGI (Common Gateway Interface) program

– CGI is used to exchange data between a web server and a program

PHP has extensions for online payment systems:
– CyberCash
– CyberMUT
– VeriSign Payflow Pro
– MCVE

Page 11: 3rd year Presentation(PartII)

MySQL

Open source
– Free to use
– Can be tailored to your own needs
– One of the most widely used open-source relational databases

Stores data in separate, related tables rather than one flat store

Renowned for its:
– Speed
– Flexibility
– Reliability
– Ease of use
– Robustness

Simple yet powerful

Page 12: 3rd year Presentation(PartII)

Apache

Open source
– Free to use
– One of the most powerful and widely used web servers in use today

Security
– Supports SSL (Secure Sockets Layer), so login forms and session cookies can be served over HTTPS rather than in the clear

Supports an extensive range of operating systems, including:
– Windows
– Linux
– Mac OS X

Page 13: 3rd year Presentation(PartII)

Alternatives

Page 14: 3rd year Presentation(PartII)

Aspect of project being described today

Style and code repetition issues – what has been introduced to help here:
– CSS (Cascading Style Sheet)
– Header file

Page 15: 3rd year Presentation(PartII)

CSS – (Cascading Style Sheet)

CSS helps:
– separate content and structure from presentation and layout. Content can be changed independently of formatting because presentation and layout are handled by a separate CSS file (external CSS is used in this project)
– web designers create documents that load faster and that are easier to maintain and manage

Page 16: 3rd year Presentation(PartII)

CSS

CSS helps:
– reduce the need to put formatting into individual PHP files for tables, borders, images and text (paragraphs, h1, h2 etc.)
– provide a way to apply formatting and style to multiple files using one or more CSS files

Page 17: 3rd year Presentation(PartII)

CSS

CSS helps:
– reduce the risk of style and presentation errors introduced by programmers coding style and presentation into individual files with no real link to the other files on the website
– provide a way to apply the same formatting and style to multiple files using one or more CSS files

Page 18: 3rd year Presentation(PartII)

Header File

Header files help:
– remove the need to repeat code in various files for common features such as navigation bars, images, copyright notices, tables and borders
– Example: reduce the time spent copying/separating content and coding individual pages. There is no need to repeat the copyright notice in each PHP file; include it as a footer function in the header file and call it with one short line of code
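As an added illustration of the header-file pattern (example code written for this page, not one of the project's own files; the names header.php, portal.css, h(), page_header() and page_footer() are assumed), a shared header is also the natural place to centralise two things every page needs and none should have to remember: starting the session and escaping user-supplied text before it is echoed.

```php
<?php
// header.php -- added example of the shared header file; not the project's own file,
// and the names header.php, portal.css, h(), page_header() and page_footer() are assumed.
// Putting session_start() and the HTML-escaping helper here means every page that
// includes the header gets both without extra code.

if (session_status() === PHP_SESSION_NONE) {
    session_start();            // must run before any output, so it lives at the top
}

// h(): escape anything that came from a form or the database before echoing it.
// Usernames, news text and "memories" are user-supplied, so they must never be echoed raw.
function h($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// page_header(): the <head>, the external stylesheet and the navigation bar, emitted once per page.
// $links maps link text to URL, e.g. ['Home' => 'index.php', 'News' => 'viewnews.php'].
function page_header($title, array $links)
{
    echo "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">\n";
    echo "<link rel=\"stylesheet\" href=\"portal.css\">\n";      // external CSS, as in the project
    echo '<title>' . h($title) . "</title></head><body>\n<ul class=\"nav\">\n";
    foreach ($links as $label => $href) {
        echo '<li><a href="' . h($href) . '">' . h($label) . "</a></li>\n";
    }
    echo "</ul>\n";
}

// page_footer(): the copyright notice that would otherwise be pasted into every file.
function page_footer()
{
    echo '<p class="copyright">&copy; ' . date('Y') . " Department of Communication Systems</p>\n";
    echo "</body></html>\n";
}
```

A page then reduces to `require_once 'header.php'; page_header('Home', $links); ... page_footer();`, and any value it prints from the database goes through h() on the way out.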

Page 19: 3rd year Presentation(PartII)

Examples Home Page (Nick’s Version)

Page 20: 3rd year Presentation(PartII)

Examples Home Page (Lee’s Version)

Page 21: 3rd year Presentation(PartII)

Examples Administrator Login Page (Nick’s Version)

Page 22: 3rd year Presentation(PartII)

Examples Administrator Login Page (Lee’s Version)

Page 23: 3rd year Presentation(PartII)

Examples New Register Page (Nick’s Version)

Page 24: 3rd year Presentation(PartII)

Examples New Register Page (Lee’s Version)

Page 25: 3rd year Presentation(PartII)

Examples Registered Alumni User Login Page (Nick’s Version)

Page 26: 3rd year Presentation(PartII)

Examples Registered Alumni User Login Page (Lee’s Version)

Page 27: 3rd year Presentation(PartII)

Nick’s Version Explained

Home Page

New Register

Administrator Login

Alumni Login

Page 28: 3rd year Presentation(PartII)

Lee’s Version Explained

Home Page

New Register

Administrator Login

Alumni Login

Page 29: 3rd year Presentation(PartII)

Nick’s and Lee’s Versions Compared

Home Page Administrator Login New Register Alumni Login

Page 30: 3rd year Presentation(PartII)

Let’s compare coding costs - Example

Membernavigation.html (Nick’s Version): 12,107 characters (no spaces), 281 lines in Dreamweaver

Membernavigation.php (Lee’s Version): 2,472 characters (no spaces), 89 lines in Dreamweaver

Page 31: 3rd year Presentation(PartII)

Brief discussion on Security

PHP, mySQL, Apache

– Security on the mySQL and Apache servers being used in this project is controlled by the Department of Communication Systems

– I can help by writing more security-conscious code, both in PHP coding and in mySQL scripts

– Using a one-way hash to protect stored passwords: MD5 (Message Digest 5) has been implemented for the Alumni password; stronger algorithms may be considered for the Administrator password. Caveat: MD5 is a hash, not encryption, and an unsalted, fast hash gives little protection if the customer table leaks, because common passwords can be looked up or brute-forced from their digests. A salted, deliberately slow password hash (bcrypt, for example) is the stronger choice for both the alumni and the administrator passwords.

Page 32: 3rd year Presentation(PartII)

Brief discussion on Security

PHP, mySQL, Apache

– Learnt how to install mySQL and Apache servers on a standalone PC/server

– Learnt common ways in which you can make them more secure, for example setting global variables (the register_globals directive) to “off”

– Made use of sessions on all pages; login pages also check that both the username AND password are correct before opening the required session

Page 33: 3rd year Presentation(PartII)

Brief discussion on Security

PHP, mySQL, Apache

– Going to implement PEAR’s CAPTCHA package (in PHP). CAPTCHA technology helps distinguish between computer and human input (particularly useful for “New Register”)
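The server-side half of such a check, as an added example (written for this page; it is not the project's code and it is not PEAR's Text_CAPTCHA API, which takes care of drawing the image). What makes a CAPTCHA worth having is not the picture but the bookkeeping around it: the expected answer lives only in the session, is consumed on the first attempt, expires, and is compared without leaking timing. The 300-second lifetime is an assumed value.

```php
<?php
// Added example, not the project's code and not PEAR's API: the server-side
// bookkeeping for a CAPTCHA on the "New Register" form. PEAR's package renders the
// phrase as an image; this is what has to be true of the check behind it.
// Needs PHP >= 7 for random_int(). CAPTCHA_TTL is an assumed value.

const CAPTCHA_TTL = 300;   // seconds a challenge stays valid

// Issue a new challenge: store the phrase server-side and return it for the image renderer.
function captcha_issue(array &$session, $length = 6)
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';   // no 0/O or 1/I look-alikes
    $phrase = '';
    for ($i = 0; $i < $length; $i++) {
        $phrase .= $alphabet[random_int(0, strlen($alphabet) - 1)];   // CSPRNG, not rand()
    }
    $session['captcha'] = ['phrase' => $phrase, 'issued' => time()];
    return $phrase;   // hand this to the image generator, never to the HTML as text
}

// Check the submitted answer. Whatever the outcome, the challenge is consumed, so the
// same form cannot be resubmitted to guess the phrase or replay a solved one.
function captcha_check(array &$session, $answer, $now = null)
{
    $now = $now === null ? time() : $now;
    if (empty($session['captcha'])) {
        return false;                              // nothing was issued for this session
    }
    $challenge = $session['captcha'];
    unset($session['captcha']);                    // single use
    if ($now - $challenge['issued'] > CAPTCHA_TTL) {
        return false;                              // expired
    }
    $expected = strtoupper($challenge['phrase']);
    $given = strtoupper(trim((string) $answer));
    return hash_equals($expected, $given);         // constant-time comparison
}

// Demonstration with a plain array standing in for $_SESSION:
$session = [];
$phrase = captcha_issue($session);
captcha_check($session, strtolower($phrase));                  // right answer, case-insensitive
captcha_check($session, $phrase);                              // same answer again: already consumed
captcha_issue($session);
captcha_check($session, 'ABC123', time() + CAPTCHA_TTL + 1);   // a stale challenge is refused
```

In the real form, `$_SESSION` is passed where the demonstration passes `$session`; the caller issues a fresh challenge on every render of the registration page and only reads the other form fields once captcha_check() has returned true.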

Page 34: 3rd year Presentation(PartII)

Questions?

Please free to ask any questions either on material covered this morning or any other aspects related to the project

Views, feedback, suggestions would be much appreciated.

THANK YOU

Page 35: 3rd year Presentation(PartII)

3rd Year Project Part II

Designing and implementing a secure portal for the department's alumni

Page 36: 3rd year Presentation(PartII)

Introduction

Specification of Project: designing and implementing a secure portal for the Department's alumni. This will enable alumni to be kept updated, and to update us, on the latest developments, e.g. new courses, job moves and various career opportunities. There will also be an area for sharing documents, e.g. new courses, modules etc.

Page 37: 3rd year Presentation(PartII)

Introduction

The project involved many stages which included – Project Planning, Design of System, Project Execution, Evaluation and Testing.

This morning I will explain some of these key aspects

Page 38: 3rd year Presentation(PartII)

Project Planning

Page 39: 3rd year Presentation(PartII)

Work Breakdown Structure (WBS)

PORTAL Project
– Literature Search
  – Literature Survey
  – Literature Review
– Design PORTAL
  – Develop PORTAL Model
– Implement PORTAL
– Evaluate and Test PORTAL
– Project Report

Page 40: 3rd year Presentation(PartII)

GANTT Chart

Timeline: Aug 2006 to Jun 2007

ID | Task Name | Start | Finish | Duration
1 | Research Alumni needs and expectations | 20/07/2006 | 10/08/2006 | 16d
2 | Attain Department’s needs and expectations of an alumni portal | 08/08/2006 | 29/08/2006 | 16d
3 | Attain key and common features of various alumni implementations | 21/08/2006 | 01/09/2006 | 10d
4 | Review current implementation of departmental alumni web portal | 04/09/2006 | 13/10/2006 | 30d
5 | Carry out security investigation on PHP, MySQL, Apache | 04/10/2006 | 03/11/2006 | 23d
6 | Compare security of other programming languages | 20/10/2006 | 14/11/2006 | 18d
7 | Definition, Plan and Assessment Criteria | 20/07/2006 | 19/10/2006 | 66d
8 | Project Implementation | 15/09/2006 | 03/04/2007 | 143d
9 | Evaluation and Testing | 26/02/2007 | 01/05/2007 | 47d
10 | Project Report | 01/05/2007 | 14/06/2007 | 33d

Page 41: 3rd year Presentation(PartII)

Design of System

Page 42: 3rd year Presentation(PartII)

SQL Tables

create table memories (
  m_id int not null auto_increment,
  c_username varchar(32) not null,
  c_picture text not null,
  m_time varchar(32) not null,
  m_date varchar(32) not null,
  m_content text not null,
  primary key (m_id)
);

create table news (
  n_id int not null auto_increment,
  n_title text not null,
  n_date varchar(32) not null,
  n_time varchar(32) not null,
  n_picture_picture text not null,
  n_content_brief text not null,
  n_content_full text not null,
  n_entered_by varchar(32) not null,
  n_entered_for varchar(32) not null,
  n_status varchar(32) not null,
  primary key (n_id)
);

create table customer (
  cus_id int not null auto_increment,
  c_username varchar(32) not null,
  gender varchar(30) not null,
  DoB varchar(30) not null,
  c_nationality varchar(30) not null,
  gra_year varchar(30),
  e_mail varchar(50) not null,
  c_password varchar(32) not null,
  c_picture text not null,
  primary key (cus_id)
);

create table administrator (
  a_id int not null primary key auto_increment,
  a_username varchar(32) not null,
  a_password varchar(32),
  email varchar(40)
);

Three points a reviewer would raise about this schema: c_username and a_username carry no UNIQUE constraint, so two accounts can share a name and the login query simply takes the first row it finds; c_password and a_password are varchar(32), which fits exactly the 32 hex digits of an MD5 digest and nothing longer, so moving to a salted password hash means widening the column first; and dates and times are stored as formatted varchar(32) strings rather than DATE/TIME/DATETIME types, so they cannot be sorted or compared in SQL.

Page 43: 3rd year Presentation(PartII)

Entity Relationship Diagram (ER)

Page 44: 3rd year Presentation(PartII)

Relational Schema

Page 45: 3rd year Presentation(PartII)

Project Execution

Page 46: 3rd year Presentation(PartII)

Home Page

Page 47: 3rd year Presentation(PartII)

New Register (Alumni)

Page 48: 3rd year Presentation(PartII)

Login (Alumni)

Page 49: 3rd year Presentation(PartII)

Member Navigation (Alumni)

Page 50: 3rd year Presentation(PartII)

View/Add Memories (Alumni)

Page 51: 3rd year Presentation(PartII)

View Current News (Alumni)

Page 52: 3rd year Presentation(PartII)

View Archived News (Alumni)

Page 53: 3rd year Presentation(PartII)

Login (Administrator)

Page 54: 3rd year Presentation(PartII)

View Users (Administrator)

Page 55: 3rd year Presentation(PartII)

Insert News (Administrator)

Page 56: 3rd year Presentation(PartII)

Delete Memories (Administrator)

Page 57: 3rd year Presentation(PartII)

Delete User (Administrator)

Page 58: 3rd year Presentation(PartII)

Delete News (Administrator)

Page 59: 3rd year Presentation(PartII)

Memory Description Change (Administrator)

Page 60: 3rd year Presentation(PartII)

News Status Change (Administrator)

Page 61: 3rd year Presentation(PartII)

Logout (Administrator)

Page 62: 3rd year Presentation(PartII)

New Register Validation #1

Page 63: 3rd year Presentation(PartII)

New Register Validation #2

Page 64: 3rd year Presentation(PartII)

New Register MD5 Hashing (labelled “encryption” on the slide; MD5 is a one-way hash)

Page 65: 3rd year Presentation(PartII)

Other Coding Examples #1

administrator_change_memory_desc_insert.php

// mysql_* functions as on the slides (PHP 5; removed in PHP 7). The originals put both
// POST values straight into the query; the id is cast and the text escaped here.
$cvar = (int) $_POST['m_id'];
$cvar2 = mysql_real_escape_string($_POST['m_content']);
$sql = "update memories set m_content = '$cvar2' where m_id = '$cvar'";

administrator_change_news_status_insert.php

//db_conn();   // mysql_real_escape_string() needs an open connection, so db_conn() must have run
$cvar = (int) $_POST['n_id'];
$cvar2 = mysql_real_escape_string($_POST['n_status']);
$sql = "update news set n_status = '$cvar2' where n_id = '$cvar'";

Page 66: 3rd year Presentation(PartII)

Other Coding Examples #2

administrator_insertnews.php

$n_entered_by = $_SESSION['a_username'];   // the author comes from the admin session, not the form

$n_title = $_POST['n_title'];
$n_picture_picture = $_POST['n_picture_picture'];
$n_content_brief = $_POST['n_content_brief'];
$n_content_full = $_POST['n_content_full'];
$n_entered_for = $_POST['n_entered_for'];
$n_status = $_POST['n_status'];

$n_date = date('jS F Y');
$n_time = date('H:i');   // 24-hour clock; the original's 'h:i' drops am/pm and so records an ambiguous time

echo '<h4>' . $n_date . " " . $n_time . '</h4>';

db_conn();
// every value interpolated into the query must be escaped, not only the two content fields
$n_title = mysql_real_escape_string($n_title);
$n_picture_picture = mysql_real_escape_string($n_picture_picture);
$n_content_brief = mysql_real_escape_string($n_content_brief);
$n_content_full = mysql_real_escape_string($n_content_full);
$n_entered_for = mysql_real_escape_string($n_entered_for);
$n_status = mysql_real_escape_string($n_status);
$n_entered_by = mysql_real_escape_string($n_entered_by);

$query = "insert into news values (null,'$n_title','$n_date','$n_time','$n_picture_picture','$n_content_brief','$n_content_full','$n_entered_by','$n_entered_for','$n_status')";

Page 67: 3rd year Presentation(PartII)

Other Coding Examples #3

administrator_logout.php

unset($_SESSION['a_username']);
session_destroy();   // drops the server-side session data; the browser's cookie lingers until it expires

viewmemories.php

$username = mysql_real_escape_string($_SESSION['username']);   // a session value, but escaped all the same

$query2 = "select c_picture from customer where (c_username = '$username')";
$query2 = mysql_query($query2);
$query2 = mysql_result($query2, 0, 'c_picture');   // the picture path recorded at registration

$c_username = $username;
$c_picture = mysql_real_escape_string($_POST['c_picture']);   // originally interpolated unescaped; the value fetched above is the trustworthy source
$m_content = $_POST['m_content'];
$m_date = date('jS F Y');
$m_time = date('H:i');   // 24-hour clock, see administrator_insertnews.php
$m_content = mysql_real_escape_string($m_content);

$query = "insert into memories values (null,'$c_username','$c_picture','$m_time','$m_date','$m_content')";
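The administrator update and insert statements from the three slides above, rewritten as an added example (not the project's code) so that form input is validated and bound to placeholders instead of being pasted into the SQL text. It runs stand-alone on an in-memory SQLite database; with MySQL only the DSN changes. The column names are the project's, db_conn() is replaced by PDO, and the status values 'current' and 'archived' are assumed from the current/archived news pages.

```php
<?php
// Added example, not the project's code: administrator_insertnews.php,
// administrator_change_news_status_insert.php and
// administrator_change_memory_desc_insert.php with bound parameters and input
// validation. Stand-alone on in-memory SQLite; for MySQL only the DSN in connect()
// changes. The status vocabulary is assumed. Needs PHP >= 5.6 (array constants).

function connect()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Abridged news and memories tables. The posting time is one ISO-8601 column
    // instead of the date('jS F Y') and date('h:i') strings, so it sorts and compares.
    $db->exec('CREATE TABLE news (n_id INTEGER PRIMARY KEY AUTOINCREMENT,
        n_title TEXT NOT NULL, n_posted TEXT NOT NULL, n_content_brief TEXT NOT NULL,
        n_content_full TEXT NOT NULL, n_entered_by TEXT NOT NULL, n_status TEXT NOT NULL)');
    $db->exec('CREATE TABLE memories (m_id INTEGER PRIMARY KEY AUTOINCREMENT,
        c_username TEXT NOT NULL, m_content TEXT NOT NULL)');
    return $db;
}

const NEWS_STATUSES = ['current', 'archived'];   // fixed vocabulary: anything else is rejected

function field(array $post, $name)
{
    return isset($post[$name]) ? trim((string) $post[$name]) : '';
}

// administrator_insertnews.php: the admin name comes from the session, never the form.
function insert_news(PDO $db, $admin, array $post)
{
    $status = field($post, 'n_status');
    if (field($post, 'n_title') === '' || field($post, 'n_content_full') === ''
        || !in_array($status, NEWS_STATUSES, true)) {
        return 0;                                    // validation failed, nothing inserted
    }
    $stmt = $db->prepare('INSERT INTO news (n_title, n_posted, n_content_brief, n_content_full,
                          n_entered_by, n_status) VALUES (?, ?, ?, ?, ?, ?)');
    $stmt->execute([field($post, 'n_title'), date('Y-m-d H:i:s'), field($post, 'n_content_brief'),
                    field($post, 'n_content_full'), $admin, $status]);
    return (int) $db->lastInsertId();
}

// administrator_change_news_status_insert.php: the id is an integer, so cast it;
// rowCount() tells the caller whether that id existed at all.
function change_news_status(PDO $db, $n_id, $status)
{
    if (!in_array($status, NEWS_STATUSES, true)) {
        return 0;
    }
    $stmt = $db->prepare('UPDATE news SET n_status = ? WHERE n_id = ?');
    $stmt->execute([$status, (int) $n_id]);
    return $stmt->rowCount();
}

// administrator_change_memory_desc_insert.php: free text is bound, quotes and all.
function change_memory_desc(PDO $db, $m_id, $content)
{
    $stmt = $db->prepare('UPDATE memories SET m_content = ? WHERE m_id = ?');
    $stmt->execute([trim((string) $content), (int) $m_id]);
    return $stmt->rowCount();
}

// Demonstration with constructed form input (what $_POST would hold):
$db = connect();
$id = insert_news($db, 'admin', ['n_title' => 'New MSc module', 'n_content_brief' => 'Brief',
      'n_content_full' => "Full text with a ' quote", 'n_status' => 'current']);
change_news_status($db, $id, 'archived');                // ordinary update
change_news_status($db, "$id OR 1=1", 'archived');       // cast to int: only row $id is addressed
insert_news($db, 'admin', ['n_title' => 'x', 'n_content_full' => 'y',
      'n_status' => "current'; DROP TABLE news; --"]);   // not in the whitelist: rejected
```

The whitelist on n_status matters independently of injection: the views that list current and archived news select on that column, so a free-text status would silently hide an item from both.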

Page 68: 3rd year Presentation(PartII)

Other Coding Examples #4

users.php

<?php
session_start();   // needed before $_SESSION is read; not shown on the slide
if (!isset($_SESSION['username'])) {
    if (isset($_POST['username'])) {
        //check with DB
        $username = $_POST['username'];
        $password = $_POST['password'];
        $md5pass = md5($password);
        //$md5pass = ($password);
        db_conn();
        $username = mysql_real_escape_string($username);   // the original put the raw form value into the query
        $query = "select * from customer where c_username = '$username'";
        $result = mysql_query($query);
        if ($result) {
            $row = mysql_fetch_array($result);   // false when no such user
            //now check password matches
            // === rather than ==: with == PHP compares two numeric-looking strings as numbers,
            // so any two digests of the form 0e<digits> would compare equal
            if ($row && $md5pass === $row['c_password']) {
                // ... login succeeds (remainder of the slide not shown)
            }
        }
    }
}
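The "New Register" and users.php login checks rewritten as an added example (not the project's code) with a bound query and a salted, deliberately slow password hash in place of md5(): this is the hardened form of the MD5 slide, of the "username AND password" session check described in the security discussion, and of the direct-access authorisation checks listed under technical testing. It runs stand-alone on an in-memory SQLite database; with MySQL only the DSN changes. password_hash() needs PHP 5.5 or later, and login.php as the redirect target is an assumed page name.

```php
<?php
// Added example, not the project's code: registration and login with bcrypt via
// password_hash() and a PDO prepared statement. Stand-alone on in-memory SQLite;
// for MySQL only the DSN in connect() changes. login.php is an assumed page name.

function connect()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Abridged customer table. c_password is widened from varchar(32), which fits only
    // an MD5 hex digest, because a bcrypt hash is 60 characters; UNIQUE stops two alumni
    // registering the same name, so the login lookup is unambiguous.
    $db->exec('CREATE TABLE customer (cus_id INTEGER PRIMARY KEY AUTOINCREMENT,
        c_username VARCHAR(32) NOT NULL UNIQUE, c_password VARCHAR(255) NOT NULL)');
    return $db;
}

// New Register: validate server-side, then store a bcrypt hash (random salt, cost 12).
function register(PDO $db, $username, $password)
{
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) || strlen($password) < 8) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $db->prepare('INSERT INTO customer (c_username, c_password) VALUES (?, ?)');
    try {
        $stmt->execute([$username, $hash]);          // values are bound, never in the SQL text
    } catch (PDOException $e) {
        return false;                                // UNIQUE violation: username taken
    }
    return true;
}

// Login: username AND password checked in one place. An unknown username is verified
// against a dummy hash so both failures take the same time, and password_verify()
// compares in constant time (users.php used ==, which compares "0e..." digests numerically).
function login(PDO $db, $username, $password)
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => 12]);
    }
    $stmt = $db->prepare('SELECT c_password FROM customer WHERE c_username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = password_verify($password, $row ? $row['c_password'] : $dummy);
    return $row !== false && $ok;
}

// On success: a fresh session id, so an id planted before login (fixation) is useless.
function start_alumni_session($username)
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

// Direct-access guard: the first statement of every alumni-only page (viewmemories.php etc.).
function require_alumni_login()
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (empty($_SESSION['username'])) {
        header('Location: login.php', true, 302);
        exit;
    }
}

// Demonstration:
$db = connect();
register($db, 'alumnus1', 'correct horse battery');
login($db, 'alumnus1', 'correct horse battery');    // genuine credentials
login($db, 'alumnus1', 'wrong password');           // right name, wrong password
login($db, "x' OR '1'='1", 'anything');             // bound parameter: treated as a literal name
register($db, 'alumnus1', 'another password');      // duplicate username: rejected
```

Against the project's existing customer table the same code works once c_password is widened (255 is the length the password_hash() documentation recommends); existing MD5 rows can be migrated lazily by re-hashing on the user's next successful login.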

Page 69: 3rd year Presentation(PartII)

Evaluation & Testing

Page 70: 3rd year Presentation(PartII)

Testing – Usability Trials

Usability trials were carried out on both the alumni. There were 9 people who took part in all, with 5 of those being 3rd year students of the DCS.

Page 71: 3rd year Presentation(PartII)

Testing - Technical

Login – correct/incorrect username and password (all combinations, for both the Administrator and the Alumni pages)

Direct Access to pages – Authorisation checks on pages

Page 72: 3rd year Presentation(PartII)

Further Work - Suggestions

Using library card numbers and a password to register users could be a good idea for security; 3rd years could even be provided with their logins before they leave.

Email confirmation for registration could be used, so that a real user's email address has to be confirmed before they are given access rights as an alumni user on the system.
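One way to implement that e-mail confirmation step, added here as an example rather than taken from the project (sending the mail is left to the caller; the pending-confirmations table layout, the confirm.php page and the 24-hour lifetime are assumptions). The properties worth checking for are that the token in the link is unguessable, that only its hash is stored so a leaked table does not yield live links, that it expires, and that it works once.

```php
<?php
// Added example, not the project's code: issuing and redeeming an e-mail confirmation
// token for "New Register". Needs PHP >= 7 for random_bytes(). CONFIRM_TTL, the
// record layout and the confirm.php page are assumptions.

const CONFIRM_TTL = 86400;      // 24 hours

// Called after a successful registration: returns the token for the e-mail link and the
// record to store (hash + expiry). The token itself is never written to the database.
function confirmation_issue($username, $now = null)
{
    $now = $now === null ? time() : $now;
    $token = bin2hex(random_bytes(32));               // 256 bits from the CSPRNG, 64 hex chars
    $record = [
        'username'   => $username,
        'token_hash' => hash('sha256', $token),       // a leaked table does not leak live links
        'expires'    => $now + CONFIRM_TTL,
    ];
    return [$token, $record];
}

// Called by confirm.php?token=...: finds the record by hash, consumes it, checks expiry.
// Returns the username to activate, or null.
function confirmation_redeem(array &$pending, $token, $now = null)
{
    $now = $now === null ? time() : $now;
    if (!is_string($token) || strlen($token) !== 64 || !ctype_xdigit($token)) {
        return null;                                   // malformed: reject before touching storage
    }
    $lookup = hash('sha256', $token);
    foreach ($pending as $i => $record) {
        if (hash_equals($record['token_hash'], $lookup)) {
            unset($pending[$i]);                       // single use, even when expired
            return $record['expires'] >= $now ? $record['username'] : null;
        }
    }
    return null;                                       // unknown token
}

// Demonstration with an array standing in for the pending_confirmations table:
$pending = [];
list($token, $record) = confirmation_issue('alumnus1');
$pending[] = $record;
// the e-mail would carry https://portal.example/confirm.php?token=$token (assumed URL)
confirmation_redeem($pending, $token);                 // first visit: returns 'alumnus1'
confirmation_redeem($pending, $token);                 // second visit: the token is gone
confirmation_redeem($pending, str_repeat('0', 64));    // a guessed token matches nothing
```

Until confirmation_redeem() returns a username the account stays in the pending state and the login check treats it as non-existent; the library-card idea above slots in at the same point, as a second factor the registrant must present before the record is created.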

Page 73: 3rd year Presentation(PartII)

Further Work - Suggestions

Page 74: 3rd year Presentation(PartII)

Conclusion

The project worked well and met the majority of the aims with regard to the Definition of Project, Major Deliverables, Statement of Requirements and Critical Success Factors. Administrators can add, edit and delete data effectively and with ease.