
Module Learning Outcomes

Knowledge & Understanding:
Demonstrate an in-depth knowledge and critical understanding of secure, standards-compliant web applications that
interact with databases.
Intellectual / Professional skills & abilities:
1. Systematically analyse a web development problem
2. Apply key web accessibility, security, and web design principles to create an appropriate web application to
solve a problem, considering specified user requirements
3. Critically appraise web applications with reference to current security issues

Personal Values Attributes (Global / Cultural awareness, Ethics, Curiosity) (PVA):
4. Effectively communicate findings from a critical appraisal of web security issues in written form.

Assignment Overview
The assignment is divided into two components as follows:

Practical Web Solution (75%): Individual work - development of a dynamic web solution using HTML5 and PHP,
based on the case study given below. This activity assesses module learning outcomes 1, 2 & 3.

Critical Discussion (25%): Individual work - critical discussion of some issues relating to Website Development
and Deployment. This activity assesses module learning outcomes 4 and 5.

Website Development and Deployment
Assessment title: TipTop Music

1. General description
Assignment Case Study Scenario
You are a consultant working for a web development company who have been awarded the contract to design a
fresh, dynamic and interactive web site for ‘TipTop Music’, a retro music club and fanzine.
TipTop is owned and operated by an enthusiast (Jim Jones) who understands that the popularity of the club is due to
his focus on the music rather than purely business factors. As such, he wishes to replicate the community experience
of the paper magazine by including social networking concepts such as allowing customers to share each other’s
music reviews, and by structuring the site using the latest web design ideas.
Since TipTop stores valuable data, a secure system is both legally required and expected by club members.

This phase of the project requires you to develop a prototype database web system, which will implement only part
of the functionality that the final system will require. Refer to the following ‘Tasks’ section for details of the
prototype requirements.
The design team that you work with has already identified that, given the facilities provided by TipTop’s ISP
(Internet Service Provider), this project will need to be capable of connecting to a MySQL database management
system (DBMS) and will be developed using PHP as the server-side scripting language.
A SQL script file and sample queries for creating and populating the database tables will be given on Blackboard.

Component 1: Practical Web Solution (75%, Learning Outcomes 1, 2, & 3)

The web site should be compatible with the current version of XAMPP [1] and be portable. That is, you should not
assume that your assignment will start in the root folder of the web server. It is essential that clear indications are
given as to which source code file principally implements the required elements. This will be done by including a
page ‘features.txt’ that lists each element and the web page on which it is implemented. All data should be
appropriately validated and protected against SQL injection and stored cross-site scripting attacks.

Tasks
Using the above TipTop music case study, develop a web solution that includes the following:
Practical Web Solution
Design and create appropriate HTML5/PHP web pages (connecting to the underlying MySQL database) to
provide the following functionality:
 Create a home page (called index.html) located in the root of your web site (i.e. in the
http://localhost/KF7013/ directory), which contains the appropriate links to the other sections of your
web site, including the page containing your critical discussion. Note: depending on your design, this
page may purely act as a redirect to a PHP script. [Please include a footnote that states "This site is an
assignment for the XXX University module: Website Development and Deployment".]
Pages giving information about TipTop Music should be accessible to non-members without login
(for example, the home page and contact pages). You should make up reasonable English text so the
site looks realistic.
 The public should be able to see a list of music categories that are dynamically retrieved from the
database. When one of the music categories is selected, an appropriately formatted list of albums in
that category should be shown.
 Provide one logon form that will allow club members and system administrators to log onto and use
certain parts of the web site. Depending on whether the user logs on as a member or as an administrator,
display the page(s) relevant to that role's functionality.
 Club Member Functionality: If a user is logged on as a member, they should be able to:
o View a list of their own reviews and the dates they were created.
o Delete a review which they wrote.
o Add or edit a review that they contributed. (The changes must be recorded in the database,
using an UPDATE SQL query.)
 Administrator Functionality: A user logged on as a system administrator should be able to view a
page that lists all the members, in alphabetical order by surname. It will also display a summary of
their reviews.
The Administrator may create and delete club members. The form used to create a new member
should ensure that data are valid: for example, that a member's password has at least six characters,
with one or more numbers, and that house numbers are numeric. Data validity should be checked on the
client and indicated without screen refreshes.

[1] XAMPP: Apache + MariaDB + PHP + Perl. See: https://www.apachefriends.org/index.html
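The member review functions above hinge on two defences the brief calls for: every query is a prepared statement, and the UPDATE and DELETE are scoped to the member held in the PHP session, so a tampered review_id cannot reach another member's row. The following is an added example written for this brief, not code supplied with the assignment. It assumes a `review` table with columns review_id, member_id, review_text and created, a login handler that stores the member's id in $_SESSION['user_id'] and the string 'member' in $_SESSION['role'], and placeholder database credentials; the real schema comes from the SQL script on Blackboard.

```php
<?php
// Added example, not the brief's own code: a member views, edits and deletes
// their own reviews. Assumed schema: review(review_id, member_id, review_text,
// created). Assumed session keys: $_SESSION['user_id'], $_SESSION['role'].
declare(strict_types=1);
session_start();

if (($_SESSION['role'] ?? null) !== 'member') {
    header('Location: login.php');   // restricted page: members only
    exit;
}
$memberId = (int) $_SESSION['user_id'];

$db = new mysqli('localhost', 'tiptop', 'secret', 'tiptop'); // placeholder credentials
$db->set_charset('utf8mb4');

/** Encode a database value for HTML output so stored script renders as text. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reviewId = filter_input(INPUT_POST, 'review_id', FILTER_VALIDATE_INT);
    $action   = $_POST['action'] ?? '';
    $text     = trim((string) ($_POST['review_text'] ?? ''));

    if ($reviewId === false || $reviewId === null) {
        http_response_code(400);
        exit('Invalid review id.');
    }

    // Both statements are scoped to the member in the session: tampering with
    // review_id in the form cannot reach another member's review.
    if ($action === 'delete') {
        $stmt = $db->prepare('DELETE FROM review WHERE review_id = ? AND member_id = ?');
        $stmt->bind_param('ii', $reviewId, $memberId);
    } elseif ($action === 'update' && $text !== '' && mb_strlen($text) <= 2000) {
        // The brief requires edits to be recorded with an UPDATE query.
        $stmt = $db->prepare('UPDATE review SET review_text = ? WHERE review_id = ? AND member_id = ?');
        $stmt->bind_param('sii', $text, $reviewId, $memberId);
    } else {
        http_response_code(400);
        exit('Invalid request.');
    }
    $stmt->execute();
    // affected_rows is 0 when no row belongs to this member (or the text was
    // unchanged), so never report success in that case.
    $message = $stmt->affected_rows > 0 ? 'Saved.' : 'No matching review of yours was changed.';
    $stmt->close();
}

// List the member's own reviews with creation dates, newest first.
$stmt = $db->prepare('SELECT review_id, review_text, created FROM review WHERE member_id = ? ORDER BY created DESC');
$stmt->bind_param('i', $memberId);
$stmt->execute();
$reviews = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>My reviews</title></head>
<body>
<?php if ($message !== ''): ?><p><?= e($message) ?></p><?php endif; ?>
<?php foreach ($reviews as $r): ?>
<form method="post" action="">
  <input type="hidden" name="review_id" value="<?= (int) $r['review_id'] ?>">
  <p>Created: <?= e((string) $r['created']) ?></p>
  <textarea name="review_text"><?= e((string) $r['review_text']) ?></textarea>
  <button name="action" value="update">Save</button>
  <button name="action" value="delete">Delete</button>
</form>
<?php endforeach; ?>
</body>
</html>
```

The output-encoding helper is what turns a stored cross-site scripting payload into harmless text: a review containing `<script>` is saved verbatim by the prepared statement but rendered as literal characters by `htmlspecialchars`. Encoding is applied at output, not before storage, so the database keeps the member's actual text.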
Additional Requirements:
Your code must comply with the following requirements:
 HTML5 should be used on all web pages (NOT HTML4, XHTML, or similar).
 CSS should be used in order to separate style from content. <font> tags should not be used;
tables should only be used for tabular data.
 PHP must be used as the server-side scripting language.
 Web page content used should be dynamic (if the data is stored in the database, it should be
retrieved from there, not hard coded into the web page).
 Your code should be structured in such a way as to promote code re-use (for example, place
code that is used on more than one page in a separate file to be imported into all web pages that need it.
You should use PHP and JavaScript (jQuery) functions as appropriate).
 All images used on the web site must be stored in ./assets/images, stylesheets in
./assets/stylesheets and JavaScript in ./assets/scripts/, whilst PHP and HTML files should be
in ./content/.
 The database tables that are provided in the SQL script must be used. You are not permitted
to alter the data structure in any way, although you are expected to alter the data dynamically through
your application.
 The integrity of the data should be maintained at all times.
 Security issues as discussed in the module need to be addressed. That is, your application
should resist injection attacks and cross-site scripting. All forms should validate their client-side data
using either jQuery or JavaScript. ALL database queries must use prepared statements.
 The solution should be independent of the data, so that security data is retrieved from the
database, and not hard coded into the web pages.
 Any orphaned pages/scripts -- pages or scripts that are not linked to the main pages in any
way -- will not be marked (excludes index.html/index.php).
 PHP sessions should be used to provide application security. It should not be possible to
access restricted pages once the owner has logged out.
 Sensitive data such as passwords should be stored hashed (see Notes below), never in plain text.
 Use comments to reference code fragments (in any language) that you did not write yourself.
 Code that is program generated will NOT attract credit.
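The requirements above (client-side validation, prepared statements for every query, hashed passwords, session-based access control) come together in the administrator's "create member" form. The client-side jQuery check gives the instant feedback the brief asks for, but a client can submit the form without it, so the same rules must be enforced on the server. The following is an added example written for this brief, not code supplied with the assignment; it assumes `member` columns username, surname, house_number and password, placeholder database credentials, and a login handler that stores 'admin' in $_SESSION['role'].

```php
<?php
// Added example, not the brief's own code: server-side handling of the admin
// "create member" form. Assumed schema: member(username, surname, house_number,
// password). Assumed session key: $_SESSION['role'].
declare(strict_types=1);
session_start();

// Only an administrator may create members.
if (($_SESSION['role'] ?? null) !== 'admin') {
    http_response_code(403);
    exit('Administrators only.');
}

/**
 * Enforce the brief's validation rules on the server, mirroring the jQuery
 * check. Returns a list of error messages; an empty list means valid.
 */
function validate_member(string $username, string $surname, string $password, string $house): array
{
    $errors = [];
    if ($username === '' || mb_strlen($username) > 50) {
        $errors[] = 'Username is required (max 50 characters).';
    }
    if ($surname === '') {
        $errors[] = 'Surname is required.';
    }
    // At least six characters with one or more digits.
    if (mb_strlen($password) < 6 || preg_match('/\d/', $password) !== 1) {
        $errors[] = 'Password must be at least six characters and contain a number.';
    }
    // House number must be numeric (digits only).
    if (preg_match('/^\d+$/', $house) !== 1) {
        $errors[] = 'House number must be numeric.';
    }
    return $errors;
}

$username = trim((string) ($_POST['username'] ?? ''));
$surname  = trim((string) ($_POST['surname'] ?? ''));
$password = (string) ($_POST['password'] ?? '');
$house    = trim((string) ($_POST['house_number'] ?? ''));

$errors = validate_member($username, $surname, $password, $house);
if ($errors !== []) {
    http_response_code(400);
    foreach ($errors as $err) {
        // Encode on output even for our own messages, as a habit.
        echo '<p>' . htmlspecialchars($err, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
    }
    exit;
}

$db = new mysqli('localhost', 'tiptop', 'secret', 'tiptop'); // placeholder credentials
$db->set_charset('utf8mb4');

// The brief fixes a 40-character password column holding a SHA1 digest.
// password_hash() (bcrypt) would be the stronger choice, but its output is
// longer than 40 characters and the schema may not be altered.
$hash     = sha1($password);
$houseNum = (int) $house;

$stmt = $db->prepare(
    'INSERT INTO member (username, surname, house_number, password) VALUES (?, ?, ?, ?)'
);
$stmt->bind_param('ssis', $username, $surname, $houseNum, $hash);
// A duplicate username (unique key violation) is reported, not silently ignored.
if (!$stmt->execute()) {
    http_response_code(409);
    exit('Could not create member (username may already exist).');
}
$stmt->close();
header('Location: admin_members.php');
exit;
```

The ordering matters: validation runs before a database connection is opened, the role check runs before anything else, and user-supplied values only ever reach MySQL through bound parameters.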

Notes:
 During the login process, if the username entered by a user does not exist in the member table, check if it
exists in the admin table (i.e. the user logging in may be a system administrator instead of a club member)
before failing the login process.
 The password field is 40 characters wide, which is the length of a SHA1 hash encoded as hexadecimal. For
simplicity there is no password reset facility.
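The single logon form, the member-then-admin lookup order in the Notes, and the requirement that restricted pages become inaccessible after logout can be shown together. The following is an added example written for this brief, not code supplied with the assignment. It assumes that the `member` and `admin` tables each have a `username` column and a 40-character `password` column holding a SHA1 hex digest, that their key columns are member_id and admin_id, and placeholder database credentials; the session keys it sets (role, user_id) are this example's own choice.

```php
<?php
// Added example, not the brief's own code: one logon form for members and
// administrators. Assumed schema: member(member_id, username, password) and
// admin(admin_id, username, password), password = 40-char SHA1 hex digest.
declare(strict_types=1);
session_start();

$db = new mysqli('localhost', 'tiptop', 'secret', 'tiptop'); // placeholder credentials
$db->set_charset('utf8mb4');

/** Look a username up in one table; returns ['id' => ..., 'password' => ...] or null. */
function find_user(mysqli $db, string $table, string $idColumn, string $username): ?array
{
    // $table and $idColumn are fixed strings chosen by this script, never user
    // input, so they may be interpolated; the username is bound as a parameter.
    $stmt = $db->prepare("SELECT $idColumn AS id, password FROM $table WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** Place at the top of every restricted page (e.g. via a shared include). */
function require_role(string $role): void
{
    if (($_SESSION['role'] ?? null) !== $role) {
        header('Location: login.php');
        exit;
    }
}

/** For logout.php: destroy the session so restricted pages stop working. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');

    // As the Notes require: try the member table first, then the admin table.
    $role = 'member';
    $row  = find_user($db, 'member', 'member_id', $username);
    if ($row === null) {
        $role = 'admin';
        $row  = find_user($db, 'admin', 'admin_id', $username);
    }

    // hash_equals() compares in constant time. sha1() matches the 40-character
    // column the brief fixes; password_hash() would be stronger with a wider column.
    if ($row === null || !hash_equals((string) $row['password'], sha1($password))) {
        // One message for "no such user" and "wrong password" alike, so the
        // form does not reveal which usernames exist.
        $error = 'Invalid username or password.';
    } else {
        session_regenerate_id(true);          // fresh id on login: blocks session fixation
        $_SESSION['role']    = $role;
        $_SESSION['user_id'] = (int) $row['id'];
        header('Location: ' . ($role === 'admin' ? 'admin_members.php' : 'member_reviews.php'));
        exit;
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>TipTop Music - Log on</title>
<link rel="stylesheet" href="../assets/stylesheets/site.css"></head>
<body>
<?php if (isset($error)): ?>
<p class="error"><?= htmlspecialchars($error, ENT_QUOTES | ENT_HTML5, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="">
  <label>Username <input type="text" name="username" required></label>
  <label>Password <input type="password" name="password" required></label>
  <button type="submit">Log on</button>
</form>
</body>
</html>
```

A restricted page that calls `require_role('member')` (or `'admin'`) at its top keeps working only while the session carries that role; once `logout()` has run, the cookie is expired and the server-side session data is gone, so reloading the page redirects to the logon form rather than showing stale content.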

Critical Discussion
You are each required to create an HTML5 web page (name your web page using your user ID, e.g.
unn_w1534567.htm) that contains a critical discussion with the title "Injection flaws and cross site scripting".

Injection flaws and cross site scripting are amongst the most common web application security violations
(OWASP 2017). Given that, please address the following topics in your discussion:
 Using references, briefly describe Injection and Authentication Flaws
 Using code and text, as appropriate, critically review defences against cross-site scripting and SQL
injection in your application and suggest possible improvements with appropriate references.

References:
Stuttard, D. and Pinto, M. (2010) The Web Application Hacker's Handbook: Discovering and Exploiting
Security Flaws, 2nd ed. John Wiley & Sons.
OWASP (2017) OWASP Top 10 Application Security Risks - 2017. Available at:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project (accessed 25/08/2020).

This is meant to be a critical discussion and not just a description of things such as PHP. Your discussion should
not be limited to your practical system, but a discussion of the broader issues involved.

Your discussion should contain between 1000 and 1500 words and should be presented in the form of an HTML5
web page.

References must be used in order to strengthen any points that you raise in your discussion. Your discussion
must be in your own words and, where you have used someone else’s words (quotations), they should be
correctly quoted and referenced in accordance with the Harvard System. If you require guidance on citation,
please use the booklet ‘Cite Them Right’ available from the City Campus library. There are no marks for
literal quotes – please avoid them.

Marking Scheme
The following marking scheme will be used for this assignment:

Description | Marks
Practical Solution (75%) | (75)
  Logon functionality including authentication | 5
  Database connectivity | 5
  Member Web Functions | 15
  System Administrator Web Function | 15
  General page design/layout of the user interface and application of a CSS | 10
  Security Defences | 15
  Coding style and structure (i.e. comments, use of functions and classes, code re-use, variable naming,
  indentation, use of HTML5, CSS standards etc.) | 10
Critical Discussion (25%) | (25)
  Introduction, Conclusion and Criticality | 5
  Critical Assessment of Security Defences | 10
  Conclusion and Suggestions for Improvement | 5
  Referencing and references | 5

Total Marks Available: 100

Marking Criteria
Since the elements above are wide ranging, general criteria are given that are applied as a percentage to each
component of the portfolio. In the following, ‘writing’ is understood to apply both to coding and English.

Percentage | General Criteria

Fail
(0 – 29%): A very poor contribution showing little awareness of the subject area. Lack of clarity.
Communication of knowledge is either inarticulate and/or irrelevant. Website not dynamic, or not written
using HTML5, or does not use external stylesheets and scripts. Code fragments from the Internet may have
replaced student-written content to the extent that it is not possible to determine what the student has
understood.
(30 – 39%): Knowledge is limited or superficial. Some awareness of concepts and critical appreciation are
apparent, but there are major omissions or misunderstandings. Writing is not clear or coding is unstructured
and there is no argument or there are significant errors. Web pages do not contain links proving they have
been validated, or the site does not give correct solutions to any of the interface requirements.

(40 – 49%): Knowledge is barely adequate. Writing is fluent and coding functional, but mostly description
and/or assertion are used rather than argument or logical reasoning. Program may be unstructured. A basic
understanding of the key issues is demonstrated, but insufficient focus is evident in the work presented.

Pass
(50 – 59%): Knowledge base is up-to-date and relevant to an appropriate breadth and depth for level 7. The
student has demonstrated the ability to apply theory and concepts across domains and identify their
interrelationship. A critical appreciation is demonstrated, which is supported by appropriate references.
Writing and coding are clear and accessible if a little uneven.
(60 – 69%): As above, but there is clear evidence of independent thought and reasoned conclusions.
Literature is fully supported by citation using appropriate references and there is development of a critical
appreciation of opposing arguments. Programs will be fully object oriented and easy to follow. Presentation
of work is fluent, focused and accurate.
(70 – 100%): Exceptional scholarship is demonstrated. There is a sustained ability to confront the current
limits of knowledge in a relevant area, or applied ‘real world’ contexts where demands of theory and practice
may conflict. Argument is fluent, sustained, and convincing. Programming standards are professional and
the site is well secured. Clearly exceeds taught material.
