
TMA02 – TT284 – Parth Shah – E395923X

1a.

<?php
// This file holds the credentials to connect to the database.
if (!defined('ISITSAFETORUN')) {
    // Protection against the file being called directly: if it is, ISITSAFETORUN will not be defined
    die('This file does no useful work alone'); // and so this warning message will be issued
}
// If this point is reached, ISITSAFETORUN was defined and this file has been included from an appropriate place
$mydatabase = 'ps8974_db';
$username = 'ps8974';
$password = '83qinrS!*F?74hdH'; // Note that it is especially important for the password to be in single quotes
$hostname = 'localhost';
?>
tma02_mydatabase.php
1bi.

$mytitle = 'Erehwon Guest House ps8974';


Modified Line 5 in tma02_coreadmin.php
1bii.

tma02_coreadmin.php

body {
    font-family: Impact, Helvetica, sans-serif;
    background-color: #d7f2f6;
}

.showhide { /* button style */
    display: inline-block;
    background: palegreen;
}

.warn {
    background: palegreen;
}
tma02_.css

- Changed the font-family to Impact with “Helvetica” and “sans-serif” as fallback fonts.
- Changed the background colour to “palegreen”.
1biii.

<p>
<label for="bookingreference">Booking Reference: </label>
<input type="text" id="bookingreference" name="bookingreference" minlength="10" maxlength="10" onchange="fieldcheck(this.id)" required>
<span id="fbbookingreference"> </span>
</p>
tma02_form.php
1biv.

// test for booking reference (four letters, a hyphen, five digits; no spaces allowed)
if (id == "bookingreference") {
    pattern = /^[a-zA-Z]{4}-[0-9]{5}$/;
    failmessage = "Only valid booking numbers are permitted here";
}
tma02_.js – fieldcheck()

valid = valid && fieldcheck("bookingreference");


tma02_.js – validate()

[Screenshots: the booking reference field with a valid entry and with an invalid entry]
1ci.

$newtable ="TT284ps8974";
Modified Line 17 in tma02_create-a-table.php

bookingreference VARCHAR(10) NOT NULL UNIQUE,


Added a new column named “bookingreference” with length of 10 and added the “NOT
NULL” SQL statement, along with “UNIQUE” to ensure that the booking reference cannot
be empty and is uniquely identifiable – tma02_create-a-table.php
1cii.

$mytitle = 'Erehwon Guest House ps8974';


Modified Line 5 in tma02_coreadmin.php
1ciii.

$sql = "INSERT INTO $mytable (firstname, lastname, email, bookingreference) VALUES (?,?,?,?)";
Modified Line 23 in tma02_savedata.php
mysqli_stmt_bind_param($stmt, 'ssss', $webdata['firstname'], $webdata['lastname'], $webdata['email'], $webdata['bookingreference']);
Modified Line 28 – referenced the “bookingreference” field and added one extra ‘s’ for the new field. – tma02_savedata.php
1civ.

$sql = "SELECT id, firstname, lastname, email, bookingreference FROM $mytable"; // no user input
Modified Line 14 to include the “bookingreference” column
echo "<tr><td>id: " . $row["id"] . "</td><td>Firstname: " . htmlspecialchars($row["firstname"]) . "</td><td>Lastname: " . htmlspecialchars($row["lastname"]) . "</td><td> email= " . htmlspecialchars($row["email"]) . "</td><td>bookingreference = " . htmlspecialchars($row["bookingreference"]) . "</td></tr>";
Modified Line 20 to add the “bookingreference” column in the table.
1cv.
if (isset($webdata['bookingreference'])) {
    // Server-side check runs against the booking reference itself, not the lastname field
    if (!preg_match("/^((ACFT)|(ABQR)|(BXDE))-(1|2)[0-9]{4}$/", $webdata['bookingreference'])) {
        $formerror['bookingreference'] = '<span class="warn">Not valid on server: Booking reference must start with one of "ACFT-", "ABQR-", or "BXDE-". It must be followed by either 1 or 2, and then any other 4 digits.</span>';
        $valid = FALSE;
    }
}
Added this block of code in tma02_validatedata.php

<?php if (!$valid && isset($formerror["bookingreference"])) { echo $formerror["bookingreference"]; } ?>


Added this line in tma02_form.php next to the “bookingreference” input to show user the
error.

1d.

No errors.
Erehwon Guest House Website Report
INTRODUCTION
This report explains the concept of system architecture with examples of three different
architectures. It highlights the implemented security measures along with three potential
security features to consider.

ARCHITECTURE
“System Architecture” is a term which defines the overall structure of a system. A system
can be broken down into smaller, distinct segments which each serve their own purpose.
For example, a web application can be broken down into two segments – the client and the
server. The client side provides a user-interface, allowing users to make requests on the
website. These requests are passed to the server, which handles and processes each
request. This architecture is known as “two-tier architecture”.
Two-Tier Architecture
As the name describes, two-tier architecture consists of two parts – the client and the
server. The term ‘client’ covers the many user devices, whereas the server is a single
machine which handles the core functionality of the website. Many clients can connect to one
server. The server processes requests from different clients and returns each response to
the client that made the request.
A user should only be able to access things which are of use to them. They should not be
exposed to the website’s entire inner workings and database. The barrier between the client
and server prevents exactly this. The client requests something, the server then performs
validation, and the client receives precisely what they need.
Multi-Tier Architecture
Multi-Tier architecture enables the system to be broken down into more pieces. An
additional ‘middle tier’ or ‘middleware’ acts as a gateway between the client and the
database and prevents users from directly accessing the database.
For complex systems, this architecture could be beneficial because it makes the system
more modular and easier to manage. One section of the system could be changed without
heavily impacting the other sections.
Cloud Architecture
Cloud Architecture is highly configurable and extremely flexible if the web application
needs to scale. The cloud is an online pool of computing resources such as servers and
databases; resources like server memory and CPU can be chosen precisely and upgraded or
downgraded at any time. Cloud architecture is better suited to use-cases which provide an
online service, e.g. Netflix or Dropbox, as they rely heavily on computing resources for
processing files quickly and serving high-quality video content.

Verdict
With plans for 20 guest houses and 200 bedrooms, each house should have its own set of
databases, administration and user booking portals. Since users will make bookings and post
reviews, a Two-Tier architecture alone would not suffice. A multi-tier architecture
would allow the booking and review systems to be separate and enable greater
customisation for each guest house (the largest house could require a custom set of
functions or a separate database for bookings). A cloud-based architecture would not be a
good choice as the website does not require many computing resources. I would
recommend a Multi-Tier Architecture.

SECURITY
Current Security Implementations
Form Validation
The data from the form is validated on the client-side before submitting and also on the
server-side before updating the database. Using Regular Expressions, the validation
processes ensure that only valid inputs enter the database.

Prepared SQL Statements


An SQL Injection attack happens when the user enters SQL in an input field and it is combined
with the SQL statement used to process that input, so the user's text executes in the database.
To combat this, every database operation is done through prepared SQL statements. The SQL
text and the input data are sent to the database separately, so the database always knows
which part is the statement and which part is data.

Future Security Implementations


Storing Passwords
Account passwords should not be treated like other fields; they should be stored as a hash.
A one-way, irreversible function converts the user-entered password into a hash so that
nobody except the user knows the password.
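One way the future password storage could be implemented, as an added example rather than code from the TMA02 submission: it assumes an existing mysqli connection $conn and a hypothetical accounts table with columns email and passwordhash, and uses PHP's built-in password_hash() and password_verify() together with the prepared-statement style the site already uses.

```php
<?php
// Added example, not part of the submission. Assumes a mysqli connection $conn and a
// hypothetical table 'accounts' (email VARCHAR UNIQUE, passwordhash VARCHAR(255)).

function register_account(mysqli $conn, string $email, string $password): bool
{
    // PASSWORD_DEFAULT is currently bcrypt; a random salt is generated and embedded in the hash,
    // so the plaintext password is never written to the database.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Prepared statement, as elsewhere in the site: the data never mixes with the SQL text.
    $stmt = mysqli_prepare($conn, "INSERT INTO accounts (email, passwordhash) VALUES (?, ?)");
    mysqli_stmt_bind_param($stmt, 'ss', $email, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

function check_login(mysqli $conn, string $email, string $password): bool
{
    $stmt = mysqli_prepare($conn, "SELECT passwordhash FROM accounts WHERE email = ?");
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt); // true if a row was fetched, null if no such account
    mysqli_stmt_close($stmt);

    // password_verify() re-hashes the supplied password with the stored salt and compares;
    // the stored hash is never decrypted because it cannot be.
    if (!$found || !password_verify($password, $hash)) {
        return false;
    }

    // If the default algorithm or cost has changed since the hash was stored, upgrade it
    // transparently now that the plaintext is available for this one request.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newhash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = mysqli_prepare($conn, "UPDATE accounts SET passwordhash = ? WHERE email = ?");
        mysqli_stmt_bind_param($stmt, 'ss', $newhash, $email);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }
    return true;
}
```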
CSRF (Cross-Site Request Forgery)
A CSRF attack is when a malicious user sends a URL to a currently authenticated user. When
clicked, the URL automatically performs an action on the website using that user's session.
A CSRF attack can be prevented by setting the SameSite flag on cookies. A cookie with this
flag is only sent if the request originates from the same site. When the unsuspecting user
clicks on the URL, the request does not originate from the same site and the cookie is not
sent. (Cross-Site Request Forgery Attacks, 2020)
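The SameSite setting described above, as an added example rather than code from the submission: the weak default beside the hardened cookie parameters, using PHP's session_set_cookie_params() and setcookie() options arrays (PHP 7.3 or later); the cookie name guesthouse_pref is a made-up example.

```php
<?php
// Added example, not part of the submission. Must run before session_start() and before any output.

// Weak: with the defaults the session cookie carries no SameSite, Secure or HttpOnly attribute,
// so the browser attaches it to any request for this site, whichever site the request came from.
// session_start();

// Hardened: sent only over HTTPS, not readable from JavaScript, and withheld from cross-site
// requests. 'Lax' still sends the cookie on a top-level link click so normal navigation works;
// 'Strict' withholds it from every cross-site request, matching the description in the report.
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, removed when the browser closes
    'path'     => '/',
    'domain'   => '',     // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// The same options apply to any other cookie the site sets (hypothetical preference cookie).
setcookie('guesthouse_pref', 'ps8974', [
    'expires'  => time() + 60 * 60 * 24 * 30,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
```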

HTTPS
HTTPS is a secure version of HTTP. All traffic between the client and the server is encrypted,
so anyone intercepting it cannot read or alter it. To enable HTTPS, an SSL/TLS certificate is
needed.

CONCLUSION
As discussed, I believe the Multi-Tier architecture is best suited for the Erehwon Guest
House web application due to its complex needs. The three potential security problems are
worth considering, especially with the rise of cyber-attacks.

REFERENCES
Netsparker.com. 2020. Cross-Site Request Forgery Attacks. [online] Available at:
<https://www.netsparker.com/blog/web-security/csrf-cross-site-request-forgery/> [Accessed 26
January 2021].

Word Count (excluding references): 800 words.
