ASSIGNMENT 02 – Week of Nov 16th

IDEAS
- SQL insert and update statements
- Programmer-defined functions in PHP
- PHP safe I/O functions:
  - mysql_real_escape_string: protects against SQL injection (the mysql_ extension was removed in PHP 7.0; on current PHP the equivalent is mysqli_real_escape_string, or better a prepared statement with bound parameters)
  - filter_input: validates and sanitizes incoming form data
  - htmlspecialchars: encodes output, which is the step that protects against XSS attacks
- HTML5 input elements/attributes, including sliders and output elements
- Hashing for secrecy
- Client-side JavaScript functionality
- More complex decision-making logic and file organization
- Bonus: using media queries
Legend for REGISTRATION form (form action="register.php")
Fields, with aligned labels: User name ("This will be your user name"), Password ("This will be your pwd"), Confirm pwd ("This confirms your pwd"), Full name, Email, Address (textarea), Cell, Major, a check box "Check for email copy", and a submit button. All fields are required. The page also carries a hyperlink to the statement page and hyperlinks to txt versions of the PHP files (not the DB account file).
Database and File Organization
YOUR DIRECTORY: register.html, register.php, grades.html, grades.php, retrieve.html, retrieve.php, account.php, myfunctions.php
MySQL DB: tables REGISTERED and GRADES
Each .html form triggers its .php script; the .php scripts are connected to the DB (via account.php) and include myfunctions.php.
How register.php works
1. Connect to the DB.
2. Include myfunctions.php (the file with the function definitions).
3. Get the form data; sanitize with mysql_real_escape_string (video 3B1) and filter_input.
4. Does the user or the email already exist in REGISTERED? Use Rnum to decide. Yes: exit with a message. No: continue.
5. Define and execute an SQL INSERT with the form data. Use NOW() for the insert datetime parameter and initialize numcourses.
6. Echo the input data from the form with htmlspecialchars.
7. Later: send mail to the user's email address (such as a mailinator address) if requested.
Programmer-defined functions to simplify programming. The following functions count certain rows in the REGISTERED and GRADES tables, which simplifies the logic of the PHP scripts for registration and grading.

Rnum( $user, $email ) - returns the number of rows in REGISTERED where either $user or the $email address occurs.
Gnum( $user, $course ) - returns the number of rows in GRADES where the user and course fields of a GRADES row match the $user and $course values on the grading form.

For programmer-defined functions see Video 6C [from 5:00 minutes into the video to the end] and the IT 202 Manual, pp.

Before you can execute these functions:
1. The register.php and grades.php scripts must be connected to the DB.
2. $user, $email and $course must be defined using $_GET and mysql_real_escape_string (and optionally filter_input) to make the data safe. Later: $A1, $A2 and $Partic must be defined, transformed with mysql_real_escape_string and validated as int by filter_input.
register.php uses the following functions (see pp. of the IT 202 manual on how to define, execute and include functions):

    function Rnum( $user, $email ) {
        // Detects whether $user or $email is already REGISTERED.
        // Both values must already have passed through mysql_real_escape_string,
        // and they must be single-quoted in the SQL: escaping only neutralises
        // quote and backslash characters, so an unquoted value stays injectable.
        $s1 = "select * from REGISTERED where user='$user' or email='$email'";
        $t1 = mysql_query($s1);
        return mysql_num_rows($t1);   // non-zero if $user or $email is in REGISTERED, else zero
    }

    function Gnum( $username, $course ) { … }

Gnum checks whether the user and course appear in the same row of GRADES; its code is slightly different from Rnum (the two conditions are combined with AND instead of OR). The main script register.php must be connected to the database when these functions are used, otherwise the mysql_ functions used in Rnum will not work.
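As an added example (not the course's own myfunctions.php), here is a version of Rnum and Gnum written with mysqli prepared statements instead of string interpolation plus mysql_real_escape_string. The mysql_ extension the slides use was removed in PHP 7.0, and binding parameters keeps the form values out of the SQL text entirely, so there is no escaping step to forget and no quoting mistake to make. Because mysqli has no implicit default connection, the connection is passed in as a mysqli object named $db (a hypothetical name); the column names user, email and course are assumed from the form legends.

```php
<?php
// myfunctions.php -- added example, not the course's own file.
// Assumes the calling script has opened a mysqli connection and passes it in
// as $db (hypothetical name). Table and column names (REGISTERED.user,
// REGISTERED.email, GRADES.user, GRADES.course) are assumed from the legends.
// With a prepared statement the SQL and the values travel separately, so
// $user and $email never become part of the SQL text and need no escaping.

// Rnum: number of REGISTERED rows whose user OR email matches.
// Pass "" for $email (as grades.php does) to check the user name alone.
function Rnum(mysqli $db, string $user, string $email = ""): int
{
    if ($email === "") {
        $stmt = $db->prepare("SELECT COUNT(*) FROM REGISTERED WHERE user = ?");
        $stmt->bind_param("s", $user);
    } else {
        $stmt = $db->prepare("SELECT COUNT(*) FROM REGISTERED WHERE user = ? OR email = ?");
        $stmt->bind_param("ss", $user, $email);
    }
    $stmt->execute();
    $stmt->bind_result($n);
    $stmt->fetch();
    $stmt->close();
    return (int) $n;   // non-zero if the user or the email is already registered
}

// Gnum: number of GRADES rows where user AND course match in the same row
// (AND rather than OR is the difference from Rnum).
function Gnum(mysqli $db, string $user, string $course): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM GRADES WHERE user = ? AND course = ?");
    $stmt->bind_param("ss", $user, $course);
    $stmt->execute();
    $stmt->bind_result($n);
    $stmt->fetch();
    $stmt->close();
    return (int) $n;
}
```

A calling script opens the connection first, for example `$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);` with the constants taken from account.php, then calls `Rnum($db, $user, $email)` or `Gnum($db, $user, $course)`. Enabling `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` before connecting turns a failed prepare or execute into an exception instead of a silent false.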
FEATURES - register.php and register.html

register.php, called by the form register.html, verifies that this is a new user:
- Sanitizes the form input using mysql_real_escape_string (and optionally the filter_input functions).
- Uses the programmer-defined function Rnum($username, $email) to verify that both the user name and the email address are new. The function definition is included from the file named myfunctions.php.
- If the user and email are new: applies an SQL INSERT with the form data to the REGISTERED table. The password is hashed with sha1 in the insert (the slides call this "encrypted"; sha1 is a hash, and an unsalted sha1 of a password is weak against lookup tables, so treat it as a course simplification). The numcourses attribute is set to 0. The registration time uses SQL's NOW() function.
- The registration data is echoed to the browser. The echo uses PHP's htmlspecialchars function to protect against XSS attacks. Echo the datetime with PHP's date function to avoid having to retrieve just to get the time.
- If the box is checked, register.php sends mail to the email address entered in register.html, with the registration data properly laid out, including the PHP datetime. Use mailinator addresses as the inputs.
- The register.html form uses JavaScript (with an onblur event on the 2nd required password field) to confirm that the passwords match: the JS erases the field's contents if the passwords differ, and since the field is required this erasure prevents form submission. This is a convenience for the user only; register.php must still check that the two passwords match, because a client can submit the form without running the script.

LINKS: Include hyperlinks to the page with your personal statement on the project and to text (txt) copies of the PHP files.

Also: Make a simple change to retrieve.html to handle the hashed user password so the retrieve code is compatible with REGISTERED's contents. This only affects the "Case 3" type of input, because that is the only place where the user password is retrieved.
register.php logic

The database must be connected before executing the user-defined functions, which use mysql_ functions. Data is accessed from the HTML form using $_GET and must be sanitized with mysql_real_escape_string. If the user or email already exists, die("message content") sends the message to the browser and terminates; otherwise the form data for the new user is inserted in REGISTERED.

1. Connect to the database.
2. Use include to incorporate the user functions from myfunctions.php.
3. Get and sanitize the form data with mysql_real_escape_string.
4. If Rnum($user, $email) != 0, display a message that the user or email is already in REGISTERED and exit (such as with die).
5. Otherwise, define and execute an SQL statement that inserts a new row in REGISTERED. Use the NOW() function for the datetime entry of the REGISTERED table. The insert looks like
   "insert into REGISTERED values ('$user', '$email', …, NOW(), …)"
   Every escaped string value must sit inside single quotes in the SQL text: mysql_real_escape_string only escapes quote and backslash characters, so a value interpolated without quotes is still injectable.
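The register.php procedure above, carried through as an added example (not the course's own register.php). It assumes a myfunctions.php that defines Rnum(mysqli $db, string $user, string $email) as a prepared-statement variant of the page's Rnum (hypothetical signature), an account.php that defines DB_HOST, DB_USER, DB_PASS and DB_NAME (hypothetical names), and REGISTERED columns user, pwd, email, fullname, address, cell, major, regtime and numcourses (assumed from the form legend). Two deliberate departures from the slides are marked in the comments: the form is read from POST so the password stays out of web-server logs and browser history, and the password is stored with password_hash rather than sha1, with retrieve.php then checking it via password_verify.

```php
<?php
// register.php -- added example, not the course's own file.
// Assumptions (hypothetical): account.php defines DB_HOST/DB_USER/DB_PASS/DB_NAME;
// myfunctions.php defines Rnum(mysqli $db, string $user, string $email): int
// using prepared statements; REGISTERED has the columns named in the INSERT.
require_once 'account.php';
require_once 'myfunctions.php';

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // exceptions, not silent false
$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$db->set_charset('utf8mb4');   // a charset mismatch between PHP and MySQL can defeat escaping

// The slides read the form with $_GET. This example uses POST so the password
// never appears in the URL (access logs, browser history, Referer headers).
// Change INPUT_POST to INPUT_GET if the form is left as method="get".
$user     = filter_input(INPUT_POST, 'user');
$email    = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);   // false if malformed
$pwd      = filter_input(INPUT_POST, 'pwd');
$pwd2     = filter_input(INPUT_POST, 'pwd2');
$fullname = filter_input(INPUT_POST, 'fullname');
$address  = filter_input(INPUT_POST, 'address');
$cell     = filter_input(INPUT_POST, 'cell');
$major    = filter_input(INPUT_POST, 'major');

// Server-side repeat of what the form's "required" attribute and the onblur
// JavaScript enforce: the client can be bypassed, so never rely on it alone.
foreach ([$user, $pwd, $pwd2, $fullname, $address, $cell, $major] as $field) {
    if ($field === null || $field === '') {
        die("All fields are required.");
    }
}
if ($email === false || $email === null) {
    die("A valid email address is required.");
}
if ($pwd !== $pwd2) {
    die("The two passwords do not match.");
}
if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $user)) {
    die("User name must be 3-32 letters, digits or underscores.");
}

// Does the user or the email already exist in REGISTERED?
if (Rnum($db, $user, $email) != 0) {
    die("That user name or email address is already REGISTERED.");
}

// The assignment stores SHA1($pwd). Unsalted SHA-1 of a password can be
// recovered from precomputed tables; password_hash() (bcrypt, salted, slow)
// is the drop-in replacement, and retrieve.php checks it with password_verify().
$hash = password_hash($pwd, PASSWORD_DEFAULT);

$stmt = $db->prepare(
    "INSERT INTO REGISTERED (user, pwd, email, fullname, address, cell, major, regtime, numcourses)
     VALUES (?, ?, ?, ?, ?, ?, ?, NOW(), 0)");
$stmt->bind_param("sssssss", $user, $hash, $email, $fullname, $address, $cell, $major);
$stmt->execute();
$stmt->close();

// Output encoding: a full name like <script>...</script> is rendered as text,
// not executed. Never echo the password or its hash.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$when = date('Y-m-d H:i:s');   // PHP datetime, so no retrieve is needed to show the time
echo "<p>Registered " . h($user) . " (" . h($fullname) . ", " . h($email) . ") at " . h($when) . "</p>";

// Optional mail copy. $email passed FILTER_VALIDATE_EMAIL, so it cannot carry
// the CR/LF characters that would allow mail header injection.
if (filter_input(INPUT_POST, 'sendcopy') !== null) {
    mail($email, "Registration", "User: $user\nFull name: $fullname\nRegistered: $when\n");
}
```

The checkbox field (sendcopy, a hypothetical name) is only present in the submitted data when it is checked, which is why its presence rather than its value is tested; the same pattern applies to the A1 and A2 boxes on the grades form.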
Legend for GRADES form (form action="grades.php")
Fields, with labels aligned as shown: Admin Password, User (the user whose grades are to be updated), Course (the course whose grades are to be updated): only these first 3 fields are required. A1 and A2: an HTML5 slider (0-50), a small read-only text field that displays the slider value, and a check box; PHP applies the slider and date values to the DB only if the box is checked. A1S and A2S: HTML5 date fields. Partic Pts: additive participation points. Only admin can change grades.
How grades.php works
1. Connect to the DB.
2. Include myfunctions.php.
3. Get the form data (e.g. from the sliders); sanitize with mysql_real_escape_string (video 3B1).
4. Is the user REGISTERED? If Rnum($user, "") == 0, exit with the message "User must be REGISTERED to be graded".
5. If Gnum($user, $course) == 0: insert an initial row for $user and $course with default entries (0 for grades, default values for dates, etc.) and update the user's entry in REGISTERED with Set numcourses = numcourses + 1.
6. Update grades, dates, etc.: if the A1 box is checked, the SQL UPDATE sets A1 and A1S. A1S should be empty if A1's checkbox is not checked, and A1S should be of type date on the form. Similarly for the rest of the inputs: Participation, etc.
7. Echo all input data from the grades.html form.

Typically only one grade is submitted at a time, so your PHP code must not affect a grade whose slider box is not checked.
grades.php - logic summary
1. Connect to the database; exit if the admin password is wrong.
2. Get the grades.html data and sanitize it with mysql_real_escape_string.
3. if ( Rnum( $user, "") == 0 ) { send a message saying the user must be registered before grading, then exit; }
4. if ( Gnum( $user, $course ) == 0 ) { insert an initial GRADES row for the $user, $course pair with zero or default values for the other fields; }
5. if (A1 box checked) update (don't insert) A1 and A1S using an SQL UPDATE for that user/course.
6. if (A2 box checked) update (don't insert) A2 and A2S using an SQL UPDATE for that user/course.
7. if ($Partic != "") update Partic by adding the form value $Partic to the DB value Partic for that user/course.
8. Update Total by adding A1, A2 and Partic.
9. Update Percent: Update GRADES Set Percent = 100*Total / 150 for that user/course only.
grades.php logic - another summary
Connect to the database. Get and check the administrator password and exit if it is wrong. Otherwise:
- Get the grades.html data and clean it with mysql_real_escape_string.
- if ( Rnum( $username, $email = "" ) == 0 ) send a message to the browser that the user must be registered before getting grades, then exit.
- if ( Gnum( $username, $course ) == 0 ) add an initial row to GRADES for the $username, $course pair, with zero or suitable default values for the other fields.
- GRADES updates, applied only to the row where user and course match the form fields: if (A1 box checked) update A1 and A1S; similarly for A2.
- Participation, Total and Percent updates, again only for the row where user and course match the form fields: if ($Partic != "") update Partic by adding the form value to the GRADES column value; update Total by adding all of the row's grade and participation values; update Percent with Set Percent = 100*Total / 150 where user = … and course = ….
The grades.html form has no email field, so the $email value is taken as empty and Rnum therefore just checks whether the user is registered.
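The two grades.php summaries above, carried through as one added example (not the course's own grades.php). It assumes a myfunctions.php that defines Rnum(mysqli $db, string $user, string $email) and Gnum(mysqli $db, string $user, string $course) as prepared-statement variants of the page's functions (hypothetical signatures), an account.php with DB_HOST, DB_USER, DB_PASS and DB_NAME (hypothetical names), a REGISTERED row for the faux user 'admin' whose pwd column holds a password_hash() hash, GRADES columns user, course, A1, A1S, A2, A2S, Partic, Total and Percent (names assumed from the form legend), and form field names adminpwd, A1box and A2box (hypothetical). Total and Percent are recomputed from the components in one statement so the derived columns can never disagree with A1, A2 and Partic.

```php
<?php
// grades.php -- added example, not the course's own file.
// Assumptions (hypothetical): account.php defines DB_HOST/DB_USER/DB_PASS/DB_NAME;
// myfunctions.php defines Rnum(mysqli $db, $user, $email) and Gnum(mysqli $db, $user, $course)
// with prepared statements; REGISTERED has an 'admin' row whose pwd is a password_hash() hash;
// GRADES has columns user, course, A1, A1S, A2, A2S, Partic, Total, Percent (A1S/A2S nullable DATE).
require_once 'account.php';
require_once 'myfunctions.php';

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$db->set_charset('utf8mb4');

// 1. Only the administrator may change grades: compare against the stored hash.
//    Nothing is displayed or changed until this check passes.
$adminpwd = (string) filter_input(INPUT_POST, 'adminpwd');
$stmt = $db->prepare("SELECT pwd FROM REGISTERED WHERE user = 'admin'");
$stmt->execute();
$stmt->bind_result($storedHash);
$ok = $stmt->fetch() && password_verify($adminpwd, $storedHash);
$stmt->close();
if (!$ok) {
    die("Wrong administrator password.");
}

// 2. Form data: grades and participation validated as ints in the slider's
//    0-50 range, dates checked for the YYYY-MM-DD shape of an HTML5 date field.
$range  = ['options' => ['min_range' => 0, 'max_range' => 50]];
$user   = (string) filter_input(INPUT_POST, 'user');
$course = (string) filter_input(INPUT_POST, 'course');
$A1     = filter_input(INPUT_POST, 'A1', FILTER_VALIDATE_INT, $range);      // false if invalid, null if absent
$A2     = filter_input(INPUT_POST, 'A2', FILTER_VALIDATE_INT, $range);
$Partic = filter_input(INPUT_POST, 'Partic', FILTER_VALIDATE_INT, $range);  // "" -> false -> no update
$A1S    = (string) filter_input(INPUT_POST, 'A1S');
$A2S    = (string) filter_input(INPUT_POST, 'A2S');
$A1box  = filter_input(INPUT_POST, 'A1box') !== null;   // a checkbox is submitted only when checked
$A2box  = filter_input(INPUT_POST, 'A2box') !== null;
$isDate = function (string $d): bool { return (bool) preg_match('/^\d{4}-\d{2}-\d{2}$/', $d); };

if ($user === '' || $course === '') {
    die("User and course are required.");
}
// 3. The user must be REGISTERED before being graded (no email on this form).
if (Rnum($db, $user, "") == 0) {
    die("User must be REGISTERED to be graded.");
}
// 4. First grade for this user/course: insert a default row and bump numcourses.
if (Gnum($db, $user, $course) == 0) {
    $stmt = $db->prepare("INSERT INTO GRADES (user, course, A1, A1S, A2, A2S, Partic, Total, Percent)
                          VALUES (?, ?, 0, NULL, 0, NULL, 0, 0, 0)");
    $stmt->bind_param("ss", $user, $course);
    $stmt->execute();
    $stmt->close();
    $stmt = $db->prepare("UPDATE REGISTERED SET numcourses = numcourses + 1 WHERE user = ?");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $stmt->close();
}
// 5. Update a grade only when its box is checked: the slider always submits a
//    value, so without the box every submission would overwrite every grade.
if ($A1box && is_int($A1) && $isDate($A1S)) {
    $stmt = $db->prepare("UPDATE GRADES SET A1 = ?, A1S = ? WHERE user = ? AND course = ?");
    $stmt->bind_param("isss", $A1, $A1S, $user, $course);
    $stmt->execute();
    $stmt->close();
}
if ($A2box && is_int($A2) && $isDate($A2S)) {
    $stmt = $db->prepare("UPDATE GRADES SET A2 = ?, A2S = ? WHERE user = ? AND course = ?");
    $stmt->bind_param("isss", $A2, $A2S, $user, $course);
    $stmt->execute();
    $stmt->close();
}
// Participation is additive: the form value is added to the stored value.
if (is_int($Partic)) {
    $stmt = $db->prepare("UPDATE GRADES SET Partic = Partic + ? WHERE user = ? AND course = ?");
    $stmt->bind_param("iss", $Partic, $user, $course);
    $stmt->execute();
    $stmt->close();
}
// 6. Total and Percent are derived; recompute both from the components in one
//    statement so they cannot drift from A1, A2 and Partic.
$stmt = $db->prepare("UPDATE GRADES SET Total = A1 + A2 + Partic,
                      Percent = 100 * (A1 + A2 + Partic) / 150 WHERE user = ? AND course = ?");
$stmt->bind_param("ss", $user, $course);
$stmt->execute();
$stmt->close();

// 7. Echo the inputs, output-encoded; never echo the admin password.
$shown = ['user' => $user, 'course' => $course, 'A1' => $A1, 'A1S' => $A1S,
          'A2' => $A2, 'A2S' => $A2S, 'Partic' => $Partic];
foreach ($shown as $name => $value) {
    echo "<p>" . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ": "
       . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "</p>";
}
```

The admin hash for the faux 'admin' row can be produced once with `php -r 'echo password_hash("Asgt01", PASSWORD_DEFAULT), PHP_EOL;'` and pasted into REGISTERED through phpMyAdmin; password_verify then does a constant-time comparison, whereas comparing a sha1 string with == or != is not constant-time and, in PHP, can also be tripped by loose type juggling on hashes that look like numbers.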
FEATURES of grades.php and grades.html

HTML: an HTML5 slider with an output element and an oninput event in grades.html to input the grades.
PHP: checkboxes signal that a slider holds a new grade; otherwise grades.php ignores the slider input.

Make a simple change to retrieve.php to handle the hashed user pwd in REGISTERED.

grades.html: the administrator (not a user) can change grades, so grades.php only provides the service if the password is the admin's password. For simplicity, you can test against a plaintext password for the administrator like Asgt01. For extra credit: you can use a sha1-hashed entry for 'admin' (which can be kept as a faux user in REGISTERED). The admin password stored in REGISTERED can be entered manually using phpMyAdmin.

Update entries in GRADES using values from grades.html. Echo the inputs to the browser.

Programmer-defined functions help the implementation:
Rnum($user, $email = "") : used to verify the user is registered.
Gnum($user, $course) : used to check whether an initial row for the $user/$course pair needs to be inserted in GRADES.
Later slides show how to implement and use these!

Participation: updated by adding its value on grades.html using an SQL UPDATE. Total and Percent: updated by appropriate SQL UPDATE statements. A1/A1S and A2/A2S: updated only if their checkboxes are checked.
Points-off Check List - UNDER CONSTRUCTION
See the next slide for late submission and other rules.

Points  Requirement
5       Correctly defined HTML REGISTRATION form
7       Correctly defined HTML GRADES form
5       Use mysql_real_escape_string, filter_input and htmlspecialchars for I/O
5       Correctly define and apply a JavaScript function to confirm the instructor password entry
5       In PHP, the hashed admin password must prevent the scripts from displaying data if the password is wrong. Also retrieve.html should work with hashed user passwords.
5       Correctly define and apply user-defined functions for registration and grading. Place the function definitions in an include file.
5       Correctly handle the REGISTRATION insert. Use mysql_real_escape_string to sanitize the data in both PHP scripts.
10      Correctly handle the GRADES UPDATE for the A1 and A2 grades and their dates, participation, total grades and percent calculations.
3       Your statement on the assignment: what you learned, difficulties, time spent on the assignment, etc.
LATE SUBMISSION - Rules when the assignment is handed in late
1 day late => 5 points off
2 days late => 10 points off
2 days to 5 days late => 15 points off
More than 5 days late => no credit

HONOR CODE: RULES FOR WORKING TOGETHER [you can work solo or in authorized pairs only; see the following]
Authorized Partners: 2 persons max; only one can be the senior partner, the other must be the designated junior partner, who can get at most 85% of the points and no extra credit. The assignment must be submitted by one partner with both students identified in the email. The senior partner's points may also be limited. You must acknowledge the partnership by a joint submission, otherwise you violate the honor code rules; if any submitted assignments are recognizably joint work but not identified as such, that will be reported as an Honor Code violation.
Legend for HTML GRADES Update Form
Fields: Password, Username, Course, A1 (slider, check box) with A1S (date), A2 (slider, check box) with A2S (date), Additive Partic Pts, and a submit button. Note: as usual, align the labels. A1, its slider and its box are left aligned; A1S and its field are right aligned. Same for A2. Note the parallel layout.
Interesting link on Password Strength