Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASSIGNMENT 02 – Week of Nov 16 th IDEAS SQL insert and update statements Programmers-defined functions in PHP PHP safe IO functions: mysql_real_escape_string.

Published byAshlee Chambers Modified over 8 years ago

Similar presentations

Presentation on theme: "ASSIGNMENT 02 – Week of Nov 16 th IDEAS SQL insert and update statements Programmers-defined functions in PHP PHP safe IO functions: mysql_real_escape_string."— Presentation transcript:

1 ASSIGNMENT 02 – Week of Nov 16 th IDEAS SQL insert and update statements Programmers-defined functions in PHP PHP safe IO functions: mysql_real_escape_string - protects against SQL injection htmlspecialchars, filter_input - protects against XSS attacks html5 input elements /attributes including sliders/output elements hashing for secrecy Client-side Javascript functionality More complex decision-making logic and file Organization bonus: using media queries

2 Legend for REGISTRATION form User- password Type This User name submit Hyperlink to statement page Aligned Labels Hyperlink to txt versions of PHP files [not DB account file] Email – email Type Fullname Address - textarea Confirm pwd Cell Major Check For email copy Form action="register.php" All fields required This will be your pwd This confirms your pwd This will be your user name

3 register.php register.html YOUR DIRECTORY grades.php grades.html account.php myfunctions.php retrieve.php retrieve.html REGISTERED GRADES MySQL DB Database and File Organization triggers connected include triggers

4 Connect to DB Get Form data Sanitize with mysql_real_escape_string: video 3B1 & filter_input Include myfunctions.php file with function definitions Does user or email already exist in REGISTERED ? Exit message Yes No Define & Execute SQL Insert with Form data. Use NOW() for insert datetime parameter and initialize numcourses. Echo input data from Form with htmlspecialchars. Later: send mail of the user (such as to mailinator) if requested. How register.php works Use Rnum to decide this

5 Programmer-defined functions to simplify programming. The following functions count certain rows in REGISTRATION & GRADES tables. This will simplify the logic of the PHP scripts for registration and grading. Rnum( $user, $email ) - returns number of rows in REGISTERED where either $user or $email address occurs. Gnum( $user, $course ) - returns number of rows in GRADES where the user and course fields in a GRADES row match $user and $course values on grading form. For programmer-defined functions see Video 6C[5:00 minutes into video, to the end] and IT 202 Manual pp. 202-203 Before you can execute these functions: 1.register.php & grades.php scripts must be connected to DB. 2.$user, $email and $course must be defined using $_GET - and mysql_real_escape_string (and optionally filter_input) to make data safe. Later: $A1, $A2 and $Part must be defined and transformed mysql_real_escape_string and validated as int by filter_input.

6 register.php uses following functions: function Rnum ( $user, $email) { //Detects user or email is REGISTERED $s1 = "select * from REGISTERED where … " $t1 = mysql_query($s1); return mysql_num_rows($t1); // If $user or $email is in REGISTERED a non-zero number is returned, else zero is returned. } function Gnum ( $username, $course ) { … } This checks whether user and course appear in same row of GRADES. It's code is slightly different than Rnum. See pp. 202-203 of IT 202 manual to see how to define, execute and include functions. The main script register.php must be connected to database when these functions are used otherwise the mysql_ functions used in Rnum will not work.

7 register.php called by the form register.html verifies this is a new user. Sanitizes form input using mysql_real_escape_string (and optionally filter_input functions) Uses programmer-defined function Rnum ($username, $email) to verify it's a new user and a new email address. Function definition is included from file named myfunctions.php. If user & email are new: apply SQL Insert with form data to REGISTRATION table. The password is encrypted using sha1 in insert. The numcourses attribute is set to 0. Registration data echoed to browser. Registration time uses SQL's NOW() function in SQL. Echo uses PHP htmlspecialchars function to protect against XSS attacks. Echo datetime (can use PHP date function date) to avoid having to retrieve to get time. If Email box checked, register.php sends mail to address entered in register.html along with properly laid out registration data including PHP datetime. Use mailinator addresses as the inputs. register.html form uses Javascript (w. onblur event in 2 nd required password field.) To confirm the passwords match JS erases field contents if the passwords differ. This erasure prevents form submission since field is required. LINKS: Include hyperlink to pages with personal experience with project and text copies of txt PHP files. FEATURES - register.php and register.html Also: Make simple change to retrieve.html to handle the encrypted (user) pwd so retrieve code is compatible with REGISTERED's contents. This only affects "Case 3" type input because that is only place where user password is retrieved.

8 register.php logic Database must be connected before executing user-defined functions which use mysql_ functions. Data must be accessed from HTML form using $_GET. Data must be sanitized using mysql_real_escape_string. If user or email already exists die ("message content") can send message to browser and terminate. Otherwise insert Form data for new user in REGISTERED. 1.Connect to database. 2.Use include myfunctions_inc.php to incorporate user functions. 3.Get and sanitize Form data with mysql_real_escape_string. 3. if Rnum(( $user, $email ) != 0) display message that user or email already in REGISTERED and exit (such as with die). 4.Otherwise: Define and execute SQL statement that inserts new row in REGISTERED. Use NOW( ) function to define datetime entry for REGISTERED table. The insert looks like "insert into REGISTERED value ('$user', $email', …., NOW(), … )"

9 Legend for GRADES form Admin Password submit User Course A1 Additive Partic Pts A1S A2 A2S Align labels as shown Form action="grade.php" html5 date field use small read-only text field to display slider value use PHP applies slider and date values to DB only if box is checked hml5 slider: 0-50 user whose grades are to be updated Only first 3 fields are required course whose grades are to be updated Only admin can change grades

10 Connect to DB Get Form data [eg from slider(s)] Sanitize with mysql_real_escape_string: 3B1 include myfunctions.php user not REGISTERED? Rnum($user, "") == 0 ? Exit w. message : "User must be REGISTERED to be graded" true If Gnum($user, $course) == 0 Then: insert an initial row for $user & $course with default entries (0 for grades, 0000-00-00 for dates, etc) update user's entry in REGISTERED by Set numcourses=numcourses+1 Update grades, dates, etc: if (A1 box is checked) SQL updates A1 and A1S A1S should be empty if A1's checkbox is not checked. A1S should be of type date on Form. Similarly for rest of inputs: Participation, etc Echo all input data from grades.html Form. How grade.php works Rnum($username, $email) Gnum($user, $course) Typically only one grade is submitted at a time – so your PHP code should not affect a grade whose slider box is not checked. setup registered? update yes exit

11 grades.php - logic summary Connect to database; Exit if admin password wrong; Get grades.html data & sanitize with mysql_real_escape_string if ( Rnum( $user, "") == 0) { send message saying user must be registered before grading then exit ; } if ( Gnum( $user, $course ) == 0 ) { insert initial GRADES row for $user, $course pair with zero or default values for the other fields ; } if (A1 box checked) update (don't insert) A1 & A1S using SQL Update command for that user/course if (A2 box checked) update (don't insert) A2 &A2S using SQL Update command for that user/course if ($Partic != "") Update Partic value by adding form value $Partic to DB value Partic for that user/course Update Total by adding A1, A2, Partic Update percent: Update GRADES Set Percent = 100*Total / 150 for that user/course only

12 grades.php logic - another summary Connect to database. Get/check administrator password and exit if it's wrong. Otherwise: Get grades.html data and clean it with mysql_real_escape_string if ( Rnum( $username, $email="" ) == 0) send message to browser that user must be registered before getting grades and then exit. if ( Gnum( $username, $course ) == 0 ) add an initial row to GRADES for $username, $course pair – with zero or suitable default values for other fields. //GRADES updates – applies only to row where user & course match form fields if (A1 box checked) update A1 and A1S Similarly for A2 //Participation, Total, Percent Updates - only to row where user & course match form fields if ($Partic != "") Update Partic value - by adding form value to GRADES column value Update Total - by adding all row's grade and participation values Update % - by using Update to Set Percent = 100*Total / 150 where user = etc grades.html form does not have an email field so $email value is taken as empty. Rnumtherefore just checks if user is registered

13 HTML: html5 slider & output element/oninput event in grades.hml to input grades PHP: checkboxes used to signal slider has a new grade - otherwise grades.php ignores slider input. FEATURES of grades.php and grades.html Make simple change to retrieve.php to handle encrypted user pwd in REGISTERED. grades.html: Administrator can change grades (not a user) so grades.php only provides service if password is admin's password. For simplicity, can test against a plaintext password for administrator like Asgt01. For extra credit: you can use an sha1 hashed entry for 'admin' (which can be kept as a faux user in REGISTERED.) The admin password stored in REGISTERED can be entered manually using phpMyAdmin. Update entries in GRADES using values from grades.html. Echo inputs to browser. Programmer-defined functions help implementation: Rnum($user, email="") : used to verify user is registered Gnum ($user, $course) : used to check if need to add initial row for $user/$course inserted in GRADES Later slides show how to implement and use these! Participation: updated by adding its value on grades.html using SQL Update. Total and Percent: updated by appropriate SQL Update statements. A1/A1s and A2/A2s: updated only if their checkboxes are checked.

14 Points-off Check List - UNDER CONSTRUCTION See next slide for late submission and other rules PointsRequirement 5Correctly defined HTML REGISTRATION form 7Correctly defined HTML GRADES form 5Use mysql_real_escape_string, filter_input and htmlspecialchars for IO 5 Correctly define and apply Javascript function to confirm instructor password entry. 5 In PHP, hashed admin password must prevent scripts from displaying data if password is wrong. Also retrieve.html should work with hashed user passwords. 5 Correctly define and apply user-defined functions for registration and grading. Place function definitions in include file. 5 Correctly handle REGISTRATION insert. Use mysql_real_escape_string to sanitize the data for both PHP scripts:. 10 Correctly handle GRADES UPDATE for A1 and A2 grades and their dates, participation, total grades and percent calculations. 3Your statement on assignment: what you learned, difficulties, time-spent on assignment, etc.

15 LATE SUBMISSION - Rules when assignment is handed in late 1 day late => 5 points off 2 days late => 10 points off 2 days to 5 days late => 15 points off More than 5 days late => no credit HONOR CODE: RULES FOR WORKING TOGETHER [you can work solo or in authorized pairs only – see following] Authorized Partners – 2 persons max, only one can be the senior partner, the other must be the designated junior partner who can get at most 85% of points and no extra credit; the assignment must be submitted by one email with both students identified in the email. The senior partner's points may also be limited. Must acknowledge partnership by a joint email submission – else you violate honor code rules; if any submitted assignments are recognizably joint work but not identified as such then that will be reported as an Honor code violation.

16 Legend for HTML GRADES Update Form Password submit Username Course A1 Additive Partic Pts A1S A2 A2S Note: As usual align labels. A1, its slider and its box are left aligned. A1S & its field are right aligned. Same for A2. use Note the Parallel layout

17 Interesting link on Password Strength http://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase

Download ppt "ASSIGNMENT 02 – Week of Nov 16 th IDEAS SQL insert and update statements Programmers-defined functions in PHP PHP safe IO functions: mysql_real_escape_string."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
MY NCBI (module 4.5). MODULE 4.5 PubMed/How to Use MY NCBI Instructions - This part of the: course is a PowerPoint demonstration intended to introduce.

MY NCBI (module 4.5). MODULE 4.5 PubMed/How to Use MY NCBI Instructions - This part of the: course is a PowerPoint demonstration intended to introduce.
PHP II Interacting with Database Data. The whole idea of a database-driven website is to enable the content of the site to reside in a database, and to.

PHP II Interacting with Database Data. The whole idea of a database-driven website is to enable the content of the site to reside in a database, and to.
HTML Forms. collect information for passing to server- side processes built up from standard widgets –text-input, radio buttons, check boxes, option lists,

HTML Forms. collect information for passing to server- side processes built up from standard widgets –text-input, radio buttons, check boxes, option lists,
WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
NMED 3850 A Advanced Online Design February 25, 2010 V. Mahadevan.

NMED 3850 A Advanced Online Design February 25, 2010 V. Mahadevan.
1 CSI 101 Elements of Computing Fall 2009 Lecture #4 Using Flowcharts Monday February 2nd, 2009.

1 CSI 101 Elements of Computing Fall 2009 Lecture #4 Using Flowcharts Monday February 2nd, 2009.
Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.

Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.
PHP Scripts HTML Forms Two-tier Software Architecture PHP Tools.

PHP Scripts HTML Forms Two-tier Software Architecture PHP Tools.
WDMD 170 – UW Stevens Point 1 WDMD 170 Internet Languages eLesson: Working with Forms in JavaScript (NON-audio version) © Dr. David C. Gibbs 2003-04.

WDMD 170 – UW Stevens Point 1 WDMD 170 Internet Languages eLesson: Working with Forms in JavaScript (NON-audio version) © Dr. David C. Gibbs
HTML Tables and Forms Creating Web Pages with HTML CIS 133 Web Programming Concepts 1.

HTML Tables and Forms Creating Web Pages with HTML CIS 133 Web Programming Concepts 1.
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
CST 200 - JavaScript Validating Form Data with JavaScript.

CST JavaScript Validating Form Data with JavaScript.
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.

1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.
Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io

Lecture 3 – Data Storage with XML+AJAX and MySQL+socket.io
Advance web Programming Chapter 3: MySQL Date: 28 April 2014 Advance web Programming Chapter 3: MySQL Date: 28 April 2014 Dr. Mogeeb A. A. Mosleh E-mail.

Advance web Programming Chapter 3: MySQL Date: 28 April 2014 Advance web Programming Chapter 3: MySQL Date: 28 April 2014 Dr. Mogeeb A. A. Mosleh .
Application Development Description and exemplification of server-side scripting language for server connection, database selection, execution of SQL queries.

Application Development Description and exemplification of server-side scripting language for server connection, database selection, execution of SQL queries.
JavaScript Form Validation

JavaScript Form Validation
Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.

Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.

Similar presentations

Ads by Google