CS 4250 Project Part 7

Demos: you must send me a link to your website by 5pm on Friday, May 19, 2017.

(Subject line of "cs4250, project part 7", exactly. You should send the link / URL early; I will not visit your website until the deadline.) Remember to include the name of your project/group in the email message.

The goal of this part of the project is to interface your database with a programming language and to make it web-accessible. This is the stage where you embed your database into a complete application. The programming language that I recommend is PHP, a popular, server-side scripting language. Executable commands are embedded via special tags in the source of the web page. (See the class lecture notes for more details.) PHP has been installed on the P 288 machines. Using PHP, the MySQL database that you have created can be accessed via the web, using a webserver installed on hopper.csustan.edu. Before detailing the assignment itself, it may be helpful to read the following FAQs:

FAQ: Can we do this part of the project from our own computer/web server but still access the MySQL database server on hopper.csustan.edu?

Answer: No. Due to security constraints, you can access the MySQL database server on hopper.csustan.edu only from machines in P 288, either by logging in directly or by using the web interface you will create in this part of the project.

Note that if you write your PHP scripts to connect to "localhost" (as shown on the MySQL handout that contains your MySQL password) and test them by connecting to an installation of MySQL on your own machine, then porting the scripts to a P288 machine for project submission should be fairly straightforward.

FAQ: Can we use our own database server and web server?

Answer: Yes. You are welcome to do the project completely on your own computer. Notice that this part of the project involves having a DBMS (MySQL, PostgreSQL, Oracle, SQL server etc.) and drivers for accessing the database from the programming language you will use to implement your web interface. Depending on how you choose to demo your web interface, your computer may also need to be internet-accessible (so that people -- your project partners, your professor -- can access the web pages that are stored in your computer via the world wide web). In addition, you may need to install PHP (if you decide to use PHP for your web interface), and a web server that you can operate on your computer. In short, if your setup allows one to create web pages and make them publicly accessible on the WWW, you are in good shape.

If you choose this option, you take full responsibility for ensuring that your machine supports all the desired functionalities. I will not be able to accommodate any last minute requests for extensions because something is not working. I provide this option for your convenience, so that you can take advantage of any already existing setup for your project. Do not attempt this unless you are absolutely positively sure of what you are doing. We do not have the resources or the manpower to provide technical support and help in debugging. At the end of the day, I will grade it just like every other project.

FAQ: Can we use Ruby-on-Rails/AJAX/Javascript/substitute-the-latest-buzzword-here/ for the project?

Answer: Certainly! However, should you decide to use <insert buzzword here>, you are on your own. We do not have facilities to support these in the lab, nor to provide technical support.

The sysadmin verified that PHP and Ruby should work, and that is all. (Ruby on Rails may or may not.) If you choose to use Ruby, contact the professor ASAP, since some security-related adjustments will need to made to your user account. (That is the full extent of the technical support we will provide for using Ruby.)

FAQ: What is an SQL injection attack?

Answer: SQL injection attacks are a common way for malware to invade DBMSs via the code a web site uses to interact with its database. (Wikipedia's SQL injection page)

Test your SQL injection prevention on SQL queries that use "LIKE", if you implement the prevention technique on the ad-hoc query part of your project web page.

(Note the our system administrator required you to do to set appropriate file permissions does not "count" as SQL injection-prevention, for this part of this assignment.)

Preparatory Steps:

Style Guide for your Application

What I want to see at the end of the day is a single web page that provides a nice interface to your database. Feel free to do more fancy and creative things, but do so only after completing this "core" requirement. Here is a style guide for what this page should look like. If you look at the template carefully, notice that we are only querying the database. We are not doing any inserts, updates or deletes. (That's one direction to look at, if you are aiming to be creative.)

Some how-tos of scripting

Help with PHP

Here are some good documentation resources:

There are different ways in which you can access the MySQL database from your PHP program.

Should you find another good PHP/scripting/MySQL documentation/help WWW page, please let me know and I will add a link here for the whole class to benefit from.

What you should turn in:

One team member from your project should send the URL for your web page, where I can access your application. This can be done by sending email to Dr. Thomas. Notice that this URL could be located on hopper.csustan.edu or on some server that you run yourself. If you choose the latter option, then it is your responsibility to make sure that the server is up and running when I try to access your web page.

I will not grade until May 19th, so it is ok if the URL you send leads to a largely non-functional page at the time you send the URL. (The page should be functional by the 19th, however.)

In addition, you need to compile a project report about 6--8 pages in length, plus source code appendices. More on this below.

Project point distribution:

  1. (30 points) Does everything work correctly and do all the buttons and links that I click indeed do what they are expected to do. I will see if you are really accessing the database dynamically and are not just "looking up" the data from some ready made source. I will ensure this by typing ad-hoc queries. You will also need to make sure that all query results have column names neatly presented and that data is clearly tabulated.

    Submit your source code (.zip file) to the CS Homework system along with the report (next item), or include the source code as appendices to your project report. (The actual source source code must be submitted, not a link to some other web site.)

  2. (15 points) A project report where you summarize all parts of your project in a single document. If possible, include snapshots of your web interface. This report can be easily created by cut-and-pasting (corrected versions of) all the previous reports that you submitted, making sure you include the E/R diagram, the details about normalization, your relational schema and the queries you created in the previous part of the project. Include the role of each team member in the project. Clearly identify the scope of everybody's contribution. If there were any problems during the course of the project (due to less than complete participation by some team member), identify them.

    Portable Document Format (PDF) format preferred for your report. MS Word or plain text also acceptable.

    Include your answer to the next question in the document, too.

    Submit your report to the CS Homework system.

  3. (2 points) Explain whether or not somebody who is truly working in the domain of your application would use your web-enabled database, or if there is something missing or intrinsically complex that will deter them from using it. (Is your web-enabled database not powerful enough for the real world, or too complicated for the real world?) For example, if you are in the books domain, would a bookseller use your database? It would be ideal if you had access to a real application domain person; you could just ask him/her to visit your web page and give you feedback. Alternately, look at "similar" systems or web pages and see if they are doing something differently and if your approach is better (or worse) and why. Include your answer to this question in your project report.

    Please note that there is no "right" answer to this question nor will you be penalized for saying that there is something missing from your project. What I want to see is if you can discuss your domain, your database, and the implications of the design and implementation decisions you made in your system for the application domain that you have chosen.

  4. (3 points) Identify, in English, where I can find, in your source code, one (or more) safety checks to the code that interacts with your database, to prevent some type of SQL injection attacks. These do not need to be complicated; I just want you to illustrate your understanding of the danger of SQL injection by blocking some possible attack. (A simple if-statement, in the correct location, will be sufficient.)
  5. (5 points) Neatness, presentation, grammar, style, consistency etc.
  6. (15 points) Implement some extra functionality. In your project report, clearly list exactly what you have implemented and how we can test it. Note that you must implement some extra functionality, to have a chance of getting up to 15 points. Here are some suggestions for this step:
  7. (Extra Credit points) If the extra functionality is remarkable, you can get up to 15 points of extra credit, depending on how complex your application is.
Last modified: April 23, 2017