Secure Web-Based Systems Fall Test 1

Transcription

1 Secure Web-Based Systems Fall 2016 CS 4339 Professor L. Longpré Name: Directions: Test 1 This test is closed book and closed notes. However, you may consult the special cheat sheet provided to you with this test. Total time limit 1 1/3 hour (80 minutes). You can answer each question on the exam sheets. Attach separate sheets if needed. Problems weighed as marked. There is a maximum of 110 points.

2 1. (12 pts) (a) Transform the UTEP word in the following html page into a link that goes to Welcome to UTEP! Welcome to <a href=" (b) Change the line The following line... web site. into a comment. The following line should lead to the UTEP web site. Welcome to UTEP! <!--The following line should lead to the UTEP web site.--> Welcome to UTEP! (c) Change the following to display a bulleted list of items, one item per line. I like the following drinks: black coffee, green tea, pink lemonade, orange juice. I like the following drinks: <ul> <li>black coffee, <li>green tea, <li>pink lemonade, <li>orange juice. </ul>

3 (d) Make the form use the post method and add a button that sends the user to the page check name.php. <form> Name: <input type="text" name="name"> </form> <form action="check_name.php" method="post"> Name: <input type="text" name="name"> <input type="submit"> </form>

4 2. (15 pts) Fill the html table below that would display the following: <table border = "2"> </table> <tr> <th rowspan = "2"> Student Name </th> <th colspan = "3"> Student data </th> </tr> <tr> <th>id</th> <th> </th> <th>major</th> </tr> <tr> <td>abraham Lincoln</td> <td> </td> <td>alincoln@utep.edu</td> <td>political Science</td> </tr> <tr> <td>benjamin Franklin</td> <td> </td> <td>bfranklin@utep.edu</td> <td>physics</td> </tr> <tr> <td>blaise Pascal</td> <td> </td> <td>bpascal@utep.edu</td> <td>computer Science</td> </tr>

5 3. (10 pts) (a) How do you get information from a form that is submitted using the get method? i. form->get(); ii. mysqli_get(); iii. $_GET[]; (b) In PHP you can use both single quotes ( ) and double quotes ( ) for strings: i. True ii. False (c) What is the correct way to create a function in PHP? i. function myfunction() ii. new_function myfunction() iii. create myfunction() (d) What is the correct way to add 1 to the $count variable? i. $count =+1 ii. $count++; iii. count++; iv. ++count (e) What is a correct way to add a comment in PHP? i. <comment>...</comment> ii. <! > iii. *\...\* iv. /*...*/

6 4. (25 pts) Write two files: request_form.php and result.php that implement the following. The request_form.php displays a form with two fields and a submit button. The first field is labeled table name, and the second field is labeled ID. By clicking the button, the user is led to the result.php page. The result.php page first connects to the database. Assume a file called login.php exists and contains the host name, database name, user name and password. If one of the fields has not been filled by the user, an appropriate error message is displayed. Otherwise, the program connects to the database, and searches for a record in the table selected by the user with the ID field having a value equal to the value provided by the user.the table should have a field named ID. If the query fails, and appropriate message is displayed. If the query succeeds, but no record matches the ID, an appropriate message is displayed. <!--request_form.php--> <form action="result.php" method="post"> table name: <input type="text" name="tname"><br/> ID: <input type="text" name="id"><br/> <input type="submit"> </form> <?php //result.php require_once login.php ; $conn = new mysqli($hn, $un, $pw, $db); if ($conn->connect_error) die($conn->connect_error); if (isset($_post[ tname ])) $table_name = $conn->real_escape_string($_post[ tname ]); if (isset($_post[ id ])) $id = $conn->real_escape_string($_post[ id ]); if ($table_name == $id == ) die("you need to select the table name and the id"); $query = "SELECT * FROM $table_name WHERE id=$id"; $result = $conn->query($query); if (!$result) die("did not find the record"); $row = $result->fetch_assoc(); foreach ($row as $field_name => $value) echo "$field_name: $value<br/>"; echo "<br/>"; $result->close(); $conn->close();?>

7 5. (20 pts) What is displayed by following page? <?php $head = <<<_END <head><title>user Data</title></head> <h1>value List</h1> <p> <ul>\n _END; $n0="abraham"; $n1= Blaise ; $n2="abraham.blaise"; $n3=3; $n4=4; $n5=5; $v[0]=$n0+1; $v[1]="$n0.$n1"; $v[2]= $n1.$n2 ; $v[3]=$n0.$n2; $v[4]=$n3+$n4; $v[5]="$n4+$n5"; $v[6]= $n5+$n6 ; echo $head; foreach($v as $index => $value) echo " <li>$index: $value</li>\n"; echo " </ul>"; echo " </p> "?> (Notice: is a normal single quote.) (Notice: $v[0]=$n0+1; causes a warning on PHP7, but not in PHP5.)

8 6. (16 pts) Describe what each of the following function does and give a relevant example. stripslashes($string); Returns a string with backslashes stripped off. (\ becomes and so on.) Double backslashes (\\) are made into a single backslash (\). htmlentities($string); All characters which have HTML character entity equivalents are translated into these entities. mysqqli::real_escape_string($string); Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection strip_tags($string); Returns a string with all NULL bytes, HTML and PHP tags stripped from a given string.

9 7. (12 pts) Write PHP code that emulates the following java class and methods. public class ExpressionString private char[] e; private int i; char currentchar; public ExpressionString(String s) e = s.tochararray(); reset(); public void reset() i=-1; advance(); public void advance() if (i<e.length) i++; if (i<e.length) currentchar=e[i]; else currentchar=. ;

10 <?php class ExpressionString private $size; private $e; private $i=-1; $currentchar=. ;?> function ExpressionString($s) $this->size = strlen($s); $this->e = str_split($s); $this->reset(); function reset() $this->i = -1; $this->advance(); function advance() if ($this->i<$this->size) $this->i++; if ($this->i<$this->size) $this->currentchar = $this->e[$this->i]; else $this->currentchar =. ; function getcurrentchar() return $this->currentchar; function getindex() return $this->i;