2015-2016
Phil Smith
Learning outcome LO1 1. Understand the concepts of web application development. (Assignment 1)
Previously: we looked at types of users, site analysis, accessibility and legislation.
Today:
Functionality: functions, e.g. shopping cart, reserve order, manage user profile, web content management, upload files.
Scripting languages: server side, e.g. ASP (Active Server Pages), ASP.NET, PHP (Hypertext Preprocessor), JSP (Java Server Pages), Cold Fusion, Perl, Java Applet, Flash; advantages, e.g. faster processing time, data processing, data storage; client side, e.g. JavaScript, VBScript.
Security: security requirements, e.g. user accounts, account restrictions, procedures for granting and revoking access, terms of use, system monitoring.
Advantages and Disadvantages of Websites Focus on business need. There are several advantages and disadvantages to having a website for your business or limited company. In the modern age, more and more businesses are getting online. Research from Direct Line for Business found that eight million people in the UK are operating as an 'online business from home', either reselling goods for a profit or making their own products to sell. (Feb 2016)
Advantages and Disadvantages of Websites: if you don't take your business onto the World Wide Web, you could miss out on potential customers, sales and profits.
Advantages of Websites: the first and perhaps most obvious advantage of a business website is the potential for reaching a wider audience. The internet is used by literally millions of people, all of them looking for something, and some of them might be looking for you! Another advantage of having a website is that your business information and details about your products and services can be accessed by anyone, no matter where they are on the planet or what time of day it is. The internet is online 24 hours a day, 7 days a week. So even if your business isn't open, your website will be!
Advantages of Websites: with a website, customers can easily access information about your business. They can see what products or services you sell, your prices, your location and much more. Whatever you decide to tell them, they can find it with a few clicks of a mouse. Once a website is designed, you can keep it up to date so that it stays relevant to your business and encourages more visitors (and potential sales). More and more people are using a blog to promote their business. In fact, research shows that Businesses That Blog Get More Traffic. So using a blog to keep content fresh and attract attention could make a big difference to your business.
Advantages of Websites: you may think of the advantages of a website in terms of advertising and publicity for your business. The costs of having a business website are actually quite low. Having a website for your business is not just an advantage; it's an essential way to protect your business brand online.
Disadvantages of Websites: there are a few disadvantages of having a website for your business. Generally though, they are outweighed by the numerous advantages. Reliability: the information on your website might be unreliable if it is not updated on a regular basis. You need to ensure that changes are made when necessary and have a disclaimer with regard to the reliability of the information contained within.
Disadvantages of Websites: a website that crashes is no good to anyone. This is a serious disadvantage for a business. If your website is constantly crashing or unavailable then people will not be able to find information about your business and you could miss out on potential sales. An unreliable connection could also mean a plummet in a website's search engine ranking. This is the reason why You Need Good Webhosting For Your Business.
Disadvantages of Websites: because of the nature of the internet and the sheer number of businesses already on the World Wide Web, you may find it difficult to reach the right target audience with your website. Competition within your market may be strong, and the battle for the elusive No.1 spot on Google may be a difficult one against a wealth of other businesses in your sector.
Disadvantages of Websites: we all hate spam, the internet equivalent of junk mail. This is one of the disadvantages of a website which can cause you some grief. With a contact form or your e-mail address published on your website, you'll soon find your inbox filling up with spam e-mails unless you use FormGuard or a captcha tool.
Disadvantages of Websites: having a website risks attracting bad publicity. If a customer is unhappy with your service or products, then they may feel the need to vent their frustrations online and reference your website in their review/comments. This could be potentially damaging, hurting both your reputation and your search engine ranking.
Disadvantages of Websites: then of course there are denial of service attacks, SQL injection, phishing, etc.
Functionality: what can websites offer? Functions of web sites:
shopping cart
reserve order (wish lists)
manage user profile (for order tracking)
web content management (static and dynamic content, web controls)
upload files: data files, PDF, web pages, web components (e.g. Twitter Bootstrap files)
Functionality: web content management (static and dynamic content, web controls). Static web pages need to be updated offline inside the actual page template, which then has to be re-uploaded. Dynamic web pages get their content in real time, usually from a database; changes need only be made in the database, usually by a back-end application. Web controls are small panels of dynamic content which can communicate with other panels. This is a feature of Microsoft SharePoint.
Task 1 List the functions used in your web application from unit 14. Is your site static or dynamic?
Scripting languages: server side
ASP (Active Server Pages) uses VBScript.
ASP.NET (managed code)
PHP (Hypertext Preprocessor)
JSP (Java Server Pages)
Cold Fusion (creates an exe, similar to ActiveX)
Perl
Java Applet
Flash
Advantages, e.g. faster processing time, data processing.
Scripting languages: client side, e.g. JavaScript, VBScript.
Task 2 Setting up our database in MySQL. There are three ways we can get our tables and data from Microsoft Access into MySQL on the hosting site.
1. Manually:
   1. Create the same tables in MySQL using phpMyAdmin.
   2. Then either key in the data, or
   3. attempt to export the data from Access and then import it into the relevant table in MySQL.
Security: security requirements
user accounts (login, profiles)
account restrictions (limits based upon level of privilege)
procedures for granting and revoking access (admin rights)
terms of use
system monitoring (log files etc.)
prevention of cyber attacks
Security: security requirements, user accounts (login, profiles). E-commerce sites need to ensure payment is secure. Use of registration is the norm:
1. User enters an email address and password.
2. User is sent an email requesting activation (this proves the email address is valid).
3. User clicks on the link in the email to activate their account.
4. User can then log in.
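The registration and activation flow described above, written out as plain PHP functions. This is an added example, not code from the original slides: the $users array stands in for the MySQL user table so the script runs offline, the activation e-mail is simulated by returning the link to the caller, and the example.com address and the 24-hour token lifetime are assumptions.

```php
<?php
// Added example (not from the original slides): register -> activate -> login.
// $users stands in for the user table; the e-mail step is simulated by
// returning the activation link instead of sending it.
declare(strict_types=1);

const ACTIVATION_LIFETIME = 24 * 60 * 60; // seconds an activation link stays valid (assumption)

/** @var array<string, array<string, mixed>> in-memory stand-in for the user table */
$users = [];

function register(array &$users, string $email, string $password): ?string
{
    // Validate rather than sanitise: a bad address is rejected, not "repaired".
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($password) < 8 || isset($users[$email])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // unguessable activation token
    $users[$email] = [
        // Only a salted hash of the password is stored, never the password itself.
        'hash'    => password_hash($password, PASSWORD_DEFAULT),
        'active'  => false,
        'token'   => $token,
        'expires' => time() + ACTIVATION_LIFETIME,
    ];
    // A real site would e-mail this link to the user (assumed hostname).
    return 'https://www.example.com/activate.php?token=' . $token;
}

function activate(array &$users, string $token): bool
{
    foreach ($users as $email => $row) {
        if ($row['active'] || $row['expires'] < time()) {
            continue; // already active, or the link has expired
        }
        // hash_equals compares in constant time, avoiding a timing side channel.
        if (hash_equals($row['token'], $token)) {
            $users[$email]['active'] = true;
            $users[$email]['token']  = ''; // the link is single use
            return true;
        }
    }
    return false;
}

function login(array $users, string $email, string $password): bool
{
    $row = $users[$email] ?? null;
    // One failure result whether the account is missing, inactive or the
    // password is wrong, so a caller cannot tell which it was.
    return $row !== null && $row['active'] && password_verify($password, $row['hash']);
}

// Walk through the flow with a constructed user.
$link = register($users, 'jane@example.com', 'correct horse battery');
echo "activation link: $link\n";
var_dump(login($users, 'jane@example.com', 'correct horse battery')); // false: not yet activated
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(activate($users, $q['token']));                             // true
var_dump(login($users, 'jane@example.com', 'correct horse battery')); // true
var_dump(login($users, 'jane@example.com', 'wrong password'));       // false
```

Run it with php on the command line. The token is what proves the e-mail address is valid, so it must be long and random (random_bytes), stored against the account, checked with a constant-time comparison and cleared once used.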
Security: account restrictions. Some users (usually back office workers) can have elevated access rights (admin). These types of users can have access to all application registrations for various purposes. On blogs and forums some users may have admin rights (access all areas) or moderator rights (limited rights to certain parts of the application). These are limits based upon level of privilege.
Security: procedures for granting and revoking access. Usually reserved for users with full admin rights. They can, for example:
suspend registrations and logins
remove registrations and logins
reset a user's password
add new registrations and logins
grant and revoke access to parts of the application
etc.
Security: terms of use. Many blogs, chat rooms and forums have a terms-of-use policy, which the new user will usually have to accept before being allowed onto the system. E.g. http://www.mywebapplication.com/terms-of-use/
Security: why is it so important to have written terms and conditions in place when you do business? Here are the seven main reasons.
1. Written terms and conditions help to create certainty as to the agreement.
2. Written terms and conditions help to minimise legal disputes and the chances of you being taken to court.
3. Written terms and conditions help you to cover all of the important matters and not overlook the things that are less obvious.
4. Written terms and conditions help you to enforce your agreement.
5. Written terms and conditions help you to provide good customer service.
6. Written terms and conditions help to avoid mismatched expectations.
7. Written terms and conditions help you comply with the law.
http://realbusiness.co.uk/article/12861-why-you-shouldnt-do-business-without-terms-and-conditions
Security: system monitoring. Websites and blogs are becoming an integral part of your brand and business. We live in an information and knowledge economy that values finding information in an increasingly web-based world. Google will penalise your search results ranking if your site is slow and produces a poor experience for the user. In many industries over 90% of purchasing decisions start with an online search. These two facts alone highlight the importance of ensuring your website is both online and performing well. If you cannot be found because your website is down, you lose credibility, customer leads and sales. http://www.monitor.us/free-monitoring-features/website-uptimemonitoring
Security: prevention of cyber attacks.
Clean browser input.
Do not put all files in the root folder.
Validate all input on the server.
Log suspicious errors.
Clean browser input. The problem: input containing special characters such as ! and & could cause the web server to execute an operating system command or have other unexpected behaviour. User input stored on the server, such as comments posted to a web discussion program, could contain malicious HTML tags and scripts. When another user views the input, that user's web browser could execute the HTML and scripts.
Clean browser input. The solution: never trust any input from a browser; strip unwanted characters, invisible characters and HTML tags from user input.
Clean browser input. Example: check if the "url" input of the "POST" type exists. If the input variable exists, sanitise it (take away invalid characters) and store it in the $url variable: http://www.w3ååschøøools.com/ becomes http://www.w3schools.com/. PHP has functions to help (so-called helper functions): http://php.net/manual/en/filter.filters.sanitize.php, e.g. FILTER_SANITIZE_EMAIL ("email"): remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].
Don't put everything in the html directory on the server. The problem: every file in the HTML directory can be accessed by a web browser if the URL is known. If you had a file called dbconnect.php that contained the login details for the database, the name could be easily guessed and then a hacker could navigate directly to it. The solution: put all data files in a directory outside the html directory or its subfolders.
Use POST instead of GET. The problem: GET sends all form input to the web application as part of the URL. If this is a user name or password it can be read: http://www.example.com/cgi-bin/cart.cgi?username=jsmith&password=puppy. The solution: the POST method sends form input in a data stream. The data is not visible in the browser location window and is not recorded in web server log files.
Validate on the server. The problem: a hacker can save an HTML form, disable the embedded JavaScript which does validation and use the modified form to submit bad data back to the web application. The application expects all input validation to have already been done by the web browser and therefore doesn't double-check the input.
Validate on the server. The solution: make sure the server script validates all input. Use browser scripting for dropdown lists, mandatory entry and basic validation, e.g. a number entered into a number field.
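Sanitising, validating and escaping browser input on the server, covering both the "clean browser input" example (the garbled w3schools URL and the PHP filter functions) and the "validate on the server" point above. This is an added example, not code from the original slides: $_POST is replaced by a constructed $form array so the script runs from the command line, and the field names, ranges and sample values are assumptions.

```php
<?php
// Added example (not from the original slides): sanitise, then validate, then
// escape on output. $form is a constructed stand-in for $_POST; a real page would
// read each value with filter_input(INPUT_POST, ...) instead.
declare(strict_types=1);

// Constructed submission: the slide's garbled URL, a valid address, a comment
// carrying a script tag, and a quantity that is not a whole number.
$form = [
    'url'      => "http://www.w3ååschøøools.com/",
    'email'    => 'jane@example.com',
    'comment'  => '<script>alert(1)</script>Nice <b>shop</b>!',
    'quantity' => '12abc',
];

/**
 * Step 1: sanitise, i.e. strip characters that cannot belong in the field.
 * Step 2: validate, i.e. decide whether what remains is acceptable at all.
 * Returns [clean values, field-level errors]; anything in $errors is rejected.
 */
function clean_form(array $form): array
{
    $clean  = [];
    $errors = [];

    // URL: FILTER_SANITIZE_URL drops bytes that are not legal in a URL, so the
    // multibyte "åå"/"øø" disappear; the result is then checked as a real URL.
    $url = filter_var($form['url'] ?? '', FILTER_SANITIZE_URL);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        $errors['url'] = 'not a valid URL';
    } else {
        $clean['url'] = $url;
    }

    // E-mail: validation alone is enough; a sanitised-but-invalid address is useless.
    $email = filter_var(trim($form['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'not a valid e-mail address';
    } else {
        $clean['email'] = $email;
    }

    // Comment: remove HTML tags before storage, and escape again on output (see h()).
    $clean['comment'] = strip_tags($form['comment'] ?? '');

    // Quantity: accept only a whole number in a sensible range (range assumed).
    $qty = filter_var($form['quantity'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($qty === false) {
        $errors['quantity'] = 'must be a whole number from 1 to 99';
    } else {
        $clean['quantity'] = $qty;
    }

    return [$clean, $errors];
}

/** Escape a stored value when it is written back into an HTML page. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

[$clean, $errors] = clean_form($form);
print_r($clean);  // url is now http://www.w3schools.com/, comment has lost its tags
print_r($errors); // quantity is rejected even though browser-side JavaScript would normally catch it
echo '<p>' . h($clean['comment']) . "</p>\n";
```

The browser-side check is only a convenience for the user; the server-side clean_form() is the one that decides. Note also that switching a form to POST keeps the values out of the address bar and the web server's access log, but they still travel in clear text unless the page is served over HTTPS.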
Log suspicious errors. The problem: web applications are frequently attacked by hackers. Without error logging, you may not know you are being attacked. The solution: trap and recover from errors, but also log events that may indicate an attack.
Log suspicious errors. Evidence of attack:
attempts to access a non-existent file or one the browser doesn't have privileges to read
a form submitted with GET instead of POST
forms submitted without required fields (the hacker may be using a false copy of the form)
input containing .. suggests an attacker is trying to access files with a relative path
requests from multiple IP addresses suggest a denial of service attack
Further reading: cross-site scripting, SQL injection. See http://php.net/manual/en/function.htmlentities.php and http://www.php.net/manual/en/security.database.sql-injection.php
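The five kinds of evidence listed above, checked over a constructed set of requests and turned into log lines. This is an added example, not code from the original slides: the $requests array stands in for what a real page would read from $_SERVER, $_POST and $_GET, and the log file path, the list of served files, the required-field table and the denial-of-service threshold are all assumptions.

```php
<?php
// Added example (not from the original slides): detect the signs of attack from
// the slide and write one log line per suspicious request. All sample traffic
// below is constructed; the log path and thresholds are assumptions.
declare(strict_types=1);

const LOG_FILE   = '/var/log/mywebapp/suspicious.log'; // assumed, outside the html directory
const DOS_WINDOW = 60;  // seconds
const DOS_LIMIT  = 100; // distinct source IPs in the window before we raise a DoS warning

/** Required fields per form, so a submission missing one is noticed (assumed). */
const REQUIRED_FIELDS = ['order' => ['item', 'quantity']];

/** Return the reasons one request looks suspicious; an empty array means none. */
function suspicious_reasons(array $req, array $known_files): array
{
    $reasons = [];

    // A form that arrives by GET when the page only ever submits by POST.
    if ($req['form'] !== null && $req['method'] !== 'POST') {
        $reasons[] = 'form submitted with ' . $req['method'] . ' instead of POST';
    }

    // Required field absent: the visitor may be using a modified copy of the form.
    foreach (REQUIRED_FIELDS[$req['form']] ?? [] as $field) {
        if (!isset($req['fields'][$field]) || $req['fields'][$field] === '') {
            $reasons[] = "required field '$field' missing";
        }
    }

    // ".." in any input suggests a relative-path attempt on files outside the site.
    foreach ($req['fields'] as $name => $value) {
        if (strpos((string) $value, '..') !== false) {
            $reasons[] = "'..' in field '$name'";
        }
    }

    // Request for a file the site does not serve (missing or not meant for browsers).
    if (!in_array($req['path'], $known_files, true)) {
        $reasons[] = 'request for unknown or protected file ' . $req['path'];
    }

    return $reasons;
}

/** Format one log line: timestamp, source IP, method, path and the reasons. */
function log_line(array $req, array $reasons): string
{
    return sprintf('%s %s %s %s: %s',
        date('c', $req['time']), $req['ip'], $req['method'], $req['path'],
        implode('; ', $reasons));
}

/** Count distinct source addresses inside the window (a crude DoS signal). */
function distinct_ips_in_window(array $requests, int $now): int
{
    $ips = [];
    foreach ($requests as $r) {
        if ($now - $r['time'] <= DOS_WINDOW) {
            $ips[$r['ip']] = true;
        }
    }
    return count($ips);
}

// Files the site actually serves; anything else earns a log entry.
$known_files = ['/index.php', '/order.php', '/cart.php'];
$now = time();

// Constructed traffic: one normal order followed by four suspicious requests.
$requests = [
    ['time' => $now, 'ip' => '203.0.113.5',  'method' => 'POST', 'path' => '/order.php',     'form' => 'order', 'fields' => ['item' => 'book', 'quantity' => '2']],
    ['time' => $now, 'ip' => '203.0.113.9',  'method' => 'GET',  'path' => '/order.php',     'form' => 'order', 'fields' => ['item' => 'book', 'quantity' => '2']],
    ['time' => $now, 'ip' => '203.0.113.10', 'method' => 'POST', 'path' => '/order.php',     'form' => 'order', 'fields' => ['item' => 'book']],
    ['time' => $now, 'ip' => '203.0.113.11', 'method' => 'GET',  'path' => '/index.php',     'form' => null,    'fields' => ['page' => '../../dbconnect.php']],
    ['time' => $now, 'ip' => '203.0.113.12', 'method' => 'GET',  'path' => '/dbconnect.php', 'form' => null,    'fields' => []],
];

foreach ($requests as $req) {
    $reasons = suspicious_reasons($req, $known_files);
    if ($reasons !== []) {
        $line = log_line($req, $reasons);
        echo $line, "\n";                          // printed here for the demonstration;
        // error_log($line . "\n", 3, LOG_FILE);   // on the server, append to the log file instead
    }
}
if (distinct_ips_in_window($requests, $now) > DOS_LIMIT) {
    echo 'possible denial of service: more than ', DOS_LIMIT, ' distinct IPs in ', DOS_WINDOW, "s\n";
}
```

Running the script prints four log lines (the first request is clean) and no DoS warning, since five addresses are well under the threshold. Keeping the log outside the html directory matters for the same reason as dbconnect.php: a browser must not be able to fetch it.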
Task 3 Add a users table to your database. E.g.
    CREATE TABLE user (
        userid int not null auto_increment,
        primary key (userid),
        loginname varchar(20) not null,
        password varchar(20) not null,  -- store a password hash here, never the password itself (a hash needs more than 20 characters)
        firstnames varchar(50) not null,
        surname varchar(50)
    );
Populate your user table with a few logins using phpMyAdmin.
Task 4 Add a new field to the users table. Name this field adminuser, make the default 0 (zero) and make its datatype Boolean. Modify one of your users to put a 1 in the adminuser field. This user will have admin rights in your new dynamic application.
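The Task 3 user table and the Task 4 adminuser column used from PHP with prepared statements, which is the SQL injection defence the further-reading link covers. This is an added example, not code from the original slides or the assignment: it uses SQLite in memory (with the SQLite spelling of auto_increment) so it runs offline without the hosting site, the password column is widened to hold a password_hash() result, and the sample users are constructed.

```php
<?php
// Added example (not from the original slides): Task 3/4 schema driven through
// PDO prepared statements. SQLite in memory stands in for MySQL; only the DSN and
// the AUTOINCREMENT spelling differ from the hosting site.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Task 3 schema. The password column holds a password_hash() result, so it is
// wider than the 20 characters on the slide.
$db->exec('CREATE TABLE user (
    userid     INTEGER PRIMARY KEY AUTOINCREMENT,
    loginname  VARCHAR(20)  NOT NULL UNIQUE,
    password   VARCHAR(255) NOT NULL,
    firstnames VARCHAR(50)  NOT NULL,
    surname    VARCHAR(50)
)');
// Task 4: the admin flag, Boolean, default 0.
$db->exec('ALTER TABLE user ADD COLUMN adminuser BOOLEAN NOT NULL DEFAULT 0');

/** Insert a user; values travel as bound parameters, never pasted into the SQL text. */
function add_user(PDO $db, string $login, string $password, string $first, ?string $surname, bool $admin = false): void
{
    $stmt = $db->prepare('INSERT INTO user (loginname, password, firstnames, surname, adminuser)
                          VALUES (:login, :hash, :first, :surname, :admin)');
    $stmt->execute([
        ':login'   => $login,
        ':hash'    => password_hash($password, PASSWORD_DEFAULT),
        ':first'   => $first,
        ':surname' => $surname,
        ':admin'   => $admin ? 1 : 0,
    ]);
}

/**
 * Check a login and report whether the user has admin rights.
 * Returns null on failure, otherwise ['userid' => int, 'adminuser' => bool].
 */
function check_login(PDO $db, string $login, string $password): ?array
{
    $stmt = $db->prepare('SELECT userid, password, adminuser FROM user WHERE loginname = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return ['userid' => (int) $row['userid'], 'adminuser' => (bool) $row['adminuser']];
}

// Constructed users: one ordinary account and one with adminuser = 1.
add_user($db, 'jsmith', 'a long user passphrase',  'John', 'Smith');
add_user($db, 'admin',  'a long admin passphrase', 'Site', 'Owner', true);

var_dump(check_login($db, 'jsmith', 'a long user passphrase'));  // userid 1, adminuser false
var_dump(check_login($db, 'admin',  'a long admin passphrase')); // userid 2, adminuser true
// A quote-laden login name is just an unknown name when it is bound as a
// parameter: the query returns no row rather than being rewritten by the input.
var_dump(check_login($db, "' OR '1'='1", 'anything'));           // NULL
```

On the MySQL hosting site keep the slide's int not null auto_increment for userid, but give the password column room for a hash (bcrypt output is 60 characters) rather than storing what the user typed. The adminuser value read back from the database is what the application should consult before showing any admin page.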
Finally You can now do Assignment 1.
What have we learnt today? Over to you?