HW03: Sanitize, Validate, Secure due Tue 06 Feb 13:20
Allowed and Disallowed Resources
In completing this assignment you MAY use/access the following resources:- The JavaScript Command Sheets handed out in Web 1 (and also available here: https://josephus.hsutx.edu/classes/all/javascriptcommandsheets/.
- Examples and sample code found here: https://josephus.hsutx.edu/classes/w2/source/.
- The VSCode editor with appropriate syntax highlighting and formatting plugins. You may not use any plugins that generate code, however.
- Video instructions provided in Canvas as part of this course. You MAY NOT USE any other video resources.
- The course notes that accompany the video instructions which can be found here: https://docs.google.com/presentation/d/113px2eo6b2rltW0cKty7782GpEFIYA4WyFlhE6ye5G4/edit?pli=1#slide=id.p
- The official JavaScript Documentation found here: https://developer.mozilla.org/en-US/docs/Web/JavaScript.
- The official PHP Documentation found here: https://www.php.net/docs.php
- The official jQuery Documentation found here: https://api.jquery.com/
- Any handouts provided by the instructor as part of this course.
- Your own course notes
- Your instructor
- Discussions about the assignment with other students as long as you never look at the code produced by another student and you never receive instructions about solving the homework. That is, discussions need to be about concepts and understanding the technologies and not about how to solve the particular problem posed in this assignment.
You may NOT use/access:
- Resources not expressly listed above, including, but not limited to, the following ...
- Source code not provided as part of this assignment. (Obviously, this includes, but is not limited to, source code written by other students whether current or in the past).
- Code-generating tools (of which ChatGPT is one example).
- Any web sites not directly linked to from the homework assignment.
Failure to abide by these guidelines will result in a zero for the assignment and the incident will be reported to the university provost as a violation of the university academic integrity policy. A second incident of academic dishonesty (whether from this course or another computer science course) will result in an F in the course.
Details
Begin by creating an error.php that we can use to handle errors. Have the page accept a query parameter named error that holds an error code. On the error page you can look at the code to determine the appropriate message. If a database connection attempt fails, redirect to this page and pass an error code ofdb_connect. The error page should translate the code into a meaningful
message.
You will add a “Book Detail” page that will display the title, price, and condition of a book along with an update button and a delete button. The two buttons will not be functional for this assignment. To accomplish this you will make each book title on the home page a link that passes the book's database id number as a query parameter in the URL. The “Book Detail” page will extract the book id and look it up. If no matching book is found it should display an appropriate error message. If the book id is missing from the URL or the id is not valid you should redirect to error.php with an appropriate code / error message.
Also, the application as it sits now allows anything to be entered in the form and will attempt to save it to the database. We will address this by adding server-side santization, validation, and security fixes. Also, you will You need to modify your handling of form data as follows:
- Always strip leading and trailing whitespace from every form element (including checkboxes and select elements).
- Numeric data should be checked that it is numeric and in the proper range.
- Condition should be a 1-digit integer in the range 1 to 4.
- Price should be numeric in the range 0.01 to 999.99. A value of 12 or 12.2 should be accepted from the form, but should be written to the database as 12.00 or 12.20, respectively. If more than 2 decimal places are given it should be rounded to the nearest penny.
- Title should contain at least 1 character.
- If any of the data is not valid then display a helpful error message under the offending element.
- When storing values you should properly handle SQL injection concerns where applicable.
- When displaying values you should properly handle XSS concerns where applicable.
- All queries that contain data from the user should utilized the
pg_query_paramscommand (instead ofpg_query).
Some Suggestions
- To remove trailing/leading whitespace look at:
trim() - Look at the function
is_numeric()to see if a string (form data is always a string) is numeric (might have sign/decimal place, but is a number) - To see if a value is an integer you probably want
ctype_digit() - Look at
number_format()to get a number to have exactly 2 decimal places.