In completing this assignment you MAY use/access the following resources:
You may NOT use/access:
- Resources not expressly listed above, including, but not limited to,
the following ...
- Source code not provided as part of this assignment. (Obviously, this
includes, but is not limited to, source code written by other students
whether current or in the past).
- Code-generating tools (of which ChatGPT is one example).
- Any web sites not directly linked to from the homework assignment.
Failure to abide by these guidelines will result in a zero for the assignment
and the incident will be reported to the university provost as a violation of
the university academic integrity policy. A second incident of academic
dishonesty (whether from this course or another computer science course) will
result in an F in the course.
Begin by creating an error.php that we can use to handle errors. Have the
page accept a query parameter named error that holds an error code. On the error
page you can look at the code to determine the appropriate message. If a database
connection attempt fails, redirect to this page and pass an error code of
db_connect. The error page should translate the code into a meaningful
message.
You will add a “Book Detail” page that will display the title, price, and
condition of a book along with an update button and a delete button. The two
buttons will not be functional for this assignment. To accomplish this you will
make each book title on the home page a link that passes the book's database id
number as a query parameter in the URL. The “Book Detail” page will extract
the book id and look it up. If no matching book is found it should display
an appropriate error message. If the book id is missing from the URL or
the id is not valid you should redirect to error.php with an appropriate
code / error message.
Also, the application as it sits now allows anything to be entered in the form
and will attempt to save it to the database. We will address this by adding
server-side sanitization, validation, and security fixes. You will also need
to modify your handling of form data as follows:
- Always strip leading and trailing whitespace from every form element
(including checkboxes and select elements).
- Numeric data should be checked that it is numeric and in the proper
range.
- Condition should be a 1-digit integer in the range 1 to 4.
- Price should be numeric in the range 0.01 to 999.99. A value of
12 or 12.2 should be accepted from the form, but should be written
to the database as 12.00 or 12.20, respectively. If more than 2
decimal places are given it should be rounded to the nearest penny.
- Title should contain at least 1 character.
- If any of the data is not valid then display a helpful error message
under the offending element.
- When storing values you should properly handle SQL injection
concerns where applicable.
- When displaying values you should properly handle XSS concerns where
applicable.
- All queries that contain data from the user should use the
pg_query_params command (instead of pg_query).
- To remove trailing/leading whitespace look at: trim()
- Look at the function is_numeric() to see if a string (form data is always
a string) is numeric (might have a sign or decimal place, but is a number).
- To see if a value is an integer you probably want ctype_digit().
- Look at number_format() to get a number to have exactly 2 decimal places.
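The following is an added example, not the assignment's starter code, showing how the validation rules above fit together with a parameterized insert and escaped output. It assumes scalar form fields named title, price and condition, a books table with columns of the same names, and an open connection in $db.

```php
<?php
// Added example (not assignment code): server-side validation for the book
// form, a pg_query_params insert, and htmlspecialchars on output.
// Assumes: $_POST fields title/price/condition are scalars; table
// books(title, price, condition); $db holds a pg_connect() resource.

function validate_book(array $form): array {
    // Trim every submitted element, checkboxes and selects included.
    $clean  = array_map('trim', $form);
    $errors = [];

    if (!isset($clean['title']) || strlen($clean['title']) < 1) {
        $errors['title'] = 'Title must contain at least one character.';
    }

    // Condition: a single digit 1-4. ctype_digit rejects "", "-1" and "1.0".
    $cond = $clean['condition'] ?? '';
    if (strlen($cond) !== 1 || !ctype_digit($cond) || (int)$cond < 1 || (int)$cond > 4) {
        $errors['condition'] = 'Condition must be a whole number from 1 to 4.';
    }

    // Price: numeric string in 0.01..999.99, stored with exactly two decimals.
    $price = $clean['price'] ?? '';
    if (!is_numeric($price) || $price < 0.01 || $price > 999.99) {
        $errors['price'] = 'Price must be a number between 0.01 and 999.99.';
    } else {
        // number_format rounds to the nearest penny:
        // "12" -> "12.00", "12.2" -> "12.20", "3.456" -> "3.46"
        $clean['price'] = number_format((float)$price, 2, '.', '');
    }
    return [$clean, $errors];
}

[$book, $errors] = validate_book($_POST);
if ($errors) {
    foreach ($errors as $field => $msg) {
        // Escape before echoing so nothing from the request is rendered as markup (XSS).
        echo '<p class="error" data-field="' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8')
           . '">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
    }
} else {
    // Values travel separately from the SQL text, so they can never alter the query.
    $result = pg_query_params(
        $db,
        'INSERT INTO books (title, price, condition) VALUES ($1, $2, $3)',
        [$book['title'], $book['price'], $book['condition']]
    );
    // $result === false means the insert failed; handle it as the assignment directs.
}
```

The same ctype_digit() check applies to the book id taken from the query string on the "Book Detail" page before it is passed to pg_query_params for the lookup.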