HW04: LD: CSRF, Update, Delete due Tue 13 Feb 13:20
Allowed and Disallowed Resources
In completing this assignment you MAY use/access the following resources:- The JavaScript Command Sheets handed out in Web 1 (and also available here: https://josephus.hsutx.edu/classes/all/javascriptcommandsheets/.
- Examples and sample code found here: https://josephus.hsutx.edu/classes/w2/source/.
- The VSCode editor with appropriate syntax highlighting and formatting plugins. You may not use any plugins that generate code, however.
- Video instructions provided in Canvas as part of this course. You MAY NOT USE any other video resources.
- The course notes that accompany the video instructions which can be found here: https://docs.google.com/presentation/d/113px2eo6b2rltW0cKty7782GpEFIYA4WyFlhE6ye5G4/edit?pli=1#slide=id.p
- The official JavaScript Documentation found here: https://developer.mozilla.org/en-US/docs/Web/JavaScript.
- The official PHP Documentation found here: https://www.php.net/docs.php
- The official jQuery Documentation found here: https://api.jquery.com/
- Any handouts provided by the instructor as part of this course.
- Your own course notes
- Your instructor
- Discussions about the assignment with other students as long as you never look at the code produced by another student and you never receive instructions about solving the homework. That is, discussions need to be about concepts and understanding the technologies and not about how to solve the particular problem posed in this assignment.
You may NOT use/access:
- Resources not expressly listed above, including, but not limited to, the following ...
- Source code not provided as part of this assignment. (Obviously, this includes, but is not limited to, source code written by other students whether current or in the past).
- Code-generating tools (of which ChatGPT is one example).
- Any web sites not directly linked to from the homework assignment.
Failure to abide by these guidelines will result in a zero for the assignment and the incident will be reported to the university provost as a violation of the university academic integrity policy. A second incident of academic dishonesty (whether from this course or another computer science course) will result in an F in the course.
Details
At the end of this assignment your book selling application should have the following functionality:- delete-book.php
- This page will be called if the user clicks the delete button on a book detail page. This page will not display anything. Instead it will accept a book id as a parameter and will attempt to delete the specified book. After successful completion you should redirect to the home page. You should include code to send the following error conditions to error.php: (a) cannot connect to database, (b) query parameter not sent or not valid, (c) delete command fails.
- modifying a book
- This action is trigged if the user clicks the update button on a book detail page. You will simply link to the add-book.php page and pass the book's id as a query parameter. Most of the code in add-book.php will work for the modify action. In places where you need unique behavior your can use the existence of a query parameter to determine whether an add or modify was requested.
- adding CSRF protection
- Remember that CSRF attacks only apply to write actions. Depending on how you approach some things you may need to convert links to forms with post actions in order to provide the CSRF token to the page that will do the saving. In my case delete-book.php needed the token passed in the post array so I made that link a form action. Since add-page.php had its own form I handled the CSRF token in the form on that page.
Needed Queries
DELETE FROM yourschema.books WHERE book_id=12To delete the book whose id is 12.
UPDATE sergeant.books SET title='Greetings', condition=4, price='9.99' WHERE book_id=12To update the book whose id is 12 to have the specified title, condition, and price.