In completing this assignment you MAY use/access the following resources:
You may NOT use/access:
- Resources not expressly listed above, including, but not limited to,
the following ...
- Source code not provided as part of this assignment. (Obviously, this
includes, but is not limited to, source code written by other students
whether current or in the past).
- Code-generating tools (of which ChatGPT is one example).
- Any web sites not directly linked to from the homework assignment.
Failure to abide by these guidelines will result in a zero for the assignment
and the incident will be reported to the university provost as a violation of
the university academic integrity policy. A second incident of academic
dishonesty (whether from this course or another computer science course) will
result in an F in the course.
Here are some actions to take:
- In the web2db database you'll need to add a new table to your
schema as follows:
CREATE TABLE book_users (
user_id SERIAL,
email VARCHAR(1000) NOT NULL,
name VARCHAR(1000) NOT NULL,
password VARCHAR(1000) NOT NULL,
PRIMARY KEY (user_id)
);
- Create a login form in login.php. This page should have a self posting form
that accepts email and password. The page should also include a link that invites
a user without an account to sign up.
- Create a signup page (signup.php) with these fields: email, name, password,
and confirm password. The form should be self posting and should trim
all user input and verify that the email has a valid format, the
name exists, the password has at least 10 characters, and the two password
fields match. If all those checks pass then the password should be
hashed and the new account created. Then the user should be sent back to
the login form. Be sure to address SQL injection issues. (In the future
when outputting the name we'll need to filter for XSS). Why aren't we
concerned about CSRF? NOTE: We won't worry about requiring the email address
to be unique.
A query to create a new account:
INSERT INTO yourschema.book_users (email, name, password)
VALUES ('fun@fun.com', 'Fred', 'hashedpassword')
- Once the signup page is working create a couple of accounts and then go to
your database and modify the created_by field in the books table
to match one or more of the user ids of the new accounts. This can be done
through the web interface.
- Provide an action for the login form that verifies that the email exists in the
database and the password matches the stored password. If all is good then store
the user's id in the session. IMPORTANT: By default PHP does not encrypt its
session data (yikes). We'll deal with that issue when we start using a framework.
If login fails give a proper error message and re-present the form.
A query to pull info from the book_users
table by email:
SELECT user_id, email, name, password FROM yourschema.book_users WHERE email='fun@fun.com'
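An added example (not part of the assignment's provided code) covering the signup step and the login step above: PDO prepared statements keep the submitted values out of the SQL text, and password_hash()/password_verify() mean only a hash is ever stored or compared. The $pdo connection, the schema name yourschema, the form field name "confirm" and the function names are assumptions.

```php
<?php
// Added example; assumes an existing PDO connection $pdo and the assignment's schema 'yourschema'.

// Trim and validate the signup form. Returns a list of error messages (empty means OK).
function validate_signup(array $post): array {
    $email   = trim($post['email'] ?? '');
    $name    = trim($post['name'] ?? '');
    $pass    = trim($post['password'] ?? '');   // assignment asks for all input to be trimmed
    $confirm = trim($post['confirm'] ?? '');    // field name 'confirm' is an assumption
    $errors = [];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    if ($name === '') {
        $errors[] = 'Name is required.';
    }
    if (strlen($pass) < 10) {                   // byte length; fine for a minimum-length rule
        $errors[] = 'Password must be at least 10 characters.';
    }
    if ($pass !== $confirm) {
        $errors[] = 'Passwords do not match.';
    }
    return $errors;
}

// Create the account. Only the hash is stored, and the named placeholders keep quotes
// inside a name or email from changing the shape of the query (no string concatenation).
function create_user(PDO $pdo, string $email, string $name, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO yourschema.book_users (email, name, password) VALUES (:email, :name, :password)'
    );
    $stmt->execute([':email' => $email, ':name' => $name, ':password' => $hash]);
}

// Look the user up by email and check the submitted password against the stored hash.
// Returns the user_id on success, or null for both "no such email" and "wrong password".
function authenticate(PDO $pdo, string $email, string $password): ?int {
    $stmt = $pdo->prepare(
        'SELECT user_id, password FROM yourschema.book_users WHERE email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['user_id'];
}
```

On success login.php calls session_start() and stores the returned id in $_SESSION['user_id']; on failure it shows one generic message and redisplays the form, so the response does not reveal whether the email or the password was wrong.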
- Provide a logout action in logout.php. After logging out simply return
to the home page. If a user is logged in then the login button should be
replaced with a logout button.
- Protect pages/actions as follows:
- Any visitor who is not logged in should be allowed to
visit the home page. They should not, however, be allowed to add a
book, or to view page detail, or to execute any of the actions
launchable from those pages. This enforcement should include
modification of the interface to remove buttons as well as logic in
the actions themselves to check for and prevent such actions. It is
highly recommended that you make the changes to the interface last
so you can more easily verify the rules are being enforced.
- Any logged in user should be allowed to view books on the home
screen, view book details, and add new books. When a user adds
a new book be sure to modify the insert query to include the
created_by field and set it to that user's id.
- A logged in user cannot modify or delete a book that
doesn't belong to them. This, of course, needs to be enforced
in the code and in the interface.
- The book detail page should now include the owner's email address. To
obtain this you'll need to modify the query that pulls book information
to look like this:
SELECT book_id,title,condition,price,email FROM sergeant.books INNER JOIN
sergeant.book_users ON (books.created_by=book_users.user_id) WHERE book_id=12