Define and execute SQLs to log the transaction to T

Assignment Help Computer Engineering
Reference no: EM131465901

Pseudo-code for A2 - Session-based version of Assignment

See A2-diagram.pptx for a click-animated diagram showing the relation between the different scripts below. Under 302-videos refer to video P05C for a discussion of session-variables-protected-access-redirects-02. The P02.4H video has a discussion of the HTTP headers exchanged.

During initial development: use simple stubs for scripts, especially to verify the redirect behaviors work as intended.

Section I - Login Gatekeeper - session-based

Login.html - Form with fields for name and password and radio button choice as "admin" or "user"

Login.php

0. Run the session_start command.  (This could be done later but it is simpler to do it here due to certain subtleties related to sending output to the browser.)

1. Get form data and use get_type (modified) to sanitize it.

The get_type function in Login.php for the Login.html form data is simpler than the similar function for the A1 form in Assignment01 because there are fewer elements to check.  (Eventually I will describe that the new get_case should use mysql_real_escape_string to make the input safe, which entails applying that function to all the form inputs.)

If it's the admin choice, call the new version of the admin function (which redirects to Login.html if bad.)

If it's a customer choice, call the new version of the user function (which redirects to Login.html if bad.)

Thus if a credentials test fails, redirect to Login.html using the PHP header function with a brief delay (at most 2 seconds!) for visual/pedagogical effect, print an explanatory comment (which will appear briefly because of the delay in the redirect) and exit the script.

2. You only get this far if the request was valid.

3. Define the session variables to protect access to the restricted scripts.

Set $_SESSION["logged_in"] to true if the credentials were valid in both cases.

Set $_SESSION["state"] to "admin" or "user" depending on the radio choice in Login.html

4. Redirect to either admin.php or user.php (these are not the admin & user functions; they are separate scripts) but include a delay and a print explanation:

If form choice was admin then the redirect header is to admin.php; exit the current Login.php script.

If form choice was user then redirect to the user.php script with a brief delay/print explanation and exit this script.
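The Login.php gatekeeper described in steps 0-4, written out as an added example; this is not the assignment's own code. It assumes an Accounts table with name, password_hash, role and current_balance columns, a mysqli connection, and form field names name, password and type; all of these are assumptions. A prepared statement and password_verify are used in place of mysql_real_escape_string (which was removed from PHP 7), and the session id is regenerated at login so that a session id planted in the browser before login cannot be reused afterwards.

```php
<?php
// Login.php - added example (not the assignment's own code). Assumes a table
// Accounts(name, password_hash, role, current_balance) and a mysqli handle;
// the column names and connection details are assumptions.
session_start();   // step 0: before any output is sent

// Redirect helper: 2-second delayed refresh redirect, brief message, then exit.
function redirect_with_message(string $target, string $message): void {
    header("Refresh: 2; url=$target");
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    exit;
}

// get_type: pull the three login fields out of $_POST and trim them.
// Returns null if anything is missing or the radio value is not one of the two allowed.
function get_type(array $post): ?array {
    $name = trim($post['name'] ?? '');
    $password = $post['password'] ?? '';
    $type = $post['type'] ?? '';
    if ($name === '' || $password === '' || !in_array($type, ['admin', 'user'], true)) {
        return null;
    }
    return ['name' => $name, 'password' => $password, 'type' => $type];
}

// Credential check. The prepared statement keeps the name out of the SQL text,
// and password_verify compares the submitted password against the stored hash.
function check_credentials(mysqli $db, string $name, string $password, string $role): ?array {
    $stmt = $db->prepare('SELECT password_hash, current_balance FROM Accounts WHERE name = ? AND role = ?');
    $stmt->bind_param('ss', $name, $role);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'bank');   // assumed connection details

$form = get_type($_POST);                                    // step 1
if ($form === null) {
    redirect_with_message('Login.html', 'Missing or invalid form data; returning to login.');
}
$account = check_credentials($db, $form['name'], $form['password'], $form['type']);
if ($account === null) {
    redirect_with_message('Login.html', 'Invalid credentials; returning to login.');
}

// Step 2/3: only reached with valid credentials. A fresh session id prevents a
// pre-login session id from being reused; then set the variables the protected scripts test.
session_regenerate_id(true);
$_SESSION['logged_in'] = true;
$_SESSION['state'] = $form['type'];
$_SESSION['name'] = $form['name'];

// Step 4: hand off to the script for the chosen role.
if ($form['type'] === 'user') {
    $_SESSION['current_balance'] = (float) $account['current_balance'];
    redirect_with_message('user.php', 'Login OK; continuing to the customer form.');
}
redirect_with_message('admin.php', 'Login OK; continuing to the admin page.');
```

The Refresh header is what produces the visible delay: the browser renders the echoed message, then loads the target after two seconds. Because redirect_with_message calls exit, nothing after a failed check is ever executed, which is the property the stub scripts should verify first.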

Section II - Admin Handler Script

admin.php

1. The admin.php script checks $_SESSION ["logged_in"]  and $_SESSION["state"] for "admin" to see if the request to run the script is authorized.

2. If the request is not authorized, then redirect with message and delay to Login.html and exit.

3. If request is authorized, then continue script and use get_A and get_T for admin to display DB tables.

Section III A - The Script that presents the Customer deposit/withdraw Form

user.php

1. The user.php script checks $_SESSION ["logged_in"]  and $_SESSION["state"] for "user" to see if the request to run the script is authorized.

2. If the page request is not authorized, then redirect with message and delay to Login.html and exit.

3. Note that the Form in this page (after some initial PHP code) is not even reached or displayed in browser if the above exit at (2) occurs.

If the page request is authorized, then:

1. Greet the user by name.

2. Display the user's current_balance from $_SESSION["current_balance"].

3. After/outside the PHP section of the page define a form with:

a. Input field for amount of transaction

b. radio buttons with 'D' or 'W' choice for transaction

c. action = "transact.php" for the session script that handles the transaction

d. checkbox to receive a mail copy of the results
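The user.php page from Sections II and III A, as an added example that is not the assignment's own code: the session test at the top, the redirect-and-exit on failure, and the deposit/withdraw form that is only ever sent when the test passes. The guard function would normally live in the shared functions file; it is inlined here so the script runs on its own. It assumes $_SESSION["name"] was stored by Login.php, which the assignment does not specify.

```php
<?php
// user.php - added example, not the assignment's own code.
session_start();

// Gatekeeper: every protected script calls this first. The request is rejected
// unless Login.php marked the session logged_in AND its state matches the role
// this script serves. On failure: 2-second delayed redirect, short message, exit.
function require_role(string $role): void {
    $ok = ($_SESSION['logged_in'] ?? false) === true
       && ($_SESSION['state'] ?? '') === $role;
    if (!$ok) {
        header('Refresh: 2; url=Login.html');
        echo 'Not authorized for this page; returning to login.';
        exit;   // nothing below this line, including the HTML form, is ever sent
    }
}

require_role('user');   // admin.php would call require_role('admin') instead

// Values echoed into HTML are escaped; $_SESSION['name'] is an assumption (set at login).
$name = htmlspecialchars($_SESSION['name'] ?? '', ENT_QUOTES, 'UTF-8');
$balance = number_format((float) ($_SESSION['current_balance'] ?? 0), 2);
?>
<!DOCTYPE html>
<html>
<body>
<p>Welcome, <?= $name ?>. Your current balance is <?= $balance ?>.</p>
<form action="transact.php" method="post">
  <label>Amount: <input type="number" name="amount" min="0.01" step="0.01" required></label><br>
  <label><input type="radio" name="choice" value="D" required> Deposit</label>
  <label><input type="radio" name="choice" value="W"> Withdraw</label><br>
  <label><input type="checkbox" name="mailcopy" value="1"> Email me a copy of the result</label><br>
  <button type="submit">Submit</button>
</form>
</body>
</html>
```

Both session variables are tested with strict comparison and a default, so a session that was never through Login.php (no logged_in key at all) fails the same way as one with the wrong state; the administrator's session has state "admin" and is therefore also turned away from this page.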

Section III B - The Script that handles the customer deposit/withdraw form - transact.php

As usual the transact.php script checks $_SESSION["logged_in"] and $_SESSION["state"] to prevent unauthorized access to the script (this also excludes the administrator). If authorization fails, proceed as for the admin script and redirect. If authorization succeeds, the script continues with an IF-ELSE processing section, which is followed by a few HTML hyperlinks (these come after the initial "<?php ... ?>" section). Get the choice and amount data from the form and use mysql_real_escape_string for SQL injection protection.

If choice is 'W' and amount > current_balance then print warning message

Else do the following (1-3):

1. If choice is 'D' then

a. Define/execute SQLs to log the transaction to T and update the A table's current_balance.

b. Increment $_SESSION["current_balance"] by amount.

c. Display/print in the browser the unique updated A row and the new T row using get_A and get_T.

2. If choice is 'W' then

a. Define/execute SQLs to log the transaction to the T table and update the A table's current_balance.

b. Decrement $_SESSION["current_balance"]  by amount.

c. Print the unique updated A row and the new T row to the browser, etc. as in (1c) above.

3. As usual use get_A and get_T to capture the results for a possible mail message, based on the form's checkbox. Send mail if the box is checked.

AFTER the transact.php page's <?php ?>section above:

1. Define a hyperlink in the HTML section of the page which the user can click to go back to the user.php script. The session will then still continue and user.php will present a new form.

2. Optionally, for the bonus question below you can define another hyperlink to an additional session script that completely logs out the session. You have to research for yourself how the logout script works.
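The transact.php handler of Section III B as an added example, not the assignment's own code; it also covers the mysqli prepared-statement challenge listed further down. It assumes tables A(name, current_balance) and T(name, choice, amount, ts), the session variables set by Login.php (including an assumed $_SESSION["name"]), and the form field names from the user.php form; the get_A/get_T helpers from the assignment are not reproduced, so a one-line summary is printed instead. Prepared statements replace mysql_real_escape_string. The balance check is made against the A row itself, locked inside a database transaction, rather than against the copy cached in $_SESSION, so that two overlapping withdrawals cannot both pass the check; $_SESSION["current_balance"] is refreshed from the committed value.

```php
<?php
// transact.php - added example, not the assignment's own code. Table and column
// names, session key 'name' and the connection details are assumptions.
session_start();

// Same session guard as user.php: anonymous requests and the administrator are rejected.
if (($_SESSION['logged_in'] ?? false) !== true || ($_SESSION['state'] ?? '') !== 'user') {
    header('Refresh: 2; url=Login.html');
    echo 'Not authorized; returning to login.';
    exit;
}

// Validate the form: choice must be exactly 'D' or 'W', amount a positive number.
function parse_transaction(array $post): ?array {
    $choice = $post['choice'] ?? '';
    $amount = filter_var($post['amount'] ?? '', FILTER_VALIDATE_FLOAT);
    if (!in_array($choice, ['D', 'W'], true) || $amount === false || $amount <= 0) {
        return null;
    }
    return ['choice' => $choice, 'amount' => round($amount, 2)];
}

// Log the transaction to T and update A's balance as one unit: either both rows
// change or neither does. The balance is read FOR UPDATE so the overdraft check is
// made on the locked row. Returns the new balance, or null if funds are insufficient.
function apply_transaction(mysqli $db, string $name, string $choice, float $amount): ?float {
    $db->begin_transaction();
    $stmt = $db->prepare('SELECT current_balance FROM A WHERE name = ? FOR UPDATE');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) { $db->rollback(); return null; }

    $delta = ($choice === 'D') ? $amount : -$amount;
    $new = (float) $row['current_balance'] + $delta;
    if ($new < 0) { $db->rollback(); return null; }       // W with amount > current_balance

    $stmt = $db->prepare('INSERT INTO T (name, choice, amount, ts) VALUES (?, ?, ?, NOW())');
    $stmt->bind_param('ssd', $name, $choice, $amount);
    $stmt->execute();
    $stmt->close();

    $stmt = $db->prepare('UPDATE A SET current_balance = ? WHERE name = ?');
    $stmt->bind_param('ds', $new, $name);
    $stmt->execute();
    $stmt->close();

    $db->commit();
    return $new;
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'bank');   // assumed connection details
$name = $_SESSION['name'];                                   // assumed to be set by Login.php

$tx = parse_transaction($_POST);
if ($tx === null) {
    echo 'Invalid transaction request.';
} else {
    $new = apply_transaction($db, $name, $tx['choice'], $tx['amount']);
    if ($new === null) {
        echo 'Warning: withdrawal exceeds your current balance; no change made.';
    } else {
        $_SESSION['current_balance'] = $new;   // keep the cached balance in step with A
        $summary = "Transaction {$tx['choice']} of {$tx['amount']} recorded; new balance $new";
        echo htmlspecialchars($summary, ENT_QUOTES, 'UTF-8');
        if (!empty($_POST['mailcopy'])) {
            // get_A/get_T would build the mail body here; the address is an assumption.
            mail($_SESSION['email'] ?? 'customer@example.com', 'Transaction receipt', $summary);
        }
    }
}
?>
<p><a href="user.php">Back to the transaction form</a> | <a href="logout.php">Log out</a></p>
```

Because the choice and amount are bound as parameters, the SQL text the server parses is fixed at prepare time and form input can only ever be data, which is the "distorted parse tree" point made in the challenges; the explicit in_array and FILTER_VALIDATE_FLOAT checks are what make the values meaningful to the application, which binding alone does not do.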

Other Required Features - use hashed customer passwords in Accounts and the mysql_real_escape_string function to protect against SQL injection.

CHALLENGES and Supplemental problems -

Use an external JS library, including the <script> element with a src attribute to refer to the JS library file. JavaScript .js library files facilitate shared code. Do this for a simplified version of your original JS function from Assignment01 which checks the fields of the login.html form for non-empty trimmed data and that some radio button is selected.

Style sheets uniformize a web site's look. Use an external CSS style sheet to contain your own style rules, referenced by an HTML link tag with its href attribute set to refer to the CSS stylesheet file. Use HTML labels and styles to indent the input fields in a uniform way by placing the description text for the field inside a label. Make the text boxes vertically aligned by giving the labels a fixed width using CSS rules.

Use a pre-existing professional stylesheet like bootstrap to control form and output layouts.

Use mysqli prepared statements for inserts and/or updates. These are secure against SQL injection and can have faster performance if a script executes similar SQL statements repeatedly. Prepared statements prevent the kind of distorted SQL parse trees that occur with SQL injection.

Use PHP Data Objects (PDO) to interface with the database. (The advantage of PDO syntax is that it is DB portable and works across MySQL, Oracle, etc.)

Logout script: allow the customer to click another link on the transact.php page that leads to a script that logs the browser out from the session.  The hyperlink should link to another PHP script in the session which terminates the session and eliminates the associated session cookie in the browser.  Include snapshots of session cookie exchanges in Chrome developer tools to trace the PHPSESSID cookie's exchanges and the session's final termination based on a logout request.
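A logout script for the bonus question, as an added example that is not the assignment's own code. It clears the session variables, expires the PHPSESSID cookie in the browser using the same path/domain parameters the session was issued with, and then destroys the server-side session before redirecting to Login.html; no names beyond PHP's own session functions are assumed.

```php
<?php
// logout.php - added example, not the assignment's own code.
session_start();   // the session must be resumed before it can be destroyed

// End the session on both sides: server-side data and the browser's cookie.
function end_session(): void {
    $_SESSION = [];                            // drop the session variables in this request
    if (ini_get('session.use_cookies')) {      // expire the cookie so the browser stops sending the id
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                         // delete the server-side session data
}

end_session();
header('Refresh: 2; url=Login.html');
echo 'You have been logged out.';
```

In Chrome developer tools the logout response carries a Set-Cookie header for PHPSESSID with an expiry in the past, and the following request for Login.html no longer sends the cookie; that pair of exchanges is what the snapshots should capture. Clearing $_SESSION alone is not enough: without session_destroy the data stays on the server, and without the expired cookie the browser keeps presenting an id that session_start would otherwise revive as an empty session.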

Attachment: Assignment File.rar


Reviews

len1465901

4/18/2017 1:34:36 AM

Of course the common code in 1, 2 a, b, and c above is 'factorable' into a call to a slightly modified version of the update function used in Assignment01. One modification is that now the update function must also update $_SESSION["current_balance"]. Recall that the original update function defined for Assignment. Note that the functions definitions file does not need session-protected access since the code is included in protected scripts. If it is done the session tests would then be included twice in the various scripts unless you restructure things.
