Web Page Design- Content Analysis

profilewostinabin2
Week6-Lectureslides-20200617.zip
Home>Information Systems homework help>Web Page Design- Content Analysis

Chapter E6 Week6.pptx

WPDD202: Webpage Design & Development

Version 2 – 18th December 2015

Kent Institute Australia Pty. Ltd.

ABN 49 003 577 302 CRICOS Code: 00161E RTO Code: 90458 TEQSA Provider Number: PRV12051

1

Chapter 6E

Interface design, security

What Is a User Interface?

The user interface (UI) is everything designed into an information device with which a person may interact. This can include display screens, keyboards, a mouse and the appearance of a desktop. It is also the way through which a user interacts with an application or a website.

What Is a Web Interface?

A user interface that is implemented in the form of a Web page and can be navigated using a standard Web browser. 

The user interface

Web browsers have become the de-facto standard user interface to databases

Enable large numbers of users to access databases from anywhere

Avoid the need for downloading/installing specialized code, while providing a good graphical user interface

JavaScript, Flash and other scripting languages run in browser, but are downloaded transparently

Examples: banks, airline and rental car reservations, university course registration and grading, an so on.

The World Wide Web

The Web is a distributed information system based on hypertext.

Most Web documents are hypertext documents formatted via the HyperText Markup Language (HTML)

HTML documents contain

text along with font specifications, and other formatting instructions

hypertext links to other documents, which can be associated with regions of the text.

forms, enabling users to enter data which can then be sent back to the Web server

Uniform Resources Locators

In the Web, functionality of pointers is provided by Uniform Resource Locators (URLs).

URL example:

http://www.acm.org/sigmod

The first part indicates how the document is to be accessed

“http” indicates that the document is to be accessed using the Hyper Text Transfer Protocol.

The second part gives the unique name of a machine on the Internet.

The rest of the URL identifies the document within the machine.

The local identification can be:

The path name of a file on the machine, or

An identifier (path name) of a program, plus arguments to be passed to the program

E.g., http://www.google.com/search?q=silberschatz

HTML and HTTP

HTML provides formatting, hypertext link, and image display features

including tables, stylesheets (to alter default formatting), etc.

HTML also provides input features

Select from a set of options

Pop-up menus, radio buttons, check lists

Enter values

Text boxes

Filled in input sent back to the server, to be acted upon by an executable at the server

HyperText Transfer Protocol (HTTP) used for communication with the Web server

Sample HTML Source Text

<html>

<body>

<table border> <tr> <th>ID</th> <th>Name</th> <th>Department</th> </tr> <tr> <td>00128</td> <td>Zhang</td> <td>Comp. Sci.</td> </tr> ….

</table>

<form action="PersonQuery" method=get> Search for: <select name="persontype"> <option value="student" selected>Student </option> <option value="instructor"> Instructor </option> </select> <br> Name: <input type=text size=20 name="name"> <input type=submit value="submit">

</form>

</body> </html>

Display of Sample HTML Source

Web Servers

A Web server can easily serve as a front end to a variety of information services.

The document name in a URL may identify an executable program, that, when run, generates a HTML document.

When an HTTP server receives a request for such a document, it executes the program, and sends back the HTML document that is generated.

The Web client can pass extra arguments with the name of the document.

To install a new service on the Web, one simply needs to create and install an executable that provides that service.

The Web browser provides a graphical user interface to the information service.

Common Gateway Interface (CGI): a standard interface between web and application server

Server-Side Scripting

Server-side scripting simplifies the task of connecting a database to the Web

Define an HTML document with embedded executable code/SQL queries.

Input values from HTML forms can be used directly in the embedded code/SQL queries.

When the document is requested, the Web server executes the embedded code/SQL queries to generate the actual HTML document.

Numerous server-side scripting languages

JSP, PHP

General purpose scripting languages: VBScript, Perl, Python

Client Side Scripting

Browsers can fetch certain scripts (client-side scripts) or programs along with documents, and execute them in “safe mode” at the client site

Javascript

Macromedia Flash and Shockwave for animation/games

VRML

Applets

Client-side scripts/programs allow documents to be active

E.g., animation by executing programs at the local site

E.g., ensure that values entered by users satisfy some correctness checks

Permit flexible interaction with the user.

Executing programs at the client site speeds up interaction by avoiding many round trips to server

Client Side Scripting and Security

Security mechanisms needed to ensure that malicious scripts do not cause damage to the client machine

Easy for limited capability scripting languages, harder for general purpose programming languages like Java

E.g., Java’s security system ensures that the Java applet code does not make any system calls directly

Disallows dangerous actions such as file writes

Notifies the user about potentially dangerous actions, and allows the option to abort the program or to continue execution.

JavaScript

Javascript very widely used

forms basis of new generation of Web applications (called Web 2.0 applications) offering rich user interfaces

Javascript functions can

check input for validity

modify the displayed Web page, by altering the underling document object model (DOM) tree representation of the displayed HTML text

communicate with a Web server to fetch data and modify the current page using fetched data, without needing to reload/refresh the page

forms basis of AJAX technology used widely in Web 2.0 applications

E.g. on selecting a country in a drop-down menu, the list of states in that country is automatically populated in a linked drop-down menu

Interface design and Security: SQL Injection

SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS). Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.

Password Leakage

Never store passwords, such as database passwords, in clear text in scripts that may be accessible to users

E.g. in files in a directory accessible to a web server

Normally, web server will execute, but not provide source of script files such as file.jsp or file.php, but source of editor backup files such as file.jsp~, or .file.jsp.swp may be served

Restrict access to database server from IPs of machines running application servers

Most databases allow restriction of access by source IP address

Audit Trails

Applications must log actions to an audit trail, to detect who carried out an update, or accessed some sensitive data

Audit trails used after-the-fact to

detect security breaches

repair damage caused by security breach

trace who carried out the breach

Audit trails needed at

Database level, and at

Application level

kent.edu.au Kent Institute Australia Pty. Ltd. ABN 49 003 577 302 ● CRICOS Code: 00161E ● RTO Code: 90458 ● TEQSA Provider Number: PRV12051

20

20