The Website


A CSS three-column layout was implemented for the front page.

Displaying the Information

As all the content of the website was held in a database, a common series of commands was used to retrieve the information and display it in the appropriate place on the page. These commands are displayed below:

$result = mysql_query("SELECT top_right FROM text");
while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
    foreach ($line as $col_value) {
        echo "$col_value";
    }
}

The PHP function mysql_query was executed to retrieve the field 'top_right' from the 'text' table. A 'while' loop then cycled through the result set, fetching each row into an array. A 'foreach' loop then retrieved each item from the array and displayed it on the screen. This procedure was then embedded within the HTML, and CSS was used to format the text.


The Feedback Form

The only input within the website was the feedback form. Input was kept to a minimum from the beginning, because users do not like entering their information and any user input brings security issues with it.

The feedback form asked the users for their name, email and comments. The only validation performed was on the comments, so as to ensure that they did not send an empty form. If there were no comments in the feedback form, an error message appeared prompting them to do so. On submit, the name, email and feedback were sent to the feedback table in the database, where they could be viewed on the internal system.

Errors

Upon making an error, the user would be taken back to the page to change their account details. A flag variable was used to identify the error.

Security

There were two main concerns with regard to security. The first related to the internal system, where a user could possibly enter the address of a page within the system directly and avoid having to log in, which would enable them to damage the website. This was solved by including an if statement within each of the internal pages, saying:

if (isset($_SESSION['usr_session'])) {
    // page content
} else {
    require('login/error.php');
}

The isset function in PHP determines whether the session variable usr_session is set, i.e. whether the user has logged in. If the user has not logged in, they are sent to an error page telling them that they must do so.

The second security issue was SQL injection in PHP. This is a common way in which attackers can run their own queries on the database, because a character such as "`" can be used to terminate the intended statement and allow another query to be written. PHP addresses this problem with two functions: mysql_escape_string and addslashes. Both insert a backslash ("\") before certain potentially damaging symbols. The difference between them is that mysql_escape_string is specifically designed for MySQL queries, whereas addslashes is more generic. It was therefore decided that mysql_escape_string would be used to protect the database from SQL injection, and that the function stripslashes would be used to remove the slashes when displaying the text on the screen.
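A worked version of the two checks this section describes, added here as an example and not the project's own code: the feedback insert in the vulnerable interpolated form beside a prepared-statement form, the escaping step as it is done with the mysqli API, and the session gate. It assumes a mysqli connection $db, a table feedback(name, email, comments) (column names are an assumption) and the session key usr_session from the page.

```php
<?php
// Added example, not the project's code. Assumes a mysqli connection $db and
// a table feedback(name, email, comments); column names are assumed.
declare(strict_types=1);

// The insert as the page describes it, without any escaping: the submitted
// values are pasted into the SQL text, so a quote in $comments ends the
// string literal and the rest of the input is parsed as SQL.
function insertFeedbackUnsafe(mysqli $db, string $name, string $email, string $comments): bool
{
    $sql = "INSERT INTO feedback (name, email, comments) VALUES ('$name', '$email', '$comments')";
    return $db->query($sql) === true;
}

// Escaping a value into a quoted SQL literal, which is what the page's
// mysql_escape_string() did. The mysqli form takes the connection so the
// escaping matches the connection's character set.
function quoteForSql(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Hardened insert: a prepared statement sends the values separately from the
// query text, so they are never parsed as SQL. Nothing is escaped into the
// stored text, so no stripslashes() is needed when it is displayed later.
function insertFeedbackSafe(mysqli $db, string $name, string $email, string $comments): bool
{
    if (trim($comments) === '') {
        return false; // the page's only validation rule: comments must not be empty
    }
    $stmt = $db->prepare('INSERT INTO feedback (name, email, comments) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $email, $comments);
    return $stmt->execute();
}

// The gate placed at the top of every internal page. session_start() must run
// before $_SESSION is read, and exit stops the rest of the page from rendering
// after the error page has been included.
function requireLogin(): void
{
    session_start();
    if (!isset($_SESSION['usr_session'])) {
        require 'login/error.php';
        exit;
    }
}
```

The mysql_ extension, including mysql_escape_string, was removed in PHP 7, so the prepared-statement form is the one to use in current code; it also removes the escape-on-insert, stripslashes-on-display round trip the page describes.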

Figure: SAD of Travel Agency Home Page

UNIVERSAL TEACHER PUBLICATIONS
Web: universalteacherpublications.com, universalteacher.com, universalteacher4u.com