Resource
Contact
Secure web application for a book retail organization
Client Overview
Since protecting sensitive data such as credit card number, user password, post code etc becomes significant important, a secure web application is required by our customer. The delivery should include both web application source code and a report including specification of user configuration, user interface introduction etc. It took a group of 3 RayooTech Elites 4 months working to finish the whole project.
Functionality analysis
Following the vendee's business specification, the project has been divided into 3 parts. The first one is web site part which will allow new users to create and to manage user account. The second one is web search part. It will allow user to search what they are interested in. The third one is SSL model part. It is an interface to general a pair of keys to encrypt secret data.
Web site part flow
The web site part is the basic part. The web site will allow user to input user information to create user account. The exiting users can login in the system, change user information and edit order list. If the user can not pass the authentication, it will feed back postscript information, and advise user to create an account if the user is new.
After user has created account, he can edit user account. After updating the information successfully, the browser will go back to my account part. User can check the order list if the user has logged in. If the user has made an order before, user can check the order or cancel the order. If there is no order, it will tell user that the order list is empty. User can edit user information. User can change password, credit card number and address and so on. After managing user account, user can log out the system.
Web search part flow
Web search part allows user to search the books which the user is interested in. If the user has logged in, the system will allow user to make an order of the book which the user likes. If the user has not logged in, the system only feed back the search result. When user clicks the book name, only the book details will come out.
SSL Model flow
Actually, SSL demo part is a part to generate a pair of keys for asymmetric encryption. 128 bits encryption is used to encrypt sensitive data for example, Credit card number, post code number etc.
-
General keys
In this project, SSL is used to protect user credit card number. SSL contains public key and private key. The SSL model part will allow user to create his own keys. The SSL model part contains an interface. After user enter the information such as passphrase, countryName, stateOrProvinceName, localityName, organizationName, organizationalUnitName, commonName and emailAddress to generate public key and private key, the system will create a customized pair of keys.
“passphrase” is used to general private key and decrypt data which is encrypted by using public key. “countryName, stateOrProvinceName, localityName, organizationName, organizationalUnitName, commonName and emailAddress” is used to create public key.
-
Reuse keys
After user input enough information, the public key and private key will be created. Those keys are in pairs, private keys come from different pairs can not be used to decrypt. On the demo page, a string will be used to test how those keys work.
The keys will be saved to different files. The private key will be stored in private.pem and the public key will be saved in publickey.pem.
Technologies used in the program
-
PHP
The project is based on PHP programming language which is very popular nowadays. PHP is easy for any developers who are familiar with Perl, C and Java and so on. PHP provide user freedom to use object-oriented constructs in PHP 5. Although PHP is good for beginners, there are still some problems when user are programming. Some functions are different in different editions of PHP. Such as DOM functions and so on. In the project, at beginning the DOMXML page was written in PHP5, but I changed it to PHP4 later because the XSLT processor is not installed on PHP5.
-
JavaScript
JavaScript is used to friendly give feed back to client. Because it runs on client, it will not cost the resource of the computer. The speed of feed back will be very fast. It is often been used to implement client validation when there is a form submitted. However, user can turn the JavaScript off on the browser. So although JavaScript can do some client side validation, it is not reliable; server side validation is needed. In this project, on the register page, the validation part is written in JavaScript. When user submits the form, before data processing, there is a server validation part. So the validation part can protect database from SQL query attacks.
-
XML & XSLT
XML is used in the project. XSLT is used to transfer XML data into HTML web page. XSLT is powerful to display XML data, because in XML, encryption can be used and XSLT can write both HTML code and JavaScript code. However, it is difficult to write the XSLT which contains both HTML and JavaScript. It is not easy for beginners to debug the XML and XSLT. In the project XSLT is used to write the table in the body of the HTML page only. The rest part (guide line and foot bar) is written by PHP script.
-
MYSQL
MYSQL is used to store user information for cost management issue, the information to general keys, books’ details and customer orders, etc.
Evaluation
After 4 months developing, all the functionalities have been implemented. Followed the contract, the sources code and a brief induction has been sent to the vendee.