
We will cover in this lecture
- A first look at issues related to
  - Security
  - Maintenance
  - Scalability
- Simple Three Layer Architecture
- Module Road Map
- Assignment 1 Road Map / Claims for Credit
Internet Software
- Not web sites!
- We experience the web as users; there is much more going on behind the scenes, and that is what we are interested in
- Some things we are interested in
  - Security
  - Maintenance
  - Scalability
The DVD Swap Shop
- Used in the first year to teach programming
- Written in VB.NET
- Uses some of the concepts we teach in this module
- However, it suffers from a great deal of poor design
- Available for download from the module web site / Blackboard
- We shall look at a quick demo of what the program does
Security Issues
- The standard login for the program is
  - User name: [email protected]
  - Password: password123
- What happens if we use the following?
  - User name: hi' or '1'='1
  - Password: hi' or '1'='1
SQL Injection Attacks
- SQL is a language designed for querying databases
- It stands for Structured Query Language
- Most commonly abbreviated to SQL or Sequel (as in Sequel Server)
- We are going to use SQL later in this module and you will be learning it in a parallel module, so it won't do any harm to show you a little SQL now
The Offending SQL
- The VB.NET code builds the query by string concatenation:

    "select * from Users where EMail = '" & EMail & "' and UserPassword = '" & Password & "'"

- With the following account
  - [email protected]
  - password123
- This concatenates to …

    select * from Users where EMail = '[email protected]' and UserPassword = 'password123'
The Injection Attack
- The same concatenation:

    "select * from Users where EMail = '" & EMail & "' and UserPassword = '" & Password & "'"

- With the following "account" (entered as both user name and password)
  - hi' or '1'='1
- This concatenates to …

    select * from Users where EMail = 'hi' or '1'='1' and UserPassword = 'hi' or '1'='1'
How it Works
- The single speech mark has terminated the string early
- Since 1 always equals 1, the query returns all of the records
- There are more than zero records, so it logs the user in as the first account
- The first user on any system is often the administrator
- This is not a lesson on SQL injection attacks, but it does serve to illustrate the vulnerabilities of poor architecture
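Here, as an added example that is not code from the slides or from the DVD Swap Shop itself, is the login query run both ways in Python against an in-memory SQLite table. The program on the slides is VB.NET on Access, so the table, the two constructed accounts and the function names are assumptions; only the shape of the SQL and the password "password123" come from the slides. Pasting the input into the SQL text reproduces what the slide describes; passing the values as parameters is the fix, because the database then never reads them as SQL.

```python
import sqlite3

# Constructed sample data standing in for the DVD Swap Shop's Users table.
# The first row is the "first user on the system", here the administrator.
USERS = [
    ("admin@example.com", "adminpass"),
    ("user@example.com", "password123"),
]


def make_db():
    """Create an in-memory database with a constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Users (EMail text, UserPassword text)")
    conn.executemany("insert into Users values (?, ?)", USERS)
    return conn


def login_concatenated(conn, email, password):
    """Mirror the slide's VB.NET string building: input is pasted into the SQL text.

    A quote in the input closes the string early and the rest becomes SQL.
    Returns the e-mail of the account logged in as, or None.
    """
    sql = ("select * from Users where EMail = '" + email
           + "' and UserPassword = '" + password + "'")
    rows = conn.execute(sql).fetchall()
    # "There are more than zero records so it logs the user in as the first account"
    return rows[0][0] if rows else None


def login_parameterised(conn, email, password):
    """The fix: the SQL text is fixed and the values travel separately as parameters.

    Whatever the input contains, the database compares it as a value, never as SQL.
    Returns the e-mail of the matching account, or None.
    """
    sql = "select * from Users where EMail = ? and UserPassword = ?"
    rows = conn.execute(sql, (email, password)).fetchall()
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = make_db()
    probe = "hi' or '1'='1"
    print("concatenated, real account:", login_concatenated(db, "user@example.com", "password123"))
    print("concatenated, injected:    ", login_concatenated(db, probe, probe))
    print("parameterised, injected:   ", login_parameterised(db, probe, probe))
```

Running it shows the concatenated version logging the injected input in as the administrator (every row matches, and the first row wins), while the parameterised version returns nothing because no account has that literal e-mail address. The same parameter mechanism exists in ADO.NET for the VB.NET program (a parameter placeholder in the SQL plus a parameter object carrying the value), which is the change the slides' "offending SQL" needs.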
Maintenance
- The DVD Swap Shop is built on Access
- Not the best choice for an internet application
- Change to another database, e.g. SQL Server
- DVD.MDB becomes DVD.MDF
The Problem
[Diagram: Web page 1, Web page 2, Web page 3 and Web page 4 each hold the Database Name directly, contrasted with a single Conduit Class sitting between the pages and the Database]
A 100 page site with ten references to the database per page = 1000 changes to the code!
Scalability
- How many of you have Facebook or Twitter on your phone?
- How would we modify the DVD Swap Shop so there is a phone app that does the same?
- Re-design the pages
- However, what do we do about the functionality?
Compare the Following Pages
Other Issues to Think About
- Dealing with International Markets
- Dealing with Different Computer Platforms
Dealing with International Markets
[Slide shows an Amazon Search example]
Dealing with Different Computer Platforms
- Mobile apps: Apple / Android / WinMo 7 & 8
- Tablet computers, e.g. iOS / Windows 8 / Android
- Windows computers
- Linux machines
- Servers running Apache / IIS
- What is the technology that makes it possible to support such a range of platforms?
Simple Three Tier Architecture
[Diagram, top to bottom:]
  Presentation (Interface)
  Middle Tier: Business Logic (Objects/Classes)
  Data Layer: Database
Some Benefits
- The interface has no knowledge of the structure of the database
- The middle tier handles communication of data
- The database may be switched with no impact on the interface
- All functionality is in the middle tier
- This means we may bolt on many different interfaces
Multiple Interfaces Single System
[Diagram: two Presentation (Interface) layers, a Web browser and a Mobile phone app, both sitting on one Middle Tier of Business Logic (Objects/Classes), which in turn sits on one Data Layer (Database)]
The big plus here is that if we change the functionality of the middle tier, any applications that are built on it instantly benefit.
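The following is an added example, not the DVD Swap Shop's code, showing both points made above: the maintenance problem (one conduit class holding the only reference to the database, so switching DVD.MDB for DVD.MDF is a single change) and the three-tier split (a middle tier that knows the business rules but no SQL, with a web page and a phone screen bolted on to the same tier). It is written in Python with SQLite rather than the slides' VB.NET and Access; the table, the class and function names and the two DVD titles are all assumptions.

```python
import html
import sqlite3


# ---- Data layer: the one place that knows where the database is (the "conduit class") ----
class DvdDataLayer:
    """Owns the connection and the table layout. Nothing else in the system sees SQL."""

    def __init__(self, connection_string=":memory:"):
        # Constructed: an in-memory SQLite database stands in for DVD.MDB / DVD.MDF.
        # Changing the database means changing this one line, not every web page.
        self.conn = sqlite3.connect(connection_string)
        self.conn.execute(
            "create table if not exists Dvds (Title text, Owner text, Available integer)"
        )

    def add_dvd(self, title, owner):
        # Parameterised throughout, so titles containing quotes are stored as-is.
        self.conn.execute("insert into Dvds values (?, ?, 1)", (title, owner))

    def available_dvds(self):
        rows = self.conn.execute(
            "select Title from Dvds where Available = 1 order by Title"
        )
        return [row[0] for row in rows]

    def mark_swapped(self, title):
        """Return True if exactly one available copy was marked as swapped."""
        cur = self.conn.execute(
            "update Dvds set Available = 0 where Title = ? and Available = 1", (title,)
        )
        return cur.rowcount == 1


# ---- Middle tier: business logic, no SQL, no knowledge of the table layout ----
class SwapShop:
    def __init__(self, data):
        self.data = data

    def list_available(self):
        return self.data.available_dvds()

    def request_swap(self, title):
        # A rule change here (say, a swap limit) reaches every interface at once.
        if not self.data.mark_swapped(title):
            return "Sorry, '%s' is not available" % title
        return "Swap agreed for '%s'" % title


# ---- Presentation layers: two interfaces on the same middle tier ----
def render_web_page(shop):
    # Titles are user data, so they are HTML-escaped before being placed in the page.
    items = "".join("<li>%s</li>" % html.escape(t) for t in shop.list_available())
    return "<ul>%s</ul>" % items


def render_phone_screen(shop):
    return "\n".join("* " + t for t in shop.list_available())


if __name__ == "__main__":
    data = DvdDataLayer()
    data.add_dvd("Alien", "ann")
    data.add_dvd("Brazil", "bob")
    shop = SwapShop(data)
    print(render_web_page(shop))
    print(render_phone_screen(shop))
    print(shop.request_swap("Alien"))
    print(render_phone_screen(shop))
```

Neither presentation function knows whether the data lives in Access, SQL Server or SQLite, and neither contains a query: that is the "interface has no knowledge of the structure of the database" benefit. Moving the program to another database means editing the connection string in the data layer and nothing in the pages.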
Life is Never that Simple!
- Module Road Map
Assignment 1 Road Map
Claims for Credit
- One interesting aspect of this module is that you have the facility of claiming credit for work that is not complete.
- If I were you I would make a start ASAP on creating parts of the system and then claiming credits for them from your tutor.
- This will help you in two ways
  1. You may start obtaining your module marks
  2. You may get feedback on work even if it is half baked