Wednesday, 30 April 2014

Register Process

I started of the register process by 


I then went ahead and started validating the fields, here I checked various factors:
  • All fields have been filled in, if they are not (==  "") then the echo message will notify them
  • Email fields 1 and 2 (email and confirm email) need to match if they don't (!=) another echo will notify them about this error. Here I carried out the same process for password 1 and 2 (password and confirm password)


  • I also verified the emails to see if they were valid address, important for the process of activating accounts
  • I used a hmac for the password encryption
  • sha512 was used although it is not the best method combining it with bcrypt and salt would enforce it
  • The unique key created for the website was linked to this section as it is the unique character set for the password security
  • I then create a prepare statement that checks to see if the email and chosen username exist within the database if they do they will need to change the details 

  • After all the validations are made a try catch block is created where a prepared statement executes the query that inserts all the information inserted within the form onto the database
  • The last usersid from the login table is gathered so that the system allocated the next usersid to the new registered individual
  • This id is stored within the activation table along with the users unique token, this id and token are set within the email activation link therefore only valid once and for that user


Monday, 28 April 2014

Register Page: Key

The register page was too simple in terms of the ability to add security therefore other fields were added to the form:
  • confirm email address
  • confirm password
Both of these extra fields would enable the ability to create queries that check various elements and enforces them:
  • checks passwords match
  • checks emails match
  • checks all fields are filled in
  • checks to see of the email exists within the database

This process undertook a large portion of this terms time as I had to read up a lot on PDO luckily there were several YouTube tutorials that went through the stages of developing prepare statements, bind values and executing them. These video not only speeded up production time as they gave me an insight of what needed to be done it also helped me learn through a piratical process.

Key
I started of by creating the key, this is part of the password securing method that will work alongside the hmac and bcrypt.


I run this code on the browser to produce the unique key for this website, this key was then saved onto a text file in the textfiles folder. 


I then developed a .htaccess that secures the file with the sensitive information from being accessed by unauthorised personnel.




Sources
Price, I. (2013). PHP Lesson: PDO: Error Handling, Try/Catch, Querying Database Results. [video] Available at: https://www.youtube.com/watch?v=ncrjieoiTrg&index=2&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: Getting Organized. [video] Available at: https://www.youtube.com/watch?v=iZlasj41KSY&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84&index=4 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: Introduction To Prepared Statements. [video] Available at: https://www.youtube.com/watch?v=bvxid3DoLjE&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84&index=5 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: More Error Handling. [video] Available at: https://www.youtube.com/watch?v=ybVwU9rg32Q&index=3&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: More On Prepared Statements. [video] Available at: https://www.youtube.com/watch?v=dJ7NAD4IZMg&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84&index=6 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: OOP Explained, How To Create A Simple Class. [video] Available at: https://www.youtube.com/watch?v=TUtblDPw9UI&index=7&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84 [Accessed 28 Apr. 2014].

Price, I. (2013). PHP Lesson: PDO: Transactions. [video] Available at: https://www.youtube.com/watch?v=6jWzMnmGsvk&index=8&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84 [Accessed 28 Apr. 2014].

Saturday, 26 April 2014

Converting conninfo.php to PDO

Since I am adapting the project to PDO one of the important adaptations was to the conninfo.php file that connects and access the database. Within PDO is the procedure is slightly differently however it is not a drastic change therefore by following a quick tutorial I was able to adapt this document fairly quickly.



Sources
Price, I. (2014). PHP Lesson: PDO: Connecting To A Database. [video] Available at: https://www.youtube.com/watch?v=cbiLi0CBHNM&list=PL0BBakFmJ-JlELdmy9LX7c_l7V4XMad84 [Accessed 26 Apr. 2014].

Friday, 18 April 2014

jQuery Password Strength Checker

Apart from echoing out messages about functions and processes that the user has requested it is also important to add such feedback within other sections. I decided to implement a password strength checker within the register form using a jQuery function. The purpose of this is as the user enters their chosen password the system with provide them with feedback as to how safe and effective it is, not only does it show the user but also encourages them to adapt it if it is a weak combination. The process was quite quick as the register form had already been developed, I only needed to add an id name to the password field and referenced it on the jQuery function at the top of the page. I then download the jQuery script, saving it to my js folder with the rest of the jQuery functions, this document was linked to the web pages through the script tag. I used a tutorial as a guideline as it was just an addition to the rest of the functionality




Wednesday, 16 April 2014

Converting from PHP MySQL to PDO

Since the process of this term requires security implementation in order to protect the users and sensitive information I went ahead and looked into the most efficiency processes and methods. I had previous;y come across PDO however I did not consider it until I read about how it is more effective in terms of security and protecting data:

  • Object Orientated API
  • Prepare Statements help to protect from MySQL injection 1st order, parameters used within bind values protect 2nd order injections
  • Prepared statements do not allow the MySQL string to be executed and implemented within the website
  • API handles database processes in a separate layer 
Looking at these pointers I decided to take a risky step and adapt my project to PDO this will be time consuming however I feel that it is a better method to use. 

The next few weeks I will be working on various areas of my project:
  • The report
  • security (register and login)
  • file downloads
  • file sharing 
I will follow the time plan I developed and presented in VIVA 2 in order to be able to finish the last sections of my project however I am aware that the short time frame and the amount of work that needs to be done might result in an unfinished project.