Web Design Small Cover

Buy the PDF of
Web Design:
A Complete Introduction

See the book at amazon.co.uk or amazon.com

Related Site

Web Security Topics

Related Books

Secure Communication Cover

Securing A Server Cover

Answers to Exercises, Chapter 8

Test Questions

  1. The languages most often used for server-side computation in Web applications are dynamically typed and implemented by interpretation, while mainstream languages are usually statically typed and compiled. Server-side languages feature automatic storage management, built-in regular expression pattern-matching and extensive libraries which include database functions. The dynamic typing (facilitated by interpretive implementation) and automatic storage management make programming easier for people such as Web designers and system administrators, whose main job may not be programming. The pattern-matching is especially useful for extracting information from text, which is what server-side scripts do much of the time, while the libraries provide ready-made code for commonly encountered tasks and a convenient interface to the databases which underlie the majority of Web applications.
  2. A web site entirely devoted to a blog is one example of a site that could be built on a CMS. An online shop is an example of a site that could use a CMS, for the product catalogue and so on, but would require additional software, to handle billing and payment, etc. A search engine is an example of a site that couldn't be based on a CMS, since it builds its pages from index data that is collected automatically and stored for efficient access. (This site could have been built on a CMS, but in fact it wasn't.)
  3. Database normalization is only concerned with ensuring that the database behaves sensibly when data is added, deleted or changed. If none of these operations occur, normalization is not relevant, and it might make more sense to use a database structure that makes common queries as fast as possible. So, if the database (or some tables within it) is set up to contain a large quantity of data that never subsequently changes, for instance, dates of birth or the results of a large statistical survey that was only carried out once, it might be a good idea to organize it to optimize performance instead of normalizing it.
  4. In our glossary application it was convenient to combine the generation of the form and response into a single script because we wanted to display the form again together with the definitions. This is a fairly common situation, but it is not the only possibility, and it is common practice to use a single script in most circumstances. The main reason for this is convenience. It ensures that all the logic for the form-handling is in one place. It also prevents requests being made directly to the script that creates the response, which would require additional checking and error handling code.
  5. As soon as the PHP processor encounters the beginning of the XHTML markup, it sends the response headers. If an error occurs after that, it is not possible to redirect to an error page by sending a location header. Instead, a corrupt response will be sent, with a location header in the body, where it doesn't belong. Therefore, all function calls that might generate an error must occur before the beginning of the XHTML.
  6. The easiest way for malicious users to interfere with a database is by fooling the application into sending a query that it didn't mean to. This can be done by including characters in a value sent in a request which, when interpolated into a legitimate query, will terminate that query, and then append the malicious code, which comprises a second database query. This will usually require the presence of a " or ' character to close a string, and a ; to terminate the first query. Calling mysql_escape_string puts \ characters in front of " and ', so that they are not treated as string terminators, and become part of the original query string. (If you don't follow this, just make a point of calling mysql_escape_string whenever you build a query from data received in an HTTP request.)

    Other measures you can make to increase the security of your database include always ensuring that user names and passwords for accessing the database are only recorded in files that cannot be accessed by the Web server, and that scripts do not connect to the database as a user with admin privileges. (Your site administrator will probably ensure that the server process runs with a low level of privileges.) You should also verify, wherever possible, that data that has been received in a request has the expected format. (For instance, if a positive integer is expected, the data should only consist of digits, if a number representing a month is required, the value should lie between 1 and 12, and so on.)

  7. To get the terms displayed in strict alphabetical order, you need to ignore the case of letters while you sort them. There are several ways you could go about doing this. The hardest would be to replace the call to ksort at the top of page 487 with a call to your own sorting function, which you wrote to use case-insensitive comparisons. The easier way is to look under Array Functions in the PHP manual. Here you will discover that there is an alternative to ksort called uksort, which takes a second argument, which is a function to be used to compare the keys while performing the sorting operation. The manual explains that 'The comparison function must return an integer less than, equal to, or greater than zero if the first argument is considered to be respectively less than, equal to, or greater than the second.' So here is an unsophisticated function that does case-insensitive comparison by first converting its arguments to lower-case:
    function lc_cmp($a, $b) {
    	$aa = strtolower($a);
    	$bb = strtolower($b);
    	if ($aa == $bb) {
            return 0;
        return ($aa > $bb) ? 1 : -1;
    which can be used by replacing the original call to ksort by
    uksort($counts, lc_cmp);
    This is the code used in the live version of the glossary.

Discussion Topics: Hints and Tips

  1. First and foremost, you need to consider availability. In a real project, there will often be constraints on what languages are available on the server. It's no use deciding that Ruby is ideal for your project if the site is going to be hosted on a machine that does not have Ruby installed and does not allow you to install it. If you are managing the server yourself, you have greater freedom. In that case, you must consider the experience and knowledge of your programming team, whether any libraries provide the necessary functions for your application and whether the language itself allows you to write robust and maintainable code. Fashion should not determine your choice.
  2. This debate came to prominence when Ruby on Rails started to attract attention. You can read one side of the debate in the RoR book. A Google search for 'Configuration vs convention' or 'Convention over configuration' will turn up a lot of blog commentary on the topic. Don't expect any definitive answers. This is a complex issue, and your views may change as you gain experience in Web programming. One consideration which may not be obvious is that development tools can hide the details of configuration files, but conventions are something you are stuck with.
  3. Creating each page's navbar by hand is not the only alternative to generating them dynamically from a database. See Chapter 11's brief description of site templates. For each possible way of creating navbars, think about what you would have to do if you needed to add items to the navbar after the initial site design has been implemented.
  4. Try to determine the reasons commonly given by users who refuse cookies and see whether they are justified. The only reliable way to determine whether a user is accepting cookies is to try to set one and then see whether you can read it back. Read the section on Session Handling Functions in the PHP manual to find out about an alternative way of keeping track of visitors.

Practical Tasks: Hints and Tips

  1. We chose phpBB as the example for this task because it is widely used and sites based on it are easily identifiable. However, you can use any other Open Source application instead, as long as it claims to allow you to customize it. What you tend to find is that it is easy to change certain aspects, like the colours and the site logo. Many systems even provide simple interactive editors for changing these things. However, if you want to integrate the system with your own site, adding your navbars and so on, things often become much harder.
  2. The page reference in this question should be to page 493, not 489. Sorry. Take care when writing your PHP code that writes JavaScript that any characters in the JavaScript code which have special meanings within a PHP string are escaped.
  3. If you're not sure where to start this task, approach it in stages. Begin by writing a script that runs through the array of values in a request and just writes them to a simple XHTML document. Modify your form to invoke this script, so that you can see how the data from the form is being delivered to the script. Then get your script to pick out the values you want and embed them in a simple page. Next, add markup to the page and write a stylesheet to present it nicely. Finish off by combining the form and script.
  4. It is advisable to separate the database design from the scripting. Design the tables on paper, check they are normalized, then using a database client, such as phpMyAdmin create the tables and add some data by hand. Then formulate the queries you will need to retrieve and insert data, and, still using the database client, check that they work as intended. Then embed the queries in a script that just does the data manipulation. (This will essentially be the model, in MVC terms.) When you have that working, you can go on to integrate it with the script from the previous exercise. We have left this task open-ended. Extending it beyond the brief in the first paragraph will allow you to combine your database and programmng skills with design.