This chapter will focus on the details of the implementation phase of this online examination system. The technologies and tools used will be discussed first. It will be shown that researching the various existing technologies is an invaluable investment in the first phases of every project. Then the choices made for the development of this particular application will be justified. In the next section, the development of some features of particular importance for this project will be discussed in detail: what their purpose is, which technologies were used to implement them, and any problems associated with them. Example code will be presented as well.
6.1 Programming languages and other tools used
6.1.1 General criteria for choosing technologies
Deciding which programming languages and which tools to use is a critical task that needs to be done carefully at the beginning of every software application project, since choosing tools that are not appropriate for the application will inevitably have negative effects on the quality of the final product and on the total costs, and might cause significant delay in the delivery of a product that meets the desired criteria. More specifically, choosing inappropriate tools might result in the need to change them in the middle of the development life cycle. In that case, a whole chain of other consequences and extra expenses might follow, such as:
Researching again for more appropriate technologies and tools
Extra costs for purchasing them if they are not open source or provided free of charge
Changing the services purchased, or even vendors, if they do not support the new technologies (for example, the server on which the hosting plan has been purchased might not support the newly chosen programming language)
Training on the new tools might be needed for the developer
Transferring or rewriting the previous work and code might take a lot of time and effort
All of the above can cause significant delays and throw the project off schedule
Client dissatisfaction and disappointment might come as a consequence of all these factors
For all of these reasons, before moving to the implementation phase of this project's development life cycle, careful attention was paid and significant effort was put into evaluating the various programming languages and other technologies commonly used for web based applications. The tools finally chosen needed to meet the following criteria:
To support the implementation of all the technologies and features that were needed in order to meet the requirements and specifications set in the design phase
The expertise and knowledge required for development using these tools should match the author's skills and experience. For tools that the author had not used before, the initial learning curve should be reasonably easy and quick; otherwise the possibility of not delivering in time would be rather high
The features that the tools and programming languages themselves provide should facilitate quick development of web based applications. As with the previous criterion, not doing so would increase the possibility of not meeting the deadline for this project. For example, a language like C would be inappropriate, as web development in it would be very slow
To fit the budget available for purchasing them. In this case, they should either be free or provided by the university
To be compatible with any other existing technologies or services that had to be used for one reason or another. For example, the hosting provided by the university is on an Apache server, so every tool needed to provide modules for communicating with Apache. They should also support the operating system installed on the server, and any installation of software would need to comply with the university's rules
To be able to be part of a group of technologies that communicate easily with each other, since many different requirements and specifications were set that are difficult to meet with only one tool
Following is a brief description of the programming languages chosen for this project and the reasons they were chosen.
6.1.2 PHP
"PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML" (php.net, 2010). The main reasons for choosing PHP among the other candidates (ASP, Perl, Java) were:
As a server-side scripting language, PHP is appropriate for implementing all of the features that have to do with retrieving data from and storing data to the database, executing logic or other manipulations on them, facilitating session management, and embedding the results in HTML
It integrates tightly with the Apache server, which is the web server the site would be hosted on
It is free of charge, and no installation was needed as it had already been installed on the university's server
Good MySQL support: interacting with the database is easy and straightforward
There is a huge community of users that makes learning the language and finding solutions to common problems easy
The learning curve is one of the quickest among programming languages. Simplicity is one of PHP's strongest features
It is the simplicity of the language, together with the fact that it is a scripting language that can be embedded in HTML, that makes iterations between the coding and testing phases, on a small or a large scale, very easy. That is an important requirement of modern web development, as discussed in the chapter on software engineering methodologies
It is widely supported by most web servers today, whether Windows or Unix / Linux based, and works well with most of the dominant technologies used for web development today, so it is an excellent choice for future extensibility and maintenance
6.1.3 MySQL
"MySQL is a Relational Database Management System (RDBMS)" (wikipedia.org, 2010). Reasons for choosing it include:
It provides all the features needed for implementing a relational database, storing and retrieving data, as needed for this software application
It works well with PHP, the server-side scripting language of choice
It is easy to use and has a small learning curve
It is free, and no installation was needed as it was already installed on the university's server
It is supported by most servers, so there will be no compatibility problems if the software is moved to another server
6.1.4 HTML / CSS
6.1.5 AJAX
AJAX is more a way of using a set of tools or technologies than a technology itself. Normally in a web application, displaying data means that the user makes a request to the server, the server executes whatever logic or data processing is needed to respond, and the server's response is sent back to the user's browser to be displayed. This is done in a strictly sequential order, and the user has to wait for the whole cycle to complete before proceeding to another action. AJAX changes this by introducing asynchronous requests to the server: the user no longer has to wait for the response but can continue using the page, possibly sending more requests while waiting. In this application, AJAX was important for regularly updating the database record in which the time used by the student is stored, without affecting the user's experience at all.
6.2 Implementation of specific features
This section describes in detail the implementation of the security measures that were found important to include in this online examination system, as discussed in earlier chapters.
6.2.1 Prevention of SQL injection
An online examination system relies heavily on storing user-supplied data in a database and on using them in queries against the database. This is mainly done through forms, on the login page and during an examination when the student submits answers to the questions. If proper care is not taken, a student might submit SQL code instead of an answer, and if that input ends up in a query executed against the database the results are unpredictable: data can be read, altered or deleted. This must be avoided at all costs. The technique used in this project is to escape the characters that have special meaning inside a SQL string literal before the input is placed in the query. PHP's original MySQL extension provides a specific function for that, mysql_real_escape_string($string), which uses the character set of the currently open connection. Two caveats apply. First, escaping only protects values placed inside quoted string literals; numbers, column names or ORDER BY clauses built from user input still need validation of their own. Second, the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0; the recommended approach today is a prepared statement (with mysqli or PDO), in which the query text and the user-supplied values are sent to the database separately, so the values can never change the meaning of the query.
As a simple example, suppose we have a login form where the username is required. Without protection, a query would be executed as follows:
// get the username submitted in the form
$username = $_POST['username'];
// define the query (vulnerable: the raw input becomes part of the SQL text)
$query = "SELECT * FROM Users WHERE username='$username'";
// execute the query
$result = mysql_query($query);
To prevent SQL injection, the username needs to be escaped before the query is built (an open MySQL connection is required, since the function uses the connection's character set):
$username = mysql_real_escape_string($_POST['username']);
PHP makes this protection really simple. Note that in the implementation of this online examination, SQL injection protection was applied only to the login functionality, as a demonstration of the technique. Ideally it must be applied everywhere user-supplied data are used to construct SQL queries, since a single forgotten input is enough to expose the whole database.
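The following is an added example, not code from the essay's own implementation, of the same login lookup written with PDO prepared statements, which is the approach that replaces escaping in current PHP. It goes slightly beyond the login case: it also shows storing an answer and the one place where placeholders cannot help (a column name chosen by the user). The connection details and the table names Users and Answers are assumptions.

```php
<?php
// Added example (not the essay's own code): the login lookup written with PDO
// prepared statements instead of string concatenation plus escaping.
// Assumptions: PHP 7.1+, a MySQL database "exam" with tables
// Users(id, username, password_hash) and Answers(student_id, question_id, answer)
// reachable with the credentials below.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=exam;charset=utf8mb4',
        'exam_user',
        'exam_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: the SQL text and the parameter values
            // travel to MySQL separately, so no value can alter the query.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Vulnerable form, kept only for contrast: the submitted username becomes part
// of the SQL text, so the constructed input   ' OR '1'='1   turns the WHERE
// clause into a tautology and the query returns every user.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, password_hash FROM Users WHERE username='$username'";
    return $pdo->query($sql)->fetchAll();
}

// Hardened form: the placeholder is bound to the value, which MySQL treats
// strictly as data. The same input above simply matches no user.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM Users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Storing an answer the same way: the text is bound as data, so quotes,
// semicolons or SQL keywords inside it have no effect on the statement.
function saveAnswer(PDO $pdo, int $studentId, int $questionId, string $answer): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO Answers (student_id, question_id, answer) VALUES (:s, :q, :a)'
    );
    $stmt->execute([':s' => $studentId, ':q' => $questionId, ':a' => $answer]);
}

// Placeholders cannot stand for identifiers. When the user chooses a sort
// column, map the input through an allow-list instead of concatenating it.
function listUsers(PDO $pdo, string $sortBy): array
{
    $allowed = ['username' => 'username', 'created' => 'created_at'];
    $column  = $allowed[$sortBy] ?? 'username';
    return $pdo->query("SELECT id, username FROM Users ORDER BY $column")->fetchAll();
}

// Usage from the login script:
$pdo  = connect();
$user = findUser($pdo, $_POST['username'] ?? '');
if ($user === null) {
    echo "unknown user\n";
}
```

Disabling emulated prepares matters: with emulation on, PDO itself quotes the values into the SQL text on the client side, which is still safe for values but re-introduces the dependency on the connection character set that escaping had.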
6.2.2 CSRF protection
A vulnerability that is very common on the web today, but is not taken into account in software designed for online examination systems, is what is known as a CSRF (cross-site request forgery) attack. In a web application, all actions initiated by the user are performed by making a request to the server, which runs a script that performs the desired action. Usually the script requires some input data submitted through a form. For example, if the administrator wants to delete a student's account, he might submit a form that contains the ID number of the student to be deleted.
Most browsers support navigation with several tabs or windows open, and moreover the browser keeps sending the session cookie with every request to the site until the session expires or the browser is restarted. The consequence is that if a user, after logging into a website, visits a web page elsewhere that, unknown to the user, sends a request to the first website with instructions to execute some action, the action will be executed: the request comes from the same browser, carries the same session cookie, and therefore arrives with the permissions the user has already been granted. The user might not have approved of that action and might not even realise it happened.
As an example in the case of an online examination system, a student could submit, instead of an answer, a snippet of script or HTML that makes the browser call the server-side script which deletes another student's account. When the examiner or the administrator logs in and visits the page where the student's answers are displayed, the browser executes the injected content, the request is sent to the server with the administrator's session, and the other student's account is deleted. Note that this particular route also depends on the answer being displayed without HTML escaping; the general CSRF case needs no injected content at all, only a page on some other site that the administrator visits while logged in.
This form of attack can be prevented easily by the technique presented by Zeller and Felten (2008). Several techniques have been proposed by various developers, but this one is simple and effective and adds only minimal extra delay to the processing of a form. The technique is essentially to generate a unique, practically unguessable token for each user session; the token can even be unique for each individual form if extra security is required. It is stored in the user's session on the server. (A variant stores a copy in a cookie on the user's computer and compares it with the form value, the so-called double-submit cookie, but server-side storage is the more secure of the two.) The token is also placed in the form used to request the action, as a hidden input, since the user does not need to see it. When the form is submitted, the token stored in the session is compared with the value submitted in the request, and if the values do not match the request is rejected. A page on another site cannot read the token, because the browser's same-origin policy prevents it from reading the examination site's pages, so it cannot forge a request that passes the check. A simple example of the code in PHP is given below:
// generate a unique keyword once per session (uniqid()/rand() are not a cryptographic
// source; on PHP 7+ bin2hex(random_bytes(32)) is preferable)
session_start();
if (empty($_SESSION['csrf-keyword'])) {
    $_SESSION['csrf-keyword'] = sha1(uniqid(rand(), true));
}
// include it in the form as a hidden input (HTML-escaped, like any value placed in an attribute)
<input type="hidden" name="csrf-keyword" value="<?php echo htmlspecialchars($_SESSION['csrf-keyword']); ?>" />
// when a request is submitted to the server, compare the values; hash_equals() runs in
// constant time and avoids PHP's loose == comparison of strings
if (isset($_POST['csrf-keyword']) && hash_equals($_SESSION['csrf-keyword'], $_POST['csrf-keyword'])) {
    // execute action here
}
As with the SQL injection protection, CSRF protection was implemented only for the login form in this application, to demonstrate the technique. Ideally it should be implemented on every form that initiates an action requiring special permissions, such as deleting an account or submitting answers, and the token should be regenerated after a successful login so that a token obtained before authentication cannot be reused.
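The following is an added example, not the essay's own code, of the same session-token technique written the way a practitioner would ship it today: the token comes from the operating system's random source, the comparison runs in constant time, and the token is rotated after login. The action script name delete_student.php and the form field student_id are assumptions.

```php
<?php
// Added example (not the essay's own code): a per-session CSRF token generated
// from the OS CSPRNG and checked with a constant-time comparison.
// Assumptions: PHP 7.0+ (random_bytes, ?? operator), PHP's built-in sessions,
// and a hypothetical delete_student.php action script as the protected form.
declare(strict_types=1);

session_start();

// Return the session's token, creating it on first use.
function csrfToken(): string
{
    if (empty($_SESSION['csrf-keyword'])) {
        // 32 bytes from random_bytes(), hex-encoded: 64 unguessable characters.
        $_SESSION['csrf-keyword'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf-keyword'];
}

// The hidden input to place inside every state-changing form. The value is
// HTML-escaped so it cannot break out of the attribute.
function csrfField(): string
{
    return '<input type="hidden" name="csrf-keyword" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only when the request carries a string token equal to the session's.
// hash_equals() takes the same time whether the strings differ in the first
// or the last byte, so response timing leaks nothing about the token.
function csrfValid(array $post): bool
{
    $submitted = $post['csrf-keyword'] ?? null;
    if (empty($_SESSION['csrf-keyword']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf-keyword'], $submitted);
}

// Call after a successful login: a token handed out before authentication is
// discarded, so a value obtained from the unauthenticated session is useless.
function csrfRotate(): void
{
    unset($_SESSION['csrf-keyword']);
    csrfToken();
}

// delete_student.php: only a POST carrying a valid token reaches the action.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    $studentId = (int) ($_POST['student_id'] ?? 0);
    // ... delete the account with id $studentId here, with a prepared statement ...
} else {
    // Render the form; csrfField() inserts the hidden token input.
    echo '<form method="post" action="delete_student.php">'
        . '<input type="number" name="student_id">' . csrfField()
        . '<button type="submit">Delete student</button></form>';
}
```

Because the token is tied to the session, the same value serves every form the user submits during that session; a per-form token, the stricter variant mentioned above, would be stored under a key derived from the form name and checked the same way. Rotating the token at login should be combined with session_regenerate_id(true), so the session identifier itself also changes after authentication.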
6.2.3 Sensitive data encryption
Even if a web application is properly secured against all the major attacks, there is always the danger that someone manages to gain unauthorised access to the server. Attackers use several methods to attack servers, and this is quite common on servers where system administration and configuration are not done carefully. If that happens, it is quite possible that the database will be accessed without authorisation and the sensitive data stored in it will be retrieved.
To limit the damage in this situation, sensitive data can be stored in the database in a form that is useless to whoever reads the table. Two different tools exist for that. Encryption transforms the data with an algorithm and a secret key into a form that cannot be read without the key, and is reversible: it suits data that the application itself later needs in clear, such as personal details. Hashing is a one-way transformation: the original cannot be recovered from the hash, only tested against it, which is exactly what is needed for passwords, since the application never needs the password back, only to check that the one typed at login is the same. In this online examination system a simple method for protecting the users' passwords has been implemented with one of PHP's built-in hash functions, as demonstrated below:
$password = sha1($password . $key);  // SHA-1 hash of the password with $key appended as a salt
where sha1 computes the hash and $key is a per-user value (a salt) that makes the result unique even when two users choose the same password, so identical passwords do not produce identical stored values and precomputed tables of common passwords are useless. The timestamp of the moment the user was created can be used for this purpose. Two caveats should be noted. A creation timestamp is predictable, so a random salt is preferable, and SHA-1 is designed to be fast, which is a weakness here: an attacker who has copied the table can test a very large number of candidate passwords per second against each hash. Since PHP 5.5 the functions password_hash() and password_verify() apply a deliberately slow, salted algorithm (bcrypt by default) and should be preferred in new code.
The resulting hash, not the password, is then stored in the database. When a user tries to log in, the password sent with the request is hashed in the same way (with the same salt) and compared with the value stored in the database; if they match, authentication succeeds. Note that even though in this application only the passwords were protected this way, in order to demonstrate the technique, other sensitive data can be stored encrypted where extra security is required, in which case the encryption key must be kept outside the database, since a key stored next to the data protects nothing.
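The following is an added example, not the essay's own code, of the login check written with password_hash() and password_verify(). It shows what the single sha1() line above does not: the salt is generated randomly and stored inside the hash string, the hash is slow to compute by design, old hashes are upgraded transparently when the algorithm or cost changes, and a login attempt for an unknown username costs the same time as one for a real account. The table name Users and the column password_hash are assumptions.

```php
<?php
// Added example (not the essay's own code): storing and verifying passwords with
// PHP's password_hash()/password_verify() (PHP 5.5+; ?? and return types need 7.0+).
// Assumptions: a PDO connection to a table Users(id, username, password_hash).
declare(strict_types=1);

const PASSWORD_COST = 12;   // bcrypt work factor; raise it as hardware gets faster

// Called when an account is created or the password changes.
function hashPassword(string $plain): string
{
    // PASSWORD_DEFAULT is bcrypt today and may change in future PHP versions; the
    // algorithm, cost and a random 128-bit salt are all recorded in the returned
    // string, so old hashes keep verifying after the default changes.
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST]);
}

// Login check. Returns true only when $plain matches the stored hash for $username.
function login(PDO $pdo, string $username, string $plain): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Constructed once per process: verifying against it when the username
        // does not exist keeps the response time the same as for a real account,
        // so timing does not reveal which usernames are valid.
        $dummyHash = hashPassword('placeholder-not-a-real-password');
    }

    $stmt = $pdo->prepare('SELECT id, password_hash FROM Users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = ($row !== false) ? (string) $row['password_hash'] : $dummyHash;
    $ok   = password_verify($plain, $hash);
    if ($row === false || !$ok) {
        return false;
    }

    // Transparent upgrade: if the stored hash uses an older algorithm or a lower
    // cost than the current policy, re-hash the password we have just verified.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => PASSWORD_COST])) {
        $upd = $pdo->prepare('UPDATE Users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => hashPassword($plain), ':id' => (int) $row['id']]);
    }
    return true;
}

// Usage from the login script, with the username and password taken from the form:
$pdo = new PDO('mysql:host=localhost;dbname=exam;charset=utf8mb4', 'exam_user', 'exam_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    session_regenerate_id(true);   // new session id after authentication
    $_SESSION['user'] = $_POST['username'];
}
```

Migrating the existing sha1 hashes does not require knowing the passwords: the stored SHA-1 value is kept until the user's next successful login, at which point the password is available in clear for one request and can be re-hashed with hashPassword().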
6.2.4 Regular asynchronous update of the exam's time
One of the problems often encountered in online examination systems is that if anything interrupts the examination while a student is taking it, the student's session is lost. There is no record of when this happened, and the student has to take the exam again. There are many cases where this can happen: the server might crash, there might be a power failure, or the operating system or the browser might crash unexpectedly. The student might even intentionally close the browser or force the computer to shut down and then claim a power failure in order to get a second chance at the test. This would be unfair to the other students, who had only one opportunity to take the same examination.
One of the important ideas this work proposes is a mechanism that stores the time a student has used, in a database record for each test he / she is taking. The record is updated regularly while the student is taking the test. This way, if anything interrupts the session, when the student tries to start the same examination again the time already used is retrieved from the database and the clock continues counting down from the moment it stopped.
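The following is an added example of the server side of this mechanism, which is also the asynchronous update that the AJAX section above refers to; it is not the essay's own code, and the table and column names (exam_attempts, exams, the session key student_id, the script name update_time.php) are assumptions. The point it makes is that the elapsed time is computed from the server's clock between two consecutive updates, never from a value the browser reports, because a student can alter anything the browser sends. A gap longer than the expected interval (a crash or a closed browser) is credited with only one normal interval, which gives the resume behaviour described above, and is counted so that the examiner can see afterwards how often an attempt was interrupted.

```php
<?php
// Added example (not the essay's own code): the endpoint behind the periodic
// AJAX "time used" update. Elapsed time is derived from the server clock.
// Assumptions: PHP 7.1+, PDO with MySQL/InnoDB, a hypothetical table
// exam_attempts(student_id, exam_id, time_used, last_heartbeat, interruptions)
// and exams(id, duration) with times in seconds, a logged-in session holding
// student_id, and the CSRF token $_SESSION['csrf-keyword'] from the previous section.
declare(strict_types=1);

const HEARTBEAT_SECONDS  = 30;                      // the client posts every 30 s
const MAX_CREDIT_SECONDS = 2 * HEARTBEAT_SECONDS;   // longer gaps count as an interruption

// Add the time since the last update to the attempt and return the new totals,
// or null when no such attempt exists. $now is the server time, passed in so
// the function can be exercised with fixed values.
function recordHeartbeat(PDO $pdo, int $studentId, int $examId, int $now): ?array
{
    $pdo->beginTransaction();
    // FOR UPDATE serialises concurrent heartbeats for the same attempt.
    $sel = $pdo->prepare(
        'SELECT a.time_used, a.last_heartbeat, a.interruptions, e.duration
           FROM exam_attempts a JOIN exams e ON e.id = a.exam_id
          WHERE a.student_id = :s AND a.exam_id = :e FOR UPDATE'
    );
    $sel->execute([':s' => $studentId, ':e' => $examId]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        $pdo->rollBack();
        return null;
    }

    $gap           = $now - (int) $row['last_heartbeat'];
    $interruptions = (int) $row['interruptions'];
    if ($gap > MAX_CREDIT_SECONDS) {
        // No heartbeats arrived for a while: charge one normal interval only
        // and record the gap for the examiner to review.
        $gap = HEARTBEAT_SECONDS;
        $interruptions++;
    }
    // max() guards against a server clock that moved backwards; min() stops
    // the total at the exam's duration.
    $timeUsed = min((int) $row['time_used'] + max($gap, 0), (int) $row['duration']);

    $upd = $pdo->prepare(
        'UPDATE exam_attempts SET time_used = :t, last_heartbeat = :h, interruptions = :i
          WHERE student_id = :s AND exam_id = :e'
    );
    $upd->execute([':t' => $timeUsed, ':h' => $now, ':i' => $interruptions,
                   ':s' => $studentId, ':e' => $examId]);
    $pdo->commit();

    return [
        'time_used'     => $timeUsed,
        'remaining'     => (int) $row['duration'] - $timeUsed,
        'interruptions' => $interruptions,
    ];
}

// update_time.php: the script the browser calls asynchronously. Only a POST
// from a logged-in session with a valid CSRF token is accepted.
session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_SESSION['student_id'], $_SESSION['csrf-keyword'], $_POST['csrf-keyword'])
    || !hash_equals($_SESSION['csrf-keyword'], (string) $_POST['csrf-keyword'])) {
    http_response_code(403);
    exit;
}
$pdo = new PDO('mysql:host=localhost;dbname=exam;charset=utf8mb4', 'exam_user', 'exam_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$result = recordHeartbeat($pdo, (int) $_SESSION['student_id'],
    (int) ($_POST['exam_id'] ?? 0), time());
header('Content-Type: application/json');
if ($result === null) {
    http_response_code(404);
    $result = ['error' => 'no such attempt'];
}
echo json_encode($result);
```

On the client, the examination page posts to the script every HEARTBEAT_SECONDS, for example with fetch('update_time.php', {method: 'POST', body: new URLSearchParams({exam_id: id, 'csrf-keyword': token})}), and corrects its countdown from the returned remaining value rather than trusting its own timer. When the page is reopened after an interruption, the same remaining value restarts the clock. The interruptions count is what lets the examiner tell a single power failure from a student who repeatedly closes the browser to stop the clock.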