Online Examination System Implementation Computer Science Essay

This chapter focuses on the details of the implementation phase of this online examination system. The technologies and tools used are discussed first. It will be shown that researching the various existing technologies is an invaluable investment in the first phases of every project. The choices made for the development of this particular application are then justified. In the next section, the development of some features of particular importance for this project is discussed in detail: their purpose, the technologies used to implement them, and any problems associated with them. Example code is presented as well.

6.1 Programming languages and other tools used

6.1.1 General criteria for choosing technologies

Deciding which programming languages and tools to use is a responsible task that needs to be done carefully at the beginning of every software project, since choosing tools that are not appropriate for the application will inevitably have negative effects on the quality of the final product and on the total cost, and might significantly delay the delivery of a product that meets the desired criteria. More specifically, choosing inappropriate tools might result in the need to change them in the middle of the development life cycle. In that case, a whole chain of other consequences and extra expenses might follow, such as:

Researching again for more appropriate technologies and tools

Extra costs for purchasing them if they are not open source or provided free of charge

Changing purchased services or even vendors if they do not support the new technologies (for example, the server on which the hosting plan has been purchased might not support the newly chosen programming language)

Training on the new tools might be needed for the developer

Transferring or rewriting the previous work and code might need a lot of time and effort

All of the above can cause significant delays and put the project behind schedule

Client dissatisfaction and disappointment might come as a consequence of all these factors

For all of these reasons, before stepping into the implementation phase of this project's development life cycle, careful attention was paid and significant effort was put into evaluating the various programming languages and other technologies commonly used for web-based applications. The tools finally chosen needed to meet the following criteria:

To support the implementation of all the technologies and features that were needed in order to meet the requirements and specifications set in the design phase

To be in compliance with other rules defined by the client. In this case, the system under development is part of the author's thesis submitted in fulfillment of his master's degree, and thus it is meant to be an authentic work. Ideally all the code should be written from scratch; consequently, the use of ready-made frameworks or code libraries that provide many of the desired features was found inappropriate, with one exception made for including open source JavaScript libraries to enhance the interface

The expertise and knowledge required for development using these tools should match the level of the author's skills and experience. For tools that the author had not used before, the initial learning curve should be rather easy and quick. Otherwise the possibility of not being able to deliver in time would be rather high

The features that the tools and programming languages themselves provide should facilitate quick development of web based applications. As in the previous criterion, not doing so would increase the possibility of not meeting the deadline for this project. For example, a programming language like C would be inappropriate as web development would be very slow

To meet the budget available for purchasing them. In this case, they should either be free or provided by the university

To be compatible with any other existing technologies or services that had to be used for one reason or another. For example, the hosting provided by the university is on an Apache server, and every tool needed to provide modules for communicating with the Apache server. They should also support the operating system installed on the server, and if any installation of software were needed, this should be in compliance with the university's rules

To be able to be part of a group of technologies that communicate easily with each other, since many different requirements and specifications were set that are difficult to meet with only one tool

Following is a brief description of the programming languages chosen for this project and the reasons they were chosen.

6.1.2 PHP

"PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML" (, 2010). The main reasons for choosing PHP, amongst other candidates (ASP, Perl, Java), were:

As a server-side scripting language, PHP is appropriate for implementing all of the features that have to do with retrieving data from or storing data to the database, executing logic or other manipulations on them, facilitating session management and embedding

It integrates very easily with the technologies that are used for the implementation of the interface and any client-side scripting needed, namely HTML, CSS and JavaScript

It tightly integrates with the Apache server, which is the web server the site would be hosted on

Free of charge, and no installation was needed as it had already been installed on the university's machine

Good MySQL support: interacting with the database is easy and straightforward

There is a huge community of users that makes learning the language and finding solutions to common problems easy

The learning curve is one of the quickest among programming languages. Simplicity is one of PHP's strongest features

It is the simplicity of the language together with the fact that it is a scripting language that can be embedded in HTML that makes iterations between coding and testing phases, either on a small or a large scale, very easy. That is an important requirement of modern web development, as discussed in the chapter about methodologies in software engineering

It is widely supported by most of the web servers today, whether Windows or Unix / Linux based, and works well with most of the dominant technologies that are used for web development today so it makes for an excellent choice for future extensibility and maintenance

6.1.3 MySQL

"MySQL is a Relational Database Management System (RDBMS)" (, 2010). Reasons for choosing to use it include:

It provides all the features needed for implementing a relational database, storing and retrieving data, as needed for this software application

It works great with PHP, the server side scripting language of choice

It is easy to use and has a small learning curve

It is free and no installation was needed as it was already installed in the university's server

Supported by most servers, so there will be no compatibility problems in the case of moving the software to another server

6.1.4 HTML / CSS

HyperText Markup Language (HTML) is the most commonly used language for displaying information in a browser, sent over the HTTP protocol. It is supported by all browsers today, it is easy to learn and use and it integrates well with server-side and client-side scripting languages (such as PHP and JavaScript) that are commonly used in web development. It is so commonly used that there is almost no other alternative option. Cascading Style Sheet (CSS) is the language used for defining the formatting and appearance of the elements of a document described in the HTML markup language.

6.1.5 JavaScript

The most common use of JavaScript is as a client-side scripting language employed for developing dynamic web pages. It is used for enhancing the interfaces created with HTML and CSS by introducing interactive elements. As a client-side language it executes in the browser, and it is fast since it does not require a request to and a response from the server.

6.1.6 Dreamweaver

Dreamweaver is a software application designed to facilitate professional web development. It supports several scripting languages, including PHP and JavaScript, and features a rich text editor for coding with syntax highlighting and an immediate display of the results in a built-in browser. Although it is a proprietary software application and is not free, it was one of the applications provided by the university.

6.1.7 AJAX

AJAX is more a way of using a set of tools or technologies than a technology itself. Normally in a web application the process of displaying data implies that the user makes a request to the server, the server executes any logic or data processing needed to respond to the request, and the server's response is sent back to the user's browser to be displayed. This process is done in a strictly sequential order, and the user has to wait for the whole cycle to complete before proceeding to another action. With AJAX the scene changes by introducing asynchronous requests to the server. That means that the user no longer has to wait for the response but can continue using the page and possibly send more requests while waiting. In this application, the use of AJAX was important for implementing the feature of regularly updating the database record where the time used by the student is stored, without affecting the user's experience at all.

6.2 Implementation of specific features

This section describes in detail the process of implementing some of the security features that were found important to include in this online examination system, as discussed in earlier chapters.

6.2.1 Prevention of SQL injection

An online examination system relies heavily on storing user-supplied data in a database or using such data to query the database. This is mainly done through forms on the login page and, during an examination, when the student submits answers to the questions. If proper care is not taken, the student might submit SQL code instead of an answer to a question, and if this code is used to execute a query against the database the results are unforeseeable. This is something that needs to be avoided at all costs. The usual way of preventing SQL injection is to escape dangerous characters in the input provided by the user. With PHP this is very easy, since it provides a specific function for that: mysql_real_escape_string($string).

As a simple example, let's suppose we have a login form where the username is required. Normally a query is executed as follows:

// get the username submitted in the form
$username = $_POST['username'];

// define the query (vulnerable: the submitted value is interpolated straight into the SQL string)
$query = "SELECT * FROM Users WHERE username='$username'";

// execute the query
$result = mysql_query($query);

To prevent SQL injection, the username needs to be escaped before the query is built:

$username = mysql_real_escape_string($_POST['username']);

PHP makes SQL injection prevention really simple. Note that in the implementation of this online examination system, escaping was applied only in the login functionality as a demonstration of the technique. Ideally it needs to be applied anywhere user-supplied data are used for constructing SQL queries.
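The login lookup above, as an added example that is not the essay's own code: the vulnerable interpolated query beside the hardened form. The mysql_* functions used in the text were removed in PHP 7, so the hardened version uses a PDO prepared statement, which keeps the submitted value separate from the SQL text; an in-memory SQLite table stands in for the MySQL "Users" table so the script runs offline, and the sample rows and input are constructed.

```php
<?php
// Added example (not the essay's code): the login lookup from the text,
// first with string interpolation and then with a PDO prepared statement.
// PDO with the SQLite driver is assumed to be available.
declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT)");
    $db->exec("INSERT INTO Users (username) VALUES ('alice'), ('bob')"); // constructed rows
    return $db;
}

// Vulnerable form from the text: the submitted value is pasted into the SQL string,
// so a quote character in it changes the structure of the statement.
function find_user_unsafe(PDO $db, string $username): array {
    $query = "SELECT * FROM Users WHERE username='$username'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value is bound to a placeholder and never becomes part of the
// SQL text, so it is only ever compared as data.
function find_user_safe(PDO $db, string $username): array {
    $stmt = $db->prepare("SELECT * FROM Users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$input = "x' OR '1'='1";   // constructed input containing a quote, as the text warns about

echo count(find_user_unsafe($db, $input)), " rows\n"; // 2: the WHERE clause was rewritten
echo count(find_user_safe($db, $input)), " rows\n";   // 0: no user has that literal name
```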

6.2.2 CSRF protection

A vulnerability that is very common on the web today, but is not taken into account in software applications designed for online examination systems, is what is known as a CSRF (cross-site request forgery) attack. In a web application, all actions initiated by the user are performed by making a request to the server, which runs a script that performs the desired action. Usually the script requires some input data submitted by a form. For example, if the administrator wants to delete a student's account, he might submit a form that contains the ID number of the student to be deleted.

Most browsers support navigation with several tabs or windows open, and moreover the user session is not deleted before it expires or the browser is restarted. The consequence is that if a user, after logging in to a website, visits a web page that, without the user's knowledge, sends a request to the first website with instructions to execute some action, the action will be executed, because the request comes from the same browser and session to which the user has already been given the appropriate permissions. The user might not have approved that action and might not even realize it happened.

As an example in the case of an online examination system, a student can submit, instead of an answer to a question, a script that calls a server-side script that deletes another student's account. When the examiner or the administrator logs in and visits the web page where the student's answers are displayed, the script might execute, the browser sends the request to the server, and this might result in the other student's account being deleted.

This form of attack can easily be prevented by using the technique presented by Zeller and Felten (2008). Several techniques have been presented by many developers, but the following technique is the simplest and most effective, and it adds only minimal extra delay to the processing of the form. The technique is essentially to generate a unique, extremely hard to guess keyword for each user session. The keyword can even be unique for each individual form, if extra security is required. It is then stored in the user session, either in a cookie on the user's computer or on the server, which is even more secure. It is also passed as an input to the form that is used for requesting the desired action, but it needs to be a hidden input since the user does not need to be aware of it. When a request is sent to the server by submitting the form, the keyword stored in the session is compared with the corresponding value submitted in the request, and if the values do not match the request is rejected. A simple example of the code used with PHP is given below:

// generate a unique keyword once per session
$_SESSION['csrf-keyword'] = sha1(uniqid(rand(), true));

// include it in the form as a hidden input
<input type="hidden" name="csrf-keyword" value="<?php echo $_SESSION['csrf-keyword'] ?>" />

// when a request is submitted to the server, compare the values
// (strict comparison, so two different strings are never treated as equal)
if (isset($_POST['csrf-keyword']) && $_SESSION['csrf-keyword'] === $_POST['csrf-keyword']) {
    // execute action here
} else {
    // reject the request
}

As with protection for SQL injection, CSRF protection was implemented only for the login forms in this software application to demonstrate the technique. Ideally it should be implemented in all forms that initiate an action that requires special permissions in order to be executed.
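The per-session keyword technique described above, as an added example that is not the essay's own code. It generates the keyword with random_bytes() (PHP 7+) instead of sha1(uniqid()) and compares with hash_equals(); the session is passed in as an array so the functions can run outside a web request, where the application would pass $_SESSION. The field name csrf-keyword is the one used in the text; the sample submissions are constructed.

```php
<?php
// Added example, not the essay's code: CSRF keyword generation, rendering and checking.
declare(strict_types=1);

const CSRF_KEY = 'csrf-keyword';   // field name from the text

// Generate the keyword once per session and keep it server-side.
function csrf_token(array &$session): string {
    if (!isset($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));  // 256 bits, unguessable
    }
    return $session[CSRF_KEY];
}

// The hidden input placed in every form that triggers a privileged action.
function csrf_field(array &$session): string {
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_KEY . '" value="' . $token . '" />';
}

// Accept the request only if the submitted value matches the stored one.
// hash_equals() compares in constant time; a missing or non-string value is rejected.
function csrf_valid(array $session, array $post): bool {
    if (!isset($session[CSRF_KEY], $post[CSRF_KEY]) || !is_string($post[CSRF_KEY])) {
        return false;
    }
    return hash_equals($session[CSRF_KEY], $post[CSRF_KEY]);
}

$session = [];                        // stands in for $_SESSION
$form = csrf_field($session);         // would be echoed inside the delete-account form

// Legitimate submission: the browser sends back the hidden value.
var_dump(csrf_valid($session, [CSRF_KEY => $session[CSRF_KEY], 'student_id' => '42'])); // true
// Forged submissions from another page: no keyword, or a guessed one.
var_dump(csrf_valid($session, ['student_id' => '42']));                                  // false
var_dump(csrf_valid($session, [CSRF_KEY => 'guess', 'student_id' => '42']));             // false
```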

6.2.3 Sensitive data encryption

Even if a web application is properly secured against all the major attacks, there is always the danger that someone manages to gain unauthorized access to the server. There are several methods that crackers use to attack servers, and this is quite common on servers where system administration and configuration are not done carefully. If that happens, it is quite possible that unauthorized access to the database will follow and sensitive data stored in it will be retrieved.

To avoid this situation, sensitive data can be stored in the database in an encrypted form. Encrypting data involves transforming them with a special algorithm into a new form. The resulting data are not readable unless one knows exactly how they were transformed. Several algorithms exist, ranging from simple to complicated and from less to more secure. In this online examination system a simple but secure method for protecting the users' passwords has been implemented. PHP provides several functions for this, and the task becomes easy, as demonstrated below:

$password = sha1($password . $key);

where sha1 is the transformation function and $key is a per-user key that makes the result stronger. Note that sha1 is a one-way hash function rather than a cipher: the stored value cannot be turned back into the password, which is exactly what is wanted here. The timestamp of the moment the user was created can be used as the key, to make sure that the stored value is unique even if more than one user chooses the same password.

The resulting value is then stored in the database. When a user tries to log in to the website, the password sent with the request is transformed in the same way and compared with the value stored in the database. If they match, validation is successful. Note that even though in this application the technique was used only for the passwords in order to demonstrate it, all sensitive data can be stored in protected form where extra security is required.
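The salted-hash scheme above (sha1 of the password plus a per-user key), as an added example that is not the essay's own code, wrapped in register and verify functions, with password_hash()/password_verify() beside it as the replacement current PHP provides for this purpose. It assumes the key is stored alongside the hash, as the text's creation timestamp would be, and generates it randomly rather than from the timestamp so that it is not predictable; the sample passwords are constructed.

```php
<?php
// Added example, not the essay's code: storing and checking passwords with the
// text's sha1($password . $key) scheme, and with password_hash() for comparison.
declare(strict_types=1);

// The scheme in the text, with a random per-user key instead of the creation timestamp.
function legacy_register(string $password): array {
    $key = bin2hex(random_bytes(16));
    return ['key' => $key, 'hash' => sha1($password . $key)];  // both columns are stored
}

function legacy_verify(string $password, array $record): bool {
    // Recompute exactly as at registration and compare in constant time.
    return hash_equals($record['hash'], sha1($password . $record['key']));
}

// Current PHP equivalent: password_hash() picks the salt and a deliberately slow
// algorithm (bcrypt by default) and stores both inside the returned string.
function modern_register(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function modern_verify(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

$rec = legacy_register('s3cret');
var_dump(legacy_verify('s3cret', $rec));   // true
var_dump(legacy_verify('wrong', $rec));    // false

// Two users choosing the same password still get different stored values.
$a = legacy_register('s3cret');
$b = legacy_register('s3cret');
var_dump($a['hash'] !== $b['hash']);       // true

$stored = modern_register('s3cret');
var_dump(modern_verify('s3cret', $stored)); // true
var_dump(modern_verify('wrong', $stored));  // false
```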

6.2.4 Regular asynchronous update of the exam's time

One of the problems often encountered in online examination systems is that if anything happens while a student is taking an examination that stops the process, the student's session is lost. There is no information as to when this happened, and the student will have to take the exam again. There are many cases where this can happen: the server might crash, there might be a power failure, the operating system or the browser might unexpectedly crash. The student might even intentionally close the browser or force the computer to shut down and then claim a power failure in order to get a second chance at taking the test. This would be unfair to other students who had only one opportunity to take the same examination.

One of the important ideas that this work proposes is the implementation of a mechanism that stores the time that a student has used on a record in the database for each test he / she is taking. The record is regularly updated while the student is taking the test. This way if anything interrupts the session, when the student tries to start the same examination the time already used is retrieved from the database and the clock continues counting down from the moment that it had stopped.

The exact mechanism that we propose is as follows: after a student starts an examination, an asynchronous request is sent to the server using JavaScript at regular intervals. This request contains two parameters, the time left until the end of the test and the ID of the database record in which it is stored. The request calls a server-side PHP script that updates the record. This way both the request and the script called are very small, and the mechanism is fast. The problem is solved effectively, and no problem arises if the examination is interrupted for any reason.
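The server-side half of this mechanism, as an added example that is not the essay's own code: the PHP script that receives the asynchronous request. It checks that both parameters are integers, that the record belongs to the logged-in student, and that the new value never increases the time left (the stored value is the upper bound, so a tampered request cannot add time), then updates the record with a prepared statement. The table and column names (exam_sessions, student_id, time_left), the parameter names record_id and time_left, and the sample row are assumptions; an in-memory SQLite table stands in for MySQL and the JavaScript client is not shown.

```php
<?php
// Added example, not the essay's code: handler for the periodic time-left update.
declare(strict_types=1);

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE exam_sessions (id INTEGER PRIMARY KEY, student_id INTEGER, time_left INTEGER)");
    $db->exec("INSERT INTO exam_sessions VALUES (7, 42, 3600)");  // constructed: student 42, 1 hour left
    return $db;
}

// $student_id comes from the authenticated session, never from the request.
// Returns true when the record was updated, false when the request is rejected.
function update_time_left(PDO $db, int $student_id, array $post): bool {
    $id   = filter_var($post['record_id'] ?? null, FILTER_VALIDATE_INT);
    $left = filter_var($post['time_left'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 0]]);
    if ($id === false || $left === false) {
        return false;                            // malformed request
    }
    // Update only the caller's own record, and only downwards: time_left can
    // never be set higher than what is already stored.
    $stmt = $db->prepare(
        "UPDATE exam_sessions SET time_left = :left
          WHERE id = :id AND student_id = :sid AND time_left > :left2"
    );
    $stmt->execute([':left' => $left, ':id' => $id, ':sid' => $student_id, ':left2' => $left]);
    return $stmt->rowCount() === 1;
}

$db = make_db();
var_dump(update_time_left($db, 42, ['record_id' => '7', 'time_left' => '3540'])); // true: normal tick
var_dump(update_time_left($db, 42, ['record_id' => '7', 'time_left' => '5000'])); // false: would add time
var_dump(update_time_left($db, 99, ['record_id' => '7', 'time_left' => '3000'])); // false: not this student's record
var_dump(update_time_left($db, 42, ['record_id' => '7', 'time_left' => 'abc']));  // false: malformed
```

On resume, the same record is read back and the countdown continues from the stored time_left, as the text describes.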