Announcements

• Course Announcment
• Textbooks
• Computer Access
• Class dates: Wed, May 16 through Wed, June 20.
  See the Academic Calendar for details.

Class notes

• HTML and xHTML
  • The script makehtml.pl.
  • Tables
• Cascading Style Sheets
  • Why CSS?
  • Box Model
  • Floats: Introduction.
  • Floats I: Float placement.
  • Floats II: Float drops.
  • Floats III: Float overflow.
• PHP
  • phpinfo.php (the src)
  • helloworld.php (the src)
  • boom.php (the src)
  • starsofstars.php (the src)
  • Length Conversion (the src)
• Forms and HTTP
  • Request a personalized letter (the src)
  • Forms, HTTP GET and POST, URL's.
  • Encoding format for a GET
  • Protocol trace of a PUT
  • Debugging, Looping scripts
  • Code injection and XSS
• MySQL and Relational Databases
  • Three-tiered apps.
  • The relational database and normal forms
  • Notes on relational database
  • An introduction to MySQL and PHP data connectors
  • CRUD: create, update, delete
    • CRUD master script
    • main panel
    • update panel
    • CSS
    • Table description
    • Screen shot
  • SQL injection attacks
  • Script injection attacks
• Sessions and Authentication
  • All about Cookies
  • Monitoring cookies and HTTP headers
  • The PHP Sessions mechanism and example2164
  • HTTP authentication
• Certificates and Payment systems
  • Public key cryptography
  • Certs and Openssl, setting up Apache.
  • DNS and Virtual Hosts
  • Configuration of DNS, firewall and Apache for a virtual domain.
  • Overview of payment systems
    • Interchange fee
    • CVV2
    • Rules for Visa Merchants
    • Bibit and Authorize.net
• Digital rights management
  • Classes taught by Scott Moskowitz of BlueSpike.
• Client side scripting and AJAX
  • Introduction
  • Some sample Javascript programs.
  • DOM Sample Code
  • DOM Introduction
  • An example of AJAX, hit counter (In PHP but currently down).
  • A working AJAX hit counter using Google App Engine, in Python, as a Hit Counter Web Service.

Assignments

• HTML and CSS:
  • Read the book Head First: HTML.
  • Do a web page using 4.01 HTML strict and CSS external style sheet. (example solution)
• PHP:
  • Read the book Web Database Applications, the discussion of 3-tiered applications and the PHP tutorial.
  • Do a PHP script which produces an n-by-n checkerboard of m-by-m squares of *'s. Here is an example.
    Hint: Use monospace font, and adjust line-height.
  • Modify Length Conversion and its style sheeet, improving it.
• PHP/MySQL:
  • Find an SQL injection attack against the CRUD application.
  • Modify the CRUD application to neutralize all such attacks.
  • Add the ability to update multiple records, perhaps with a chain of update screens and preview.
  • Add MD5 hashed passwords with random salt.
  • Create a XSS using the CRUD application. I.e., inject into the database HTML which when (eventually) rendered will be a script.
• Web authentication:
  • Read Dos and Don'ts by Kevin Fu, et. al.
  • Read A Guide to Web Authentication Alternatives, Jan Wolter
  • Read some background information on CAS.
  • Log into MyUM using CAS. What cookies are passed?
  • Using the IE and the Firefox browsers, how can these cookies be deleted?
  • What should be the proper operation of these cookies? Which cookies need to be kep secret? Which cookies when deleted should end the session?
• Payment systems
  • Read documentation from Authorize.Net.
  • Follow PHP examples.
  • Read about PCI DSS.
  • Read Rules for Visa Merchants.
  • Write a payment client, on hold until account created
• Read papers about DRM, for tomorrow's class.
• Javascript
  • Read Learnng Javascript or the Core JavaScript 1.5 Guide and some DOM introduction.
  • Write a javascript to calculated interest rate from payment and principal.
  • Write a javascript to verify the checksum of an entered credit-card number.
  • Write a javascript to do expanding menus, and include in your earlier project for a webpage.

References

• HTML 4.01 Specification
• CSS 2.1 Specification
• PHP Tutorial and Reference Manual
• MySQL Reference Manual
• JavaScript reference
• Standrd ECMA-262: ECMAScript Language Specification 3ird edition.
• Document Object Model in Mozilla
• AJAX documentation.
• RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
• RFC 2396: Uniform Resource Identifiers (URI): Generic Syntax
• RFC 2109: HTTP State management. I.e. Cookies! (See also RFC 2965.)
• RFC 1034: DNS.
• Jemima Pereira's 4096 Color Wheel
• More Crayon's color cube, based on the RGB square.
• The 216 web colors arranged by VisiBone.
• Signal vs. Noise
• Getting Real, development by 37signals.
• John Maeda
• My first bookmark for typography
• Position is Everything: Modern browser bugs explained.
• A List Apart: the art and industry of web sites.
• REST: Representational State Transfer.
• A relation model of data for large shared data banks, E. F. Codd. Comm ACM 13(6) June 1970. pp 377-387.
• The Third Manifesto by Darwen and Date. About relational databases.
• Introduction to Data Modeling with the relational model explained.
• Dos and Don'ts of Client Authentication on the Web by K. Fu, E. Sit, K. Smith and N. Feamster.
• The Failure of Client Authentication the Web by Kevin Fu.
• Defeating Script Injection Attacks with Bowser-Enforced Embedded Policies, T. Jim, N. Swamy and M. Hicks, WWW 2007, 2007.
• CAS: the central authentication system.
• A Guide to Web Authentication Alternatives, Jan Wolter
• Introducing SSL and Certificates using SSLeay by Frederick Hirsch.
• OpenSSL Command-Line HOWTO
• PCI Security Standards Council
• Rules for Visa Merchants
• Dojo: JavaScript Toolkit
• Prototype: a JavaScript Framework

References for Digital Rights Management

• The Darknet and the Future of Content Distribution, by Biddle, England, Peinado and Willman. (PDF)
• Introduction - Digital Rights Management, Scott Moskowitz.
• The evolution of price discrimination in transportation and its implications for the Internet, A. M. Odlyzko.
• Cryptography and Competition Policy - Issues with Trusted Computing, Ross Anderson.
• Trusted Computing, Peer-To-Peer Distribution, and the Economics of Pirated Entertainment, Schechter, Greenstadt, Smith.
• Supreme Court Decision in the case of MGM v. Grokster.
• On the (im)possibility of obfuscating programs, Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan and Yang. Crypto 2001.
• Bandwidth as Currency, Scott Moskowitz.
• Architectures for forensic watermarking in A/V products, Joseph E. Oren.