Category:I702 Web Application Programming

From ICO wiki
Jump to navigationJump to search


Intro

This course is 5 ECTS and it's mandatory for CSE students. Other ITC students may also attend and CSE students who comprehend Estonian can follow the I244 lectures.

The main point of this course is to get to know the software stack that is used to build modern web applications and by the end of the course being able to write a web application and if we'll have enough time - to deploy it on a (virtual) server and defend it. Deduplicate your work and combine the work of this course with Python and Research Project courses.


  • Progress visible in Git from day one
  • Possible scenarios to pass the course:
    • classic: Build a simple mobile-frindly webshop with shopping cart using PHP, MySQL, Apache, Ubuntu.
    • Substitute a component (see below) you don't like and do the same
    • Scratch your own itch, develop something that largely makes use of following technologies and it is relevant to you
    • Extend WordPress, Joomla etc to build a website for your customer, eg. when you're working already
    • Pick a project idea from Python course page, there are several ideas which more or less constitute as web apps.
    • Find an interesting web application that's participating on Google Summer of Code, get to know the community, prepare for participation on GSoC and successfully finish the GSoC.
  • If this is your first experience with this sort of stuff make sure you go HTML & CSS, JavaScript, jQuery and SQL tracks on CodeAcademy and start with simply creating your homepage :)
  • For page layouts check Twitter Bootstrap


Lecture/lab #1

Lecture recording #1, lecture recording #2

Use following as barebone for your PHP application, check here for semantic tags of HTML5:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8"/>
    <meta name="description" content="Introduction to this guy's website">
    <title>This goes into the titlebar</title>
    <link rel="css/style.css" type="text/css"/>
    <script type="text/javascript" src="js/main.js"></script>
  </head>
  <body>
    <header>
      Your shop name goes here
    </header>
    <nav>
      Navigation links go here
    </nav>
    <section>
      Product items go here
    </section>
    <article>
      The actual content goes here
      <?php echo "This, is hellõu from PHP!"; ?>
    </article>
    <aside>
      Context specific links go here
    </aside>
    <footer>
      Footer goes here
    </footer>
  </body>

</html>

Use phpMyAdmin to create a table for your web shop's products:

CREATE TABLE IF NOT EXISTS `lauri_products` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(30) NOT NULL,
  `description` text NOT NULL,
  `price` decimal(10,2) NOT NULL,
  PRIMARY KEY (`id`)
);

Listing items from MySQL database can be implemented with mysqli:

<ul>
  <?php

    $conn = new mysqli("localhost", "test", "t3st3r123", "test");
    $results = $conn->query(
      "SELECT id,name,price FROM lauri_products;");

    while ($row = $results->fetch_assoc()) {
      ?>
        <li>
          <a href="description.php?id=<?=$row['id']?>">
            <?=$row["name"]?></a>
            <?=$row["price"]?>EUR
        </li>
      <?php
    }

    $conn->close();

  ?>
</ul>

Description page:

<a href="index.php">Back to product listing</a>

<?php
$conn = new mysqli("localhost", "test", "t3st3r123", "test");
$statement = $conn->prepare(
  "SELECT `name`, `description`, `price` FROM" .
  " `lauri_products` WHERE `id` = ?");
$statement->bind_param("i", $_GET["id"]);
$statement->execute();
$results = $statement->get_result();
$row = $results->fetch_assoc();
?>

<span style="float:right;"><?=$row["price"];?>EUR</span>
<h1><?=$row["name"];?></h1>

<p>
  <?=$row["description"];?>
</p>

Occasionally you might want to get all rows from a table, this can be achieved with fetch_all method:

<ul>
  <?php
 
    $conn = new mysqli("localhost", "test", "t3st3r123", "test");
    $results = $conn->query(
      "SELECT id,name,price FROM lauri_products;");
    $rows = $results->fetch_all(MYSQLI_ASSOC); // Pull ALL results
    $conn->close();
     
    foreach ($rows as $row) {
      ?>
        <li>
          <a href="description.php?id=<?=$row['id']?>">
            <?=$row["name"]?></a>
            <?=$row["price"]?>EUR
        </li>
      <?php
    }
  ?>
</ul>

Lecture/lab #2

Place the header and footer in different files header.php and footer.php and include them like this:

<?php
require_once "config.php";
include "header.php";
$conn = new mysqli(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
if ($conn->connect_error)
  die("Connection to database failed:" .
    $conn->connect_error);
$conn->query("set names utf8"); // Support umlaut characters
?>
<!-- Page specific stuff goes here -->
<? include "footer.php" ?>

Make sure session is started in header.php:

<?php
session_start();
if (!array_key_exists("cart", $_SESSION)) {
    $_SESSION["cart"] = array();
}
?>

Also create config.php, DO NOT commit this to the Git repository below:

<?php
// This is site specific configuration! Do not commit this to Git!
define("DB_SERVER", "localhost");
define("DB_USER",   "test");
define("DB_PASS",   "t3st3r123");
define("DB_NAME",   "test");
?>

In the product description page place "Add to cart" button:

<form method="post" action="cart.php">
  <input type="hidden" name="id" value="<?=$_GET["id"];?>"/>
  <input type="submit" value="Add to cart"/>
</form>

Create cart.php for adding items to the cart and displaying the shopping cart contents:

$product_id = intval($_POST["id"]);
if (array_key_exists($product_id, $_SESSION["cart"])) {
    $_SESSION["cart"][$product_id] += 1;
} else {
    $_SESSION["cart"][$product_id] = 1;
}
var_dump($_SESSION["cart"]);

Set up your Git, you'll have to do this again if you change computer:

git config --global user.name "$(getent passwd $USER | cut -d ":" -f 5)"
git config --global user.email $USER@itcollege.ee
git config --global core.editor "gedit -w -s"

Create a repository at Github and in your source code tree:

git init
git remote add origin git@github.com:user-name/repo-name.git
git add *.php js/*.js css/*.css
git commit -m "Initial commit"
git push -u origin master

Add .gitignore, README.md files. Check out if it looks more or less like this.


Lecture/lab #3

This time we improved our shopping cart code and applied some styling to the website.

Exercises:

  • When adding items to cart, make it possible to select count of items using a combobox.
  • Add grand total calculation for the shopping cart.
  • Split your CSS files to three: common design, design for displays and design for printers, check out page source of this


Lecture/lab #4

Set up database table for user accounts:

CREATE TABLE IF NOT EXISTS `lauri_users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `email` varchar(64) NOT NULL,
  `password` varchar(256) NOT NULL,
  `first_name` varchar(64) NOT NULL,
  `last_name` varchar(64) NOT NULL,
  `phone` varchar(20) DEFAULT NULL,
  `dob` date NOT NULL,
  `salutation` varchar(5) DEFAULT NULL,
  `vatin` varchar(12) DEFAULT NULL,
  `company` varchar(64) DEFAULT NULL,
  `country` char(2) NOT NULL,
  `address` varchar(256) DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`)
);


Form for entering the data:

<form method="post" action="regsubmit.php">
  <div>
    <label for="email">E-mail</label>
    <input type="email" name="email" required/>
  </div>
  <div>
    <label for="password">Password</label>
    <input type="password" name="password" required/>
  </div>
  <div>
    <select name="country">
      <option value="ee">Estonia</option>
      <option value="lt">Latvia</option>
      <option value="lv">Lithuania</option>
    </select>
  </div>
  <div>
    <label for="phone">Telephone number</label>
    <input type="tel"/>
  </div>
  <div>
    <label for="vatin">VAT indication number</label>
    <input type="text" pattern="([A-Z0-9]{4,14})?$"/>
  </div>
  <div>
    <label for="dob">Date of birth</label>
    <input type="date" name="dob" placeholder="dd/mm/yyyy" required/>
  </div>
  <div>
    <label for="first_name">First name</label>
    <input type="text" name="first_name" required/>
  </div>
  <div>
    <label for="last_name">Last name</label>
    <input type="text" name="last_name" required/>
  </div>
  <div>
    <input type="submit"/>
  </div>
</form>

PHP code for processing submission:

require_once "config.php";
include "header.php";
$conn = new mysqli(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
if ($conn->connect_error)
  die("Connection to database failed:" .
    $conn->connect_error);
$conn->query("set names utf8");

$statement = $conn->prepare(
"INSERT INTO `lauri_users` (
    `email`,
    `password`,
    `first_name`,
    `last_name`,
    `phone`,
    `dob`,
    `salutation`,
    `vatin`,
    `company`,
    `country`,
    `address`)
VALUES (?, PASSWORD(?), ?, ?, ?, ?, ?, ?, ?, ?, ?)");

# whenever you get "call to a member function ... on a non-object" this means something
# is failing **before** that line so you have to manually check for errors like this:
if (!$statement) die("Prepare failed: (" . $conn->errno . ") " . $conn->error);

$statement->bind_param("sssssssssss",
    $_POST["email"],
    $_POST["password"],
    $_POST["first_name"],
    $_POST["last_name"],
    $_POST["phone"],
    $_POST["dob"],
    $_POST["salutation"],
    $_POST["vatin"],
    $_POST["company"],
    $_POST["country"],
    $_POST["address"]);

if ($statement->execute()) {
    echo "Registration was successful! <a href=\"index.php\">Back to main page</a>";
} else {
    if ($statement->errno == 1062) {
       // This will result in 200 OK
       echo "This e-mail is already registered";
    } else {
       // This will result in 500 Internal server error
       die("Execute failed: (" .
           $statement->errno . ") " . $statement->error);
    }
}

Lecture/lab #5

Login form for our web shop:

<form action="login.php">
  <input type="text" name="user"/>
  <input type="password" name="password"/>
  <input type="submit" value="Log in!"/>
</form>


Create login.php:

// This is login.php, here we check if user provided proper credentials
var_dump($_POST); // This is just to check that the data gets to server
include "config.php";

// This is copy-paste from description.php!
$conn = new mysqli(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
if ($conn->connect_error)
  die("Connection to database failed:" .
    $conn->connect_error);

$conn->query("set names utf8");

$statement = $conn->prepare(
"SELECT * FROM lauri_users 
WHERE email = ? AND password = PASSWORD(?)"); // I PROMISE I WILL NEVER USE THIS IN PRODUCTION

$statement->bind_param("ss", $_POST["user"], $_POST["password"]);
$statement->execute();
$results = $statement->get_result();
$row = $results->fetch_assoc();

if($row) {
    echo "Login successful, hello " . $row["first_name"];
    $_SESSION["user"] = $row["id"]; // This just stores user row number!
} else {
    echo "Login failed";
}

Note that in production you should follow guidelines on storing passwords in safe manner, such as PBKDF2!

In index.php navigation bar:

if (array_key_exists("user", $_SESSION)) {
   echo "Hello" . $_SESSION["user"];
   // Put link to logout.php here
} else {
   // Show the login form above
}

For logging out create another file logout.php:

session_start();
unset($_SESSION["user"]);
header("Location: index.php");

Exercises:

  • Create changepassword.php where use could change their password

Lecture/lab #6: SQL foreign keys and join queries

This time we added two database tables for storing orders.

Database table for orders, again use phpMyAdmin to import it:

CREATE TABLE IF NOT EXISTS `lauri_orders` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `created` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `shipped` timestamp NULL DEFAULT NULL,
  `paid` timestamp NULL DEFAULT NULL,
  `shipping_address` text,
  `user_id` int(11) NOT NULL,
  PRIMARY KEY (`id`)
);

Also add many to many relationship between order and products belonging to a particular order:

CREATE TABLE IF NOT EXISTS `lauri_order_products` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `order_id` int(11) NOT NULL,
  `product_id` int(11) NOT NULL,
  `count` int(11) NOT NULL,
  `unit_price` decimal(10,2) NOT NULL,
  PRIMARY KEY (`id`)
);

Populate both tables with some arbitrary data and verify you get sensible output with SQL snippets below.

Following SQL query lists orders belongin to a certain user:

select
  `lauri_orders`.`id` as `order_id`,
  `lauri_orders`.`shipping_address` as `shipping_address`,
  `lauri_orders`.`created` as `created`
from
  `lauri_orders`
where
  `lauri_orders`.`user_id` = 2

Following SQL query joins data from two tables to generate list of items belonging to a certain order:

select
  -- The format here is `table_name`.`column_name` as `Whatever you want to call it`
  `lauri_order_products`.`id` as `order_product_id`,
  `lauri_order_products`.`product_id` as `product_id`,
  `lauri_products`.`name` as `product_name`,
  `lauri_order_products`.`unit_price` as `order_product_unit_price`,
  `lauri_order_products`.`count` as `order_product_count`,
  `lauri_order_products`.`unit_price` * `lauri_order_products`.`count` as `subtotal`
from
  `lauri_order_products`
join
  `lauri_products`
on
  -- We select all rows from lauri_order_products table and then
  -- try to find a matching row based on following condition
  `lauri_order_products`.`product_id` = `lauri_products`.`id`
where
  `lauri_order_products`.`order_id` = 1

Add database indexes so we could rapidly search by these columns:

ALTER TABLE `lauri_orders` ADD INDEX (`user_id`);
ALTER TABLE `lauri_order_products` ADD INDEX (`product_id`);
ALTER TABLE `lauri_order_products` ADD INDEX (`order_id`);

Add foreign key constraints to bind one table to another:

ALTER TABLE `lauri_orders`
  ADD CONSTRAINT `user_fk` FOREIGN KEY (`user_id`) REFERENCES `lauri_users` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION;
ALTER TABLE `lauri_order_products`
  ADD CONSTRAINT `product_fk` FOREIGN KEY (`product_id`) REFERENCES `lauri_products` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION,
  ADD CONSTRAINT `order_fk` FOREIGN KEY (`order_id`) REFERENCES `lauri_orders` (`id`) ON DELETE CASCADE ON UPDATE NO ACTION;

You should end up with a database schema like this:


Exercises:

  • Add orders.php for showing a list of orders belonging to a certain user. Copy boilerplate code from description.php.
  • Add orderdetail.php for listing items in a particular order. Use GET parameter 'id' to specify order id. Copy boilerplate code from description.php.
  • Split your CSS files to three: common design, design for displays and design for printers, check out page source of this.

Extra: Web server configuration and SSL

This time we discussed a bit devops - how to set up web server on your machine to serve your web application.

You can use any Ubuntu/Debian based machine and simply do:

sudo apt-get install apache2 libapache2-mod-php5 php5-mysqlnd

After that you can simply place files under /var/www/html and point your web browser to the IP address of the machine, which in case of your laptop is http://localhost

The easiest way to set up and manage a MySQL database is by installing phpMyAdmin:

sudo apt-get install phpmyadmin mysql-server

Password for the root database user is asked, remember to save this for later! Open up http://localhost/phpmyadmin and log in with username root and the same password. Remember that MySQL root user is distinct from the operating system user root!

Katrin will show you how to install and manage Ubuntu in Operating systems course.

To tweak Apache configuration file following directories:

/etc/apache2/sites-enabled/
/etc/apache2/conf-enabled/
/etc/apache2/mods-enabled/

After tweaking you need to restart the server of course:

service apache2 restart


To fake a domain name on your personal machine you can modify the hosts file and then point your web browser to that file:

127.0.0.1 mycoolwebsite.com


Exercises, these you can do only on your personal machine at the moment:

  • Set up Apache 2 web server with two virtual hosts
  • Set up ID-card authentication for your website and attempt to grab the isikukood (national identification number) in the PHP code

Lecture/lab #7: Uploading files

We basically have two options for uploading files to server:

  • Use BLOB datatype for the column
  • Store filename in varchar field and move the file to an uploads directory

This is an example implementation for the latter. It calculates the SHA1 checksum of the file and appends the original file name extension. This way the files are deduplicated as well :)

<html>
  <body>
    <form method="post" enctype="multipart/form-data">
      <input type="text" name="product_title"/>
      <input type="text" name="product_description"/>
      <input type="file" name="product_image" required/>
      <input type="file" name="product_thumbnail"/>
      <input type="submit"/>
    </form>
    <!-- You also need:
    mkdir uploads
    chmod 777
    -->
    <?php
    if (array_key_exists("product_image", $_FILES)) {
      $finfo = finfo_open(FILEINFO_MIME_TYPE);
      $mimetype = finfo_file($finfo, $_FILES["product_image"]["tmp_name"]);
      if ($mimetype != "application/pdf") die("Go away!");

      $checksum = sha1(file_get_contents(
        $_FILES["product_image"]["tmp_name"])) . "." .
        pathinfo($_FILES["product_image"]["name"], PATHINFO_EXTENSION);
      if (!file_exists("uploads/" . $checksum)) {
        copy(
          $_FILES["product_image"]["tmp_name"],
          "uploads/" . $checksum);
      }
    }
    ?>
    <p>Mimetype was: <?= $mimetype; ?></p>
    <p>Checksum was: <a href="uploads/<?=$checksum;?>"><?=$checksum;?></a>
    <p>Filename was: <?=$_FILES["product_image"]["name"];?></p>
    <p>File stored at: <?=$_FILES["product_image"]["tmp_name"];?></p>
  </body>
</html>

Lecture/lab #7: JavaScript and CSS selectors

This will simply load the file from given URL and place the response into #content

// In HTML we only have <button id="update_cart">Update cart</button> to trigger update
// and <div id="shopping_cart">Initially empty</div> for placing the shopping cart in the webpage

// Wait page to be loaded and then associate click event
document.addEventListener("DOMContentLoaded", function() {
  document.querySelector("#update_cart").addEventListener(
   "click", updateCart
  );
});

// This only defines updateCart function, but it does not run it!
function updateCart() {
  var request = new XMLHttpRequest();
  request.open('GET', 'cart.php', true);

  // This is an example of callback
  request.onload = function() {
    // This function runs once response has been received
    if (request.status >= 200 && request.status < 400) {
      document.querySelector("#shopping_cart").innerHTML =
        request.responseText;
    }
  };

  // This will only start the request
  request.send();
}

Form submission is fairly easy with vanilla JavaScript as well, of course jQuery's $.post is a bit simpler:

function removeItem() {
  console.info("Going to remove product with id from cart:", this.dataset.product_id);

  var formData = new FormData();
  formData.append("id", this.dataset.product_id);
  formData.append("count", -1);

  var request = new XMLHttpRequest();
  request.open('POST', 'cart.php', true);
  request.send(formData);
}

The dataset.product_id comes from the data- attributes, you can automatically generate these in cart.php:

<button id="
  data-product_id="1"
  onClick="removeItem">Remove item</button>

Extra: real-time communications with nchan

This time we did some connection juggling with nchan, see demo here. Feel free to integrate it to your web shop customer support :)

Chatroom HTML:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8"/>
    <title>This goes into the titlebar</title>
    <script type="text/javascript" src="js/main.js"></script>
  </head>
  <body>
    <h1>Chatroom</h1>
    <div>Messages go here</div>
    <input id="name" type="text" placeholder="Nick goes here"/>
    <input id="msg" type="text" placeholder="Your msg goes here"/>
    <button onClick="sendMessage();">Go!</button>
  </body>
</html>

Chatroom JavaScript:

// EventSource is sort of like a class
var source = new EventSource("http://push.koodur.com/ev/chatroom");

// Here we associate a function with the event of message coming in
source.onmessage = function(event) {
  console.log("Received server-sent event:", event.data);
  document.querySelector("div").innerHTML +=
      "<br/>" + event.data;
 
}

function sendMessage() {
  var request = new XMLHttpRequest();
  request.open('POST', 'http://push.koodur.com/pub?id=chatroom', true);
  var data = document.querySelector("#name").value + ": " +
	document.querySelector("#msg").value;
  console.info("About to send:", data);
  request.send(data);
}


Python client example:

import requests
# requests is performing HTTP request
r = requests.get("http://push.koodur.com/ev/chatroom",
	headers={"Accept": "text/event-stream"}, stream=True)

for line in r.iter_lines():
    print "Got line:", line

If you want to set up nchan server yourself the configuration in /etc/nginx/sites-enabled/blah

server {
    listen 80;
    listen 443 ssl;
    server_name push.koodur.com;

    location /pub {
        nchan_publisher http;
        #allow 185.94.112.76; # Whitelist this IP address for publishing
        nchan_channel_id $arg_id;
        add_header Access-Control-Allow-Origin http://enos.itcollege.ee;
    }

    location ~ "^/lp/(.*)" {
        nchan_subscriber longpoll;
        nchan_channel_id $1;
    }

    location ~ "^/ev/(.*)" {
        nchan_subscriber eventsource;
        nchan_channel_id $1;
    }
}

Requirements

Following are the requirements for the traditional+modern web application:

  • It doesn't look terrible a'la jurandi kodukas.
  • Makes use of WebFonts
  • Makes use of HTML5 input types
  • Makes use of CSS3 styling
  • Makes use of JavaScript additional user input validation.
  • Makes use of server side programming language (eg PHP, node.js, Python, Ruby)
  • Makes use of a database eg (MySQL, Postgres or NoSQL) in a safe manner, avoids SQL injections.
  • Mobile friendly, same web application has to work comfortably on desktop, phones and tablets as well.
  • Makes use of cookies for sessions.
  • Conforms to standards, use W3C Validation Service to check.
  • Can be used by visually impaired people, this usually means the web application has to be usable from a text-based web browser such as links, lynx or w3m.



Optional features


  • Estonian ID-card login
  • Social network login buttons
  • Use nchan or node.js etc for implementing real-time communication between the server and web browser using EventSource or WebSockets.


Deployment on school infrastructure


Traditional PHP+MySQL can be deployed on enos.itcollege.ee:

  • if you're using Windows computers at school simply place the PHP files under H:\public_html
  • if you're using Ubuntu computers at school simply place the PHP files under ~/Documents/public_html
  • if you're using Windows remotely use PuTTY, WinSCP or Swish to connect to enos.itcollege.ee with your school credentials
  • if you're using Ubuntu remotely, press Ctrl-L in file browser and enter sftp://user@enos.itcollege.ee/home/user/public_html

Use phpMyAdmin on http://enos.itcollege.ee/phpmyadmin to administer the database, the username is test and password is t3st3r123

This category currently contains no pages or media.