Add a comment system to the existing web page that allows users to post comments. Pay particular attention to the implementation of the security and filter features.
Overview
This week, you will add a threaded commenting system to your project, and
implement some basic security and filtering features for commenting.
Specifically, you will need to create a database to store comments, read/write
to the database, and implement basic filtering & security features for user
comments. Additionally, you will be submitting your final project proposal.
Again, the following information is written for PHP and MySQL, but feel free to
use other languages you like. However, for this assignment, we are limiting you
to some form of SQL database.
Part 0: Final Project Proposal
Summary
For the last four weeks of the semester, you will work on a Final Project of
your choice. For this week, you must submit a project proposal electronically
as a PDF to your moderator by the start of your section.
There are no restrictions on what language, frameworks, or tools that you use,
but your project:
- Cannot be any work you are getting paid for
- Cannot be any project or assignment for another course you are currently taking
- Must have clear, concrete objectives for each week
- Must include tools for testing, as this will be part of each week’s requirements
The proposal should be a PDF containing a summary of the project, your
motivation for the project, and specific requirements for each week.
Specifically, your proposal should include:
- Description/summary of project and your motivation for choosing this project
- Technical information about your project & specifications
- Planned final features
- Detailed timeline, including requirements week by week
We realize that it is difficult to plan your project week by week without
actually implementing it, but this is a key part of the design process.
Caveats
In addition to individual final projects, we will allow
- Group projects (up to 3 students) - with approval from the moderators of the involved students
- Open Source or existing projects - subject to special approval from the TAs or Professor Woodley
With either of these special cases, you must very clearly define your
contributions specifically. For group projects, all moderators involved must
be emailed the same proposal, and this proposal should clearly define the
contributions of each member individually.
Before contacting the course staff with ideas for either one of these types of
projects, you must have a clear description of what you plan on contributing
individually, as grading each week is done on an individual basis.
Format and Examples
We expect you to follow a predefined format for your project proposals. The
required format can be found here: Template.docx, Template.pdf
The following is an example of a group proposal that follows this format:
Example.pdf.
Updating Your Proposal
Each week, your actual progress may differ from your planned progress. We
understand that this may happen, and as you implement your project each week,
you should update your proposal as well. This may include any changes to
technologies for your project. Stay in communication with your moderator: ask
before making drastic changes to your proposal in the following weeks, and send
him or her any updates to your proposal.
Part I: Database Design
If you are unfamiliar with SQL, we suggest you go through the W3 Schools SQL
tutorial before continuing. Unlike previous iterations of this assignment, you
are strictly required to use a form of SQL database.
If you are not using the LAMP stack and PHP, your framework will use other
database structures. Make sure to read up on how they work and be able to
describe how you designed your database to your moderator.
First, you will need to decide how you want to store your data in the
database. Think about what table(s) you need and what columns each of those
tables needs to have.
Feel free to use the phpMyAdmin that is built into cPanel to construct your
tables and experiment with your design. However you initially create your
database, remember to include the SQL statement(s) that generated your schema
in SVN (i.e. in your README or in separate SQL files).
Hint for Comment Schema
There are many ways to implement comments in your database, but consider
taking a tree-based approach using nested sets (preferred) or by just directly
storing ids for each comment, and adding a field for the parent and/or child
id of a comment.
Part II: Implement Commenting
The second step this week is to create some basic forms and display pages to
show your comments. You will need to extend the content you generated last week
so that your main portfolio page links to your comments and displays them.
Use CSS to style these pages and make them look presentable. How can you
indicate that a comment is in reply to another? How do you place the tree of
comments on a single page? Take a look at the comment pages on sites like
Slashdot and Reddit for inspiration. If the template you used last week
included some styling for comments, feel free to use that for this week’s
styling.
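As an added example covering both the schema hint in Part I and the threaded display in Part II (this is not code from the assignment; the table and column names are my own choices), here is a nested-set comment table in SQLite: inserting a reply widens the parent's interval, and a single query returns the whole thread in display order together with each comment's depth.

```python
import sqlite3

# Added example: a nested-set comment tree. Each comment owns an interval
# [lft, rgt]; a reply's interval lies strictly inside its parent's, so a
# whole thread can be read back, already ordered, from one query.
SCHEMA = """CREATE TABLE comments (
    id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL,
    lft INTEGER NOT NULL, rgt INTEGER NOT NULL);"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def add_comment(db, author, body, parent_id=None):
    """Insert a comment; with parent_id it becomes that comment's last reply.
    Every query uses bound parameters, never SQL built from user strings."""
    if parent_id is None:
        # Top-level comment: append after the current right-most interval.
        lft = db.execute("SELECT COALESCE(MAX(rgt), 0) + 1 FROM comments").fetchone()[0]
    else:
        row = db.execute("SELECT rgt FROM comments WHERE id = ?", (parent_id,)).fetchone()
        if row is None:
            raise ValueError("unknown parent comment")
        lft = row[0]
        # Open a gap of width 2 at the parent's right bound: the parent and
        # its ancestors grow, everything further right shifts by 2.
        db.execute("UPDATE comments SET rgt = rgt + 2 WHERE rgt >= ?", (lft,))
        db.execute("UPDATE comments SET lft = lft + 2 WHERE lft > ?", (lft,))
    cur = db.execute(
        "INSERT INTO comments (author, body, lft, rgt) VALUES (?, ?, ?, ?)",
        (author, body, lft, lft + 1))
    db.commit()
    return cur.lastrowid

def threaded(db):
    """(depth, id, author, body) rows in display order; depth is the number
    of enclosing intervals, found with a correlated subquery."""
    return db.execute("""
        SELECT (SELECT COUNT(*) FROM comments a
                 WHERE a.lft < c.lft AND a.rgt > c.rgt) AS depth,
               c.id, c.author, c.body
          FROM comments c ORDER BY c.lft""").fetchall()

def render(db):
    """Indent each reply under its parent (the real page would use CSS)."""
    return "\n".join("  " * d + f"{a}: {b}" for d, _, a, b in threaded(db))
```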
Part III: Lock things Down
Next, secure your portfolio against malicious user input to comments. Using
techniques such as prepared statements and proper string escaping, secure your
code at minimum against SQL Injection Attacks and Cross-site Scripting
Attacks. Use the internet to find resources about how to accomplish these
goals with PHP.
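To make the two requirements in Part III concrete, here is an added example (my own code, not the assignment's, using SQLite in place of MySQL) that shows the same author lookup written once with string concatenation and once with a bound parameter, plus output escaping for the comment body; the table contents are constructed.

```python
import html
import sqlite3

# Added example: constructed comment table with one body that is itself markup.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
db.executemany("INSERT INTO comments (author, body) VALUES (?, ?)", [
    ("alice", "hello"),
    ("bob", '<script>alert("xss")</script>'),
])

def comments_by_author_unsafe(name):
    """VULNERABLE: the user's string is spliced into the SQL text, so a quote
    in the input changes the structure of the query instead of its value."""
    sql = f"SELECT body FROM comments WHERE author = '{name}'"
    return [row[0] for row in db.execute(sql)]

def comments_by_author(name):
    """Hardened: the value is bound to a placeholder (a prepared statement in
    PDO/mysqli terms) and is never parsed as SQL, whatever it contains."""
    sql = "SELECT body FROM comments WHERE author = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def render_comment(body):
    """Escape at output time so a stored body is shown as text rather than
    interpreted as HTML (the PHP counterpart is htmlspecialchars with ENT_QUOTES).
    Escaping on output, not on input, keeps the database holding plain text."""
    return f'<p class="comment">{html.escape(body, quote=True)}</p>'
```

The unsafe function returns every row for the test input below; the hardened one treats the same input as a literal, non-existent author name.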
Part IV: Filter Comments
For the last step, you will need to implement a basic content filtering
system. You will need to compile a list of “red flag” words/phrases and
acceptable replacement words/phrases. This list must have at least 5 entries,
but feel free to add as many as you would like. When a user enters a comment
with a “red flag” word or phrase, it should be automatically replaced with the
corresponding replacement word. Store your “red flag” words/phrases and their
corresponding replacements in the database.
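Here is an added example of the Part IV filter (again my own code, not the assignment's): the red-flag phrases and replacements live in a table, the filter is compiled from that table, and it is applied once when a comment is stored. The word list is constructed and the table names are assumptions.

```python
import re
import sqlite3

# Added example: red-flag phrases stored in the database, applied at write time
# so the comments table never holds the unfiltered text.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE red_flags (phrase TEXT PRIMARY KEY, replacement TEXT NOT NULL);
CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL);
""")
# Constructed sample list (the assignment requires at least five entries).
db.executemany("INSERT INTO red_flags VALUES (?, ?)", [
    ("darn", "gosh"), ("heck", "heavens"), ("stupid", "silly"),
    ("shut up", "hush"), ("loser", "pal"),
])

def load_filter(db):
    """Compile one case-insensitive regex from the table. Longer phrases come
    first so "shut up" wins over any shorter overlapping entry; \\b stops a
    flagged word from matching inside a longer word; re.escape neutralises
    any regex metacharacters a stored phrase might contain."""
    rows = db.execute("SELECT phrase, replacement FROM red_flags").fetchall()
    if not rows:
        return None, {}          # empty table: nothing to filter
    rows.sort(key=lambda r: -len(r[0]))
    table = {phrase.lower(): repl for phrase, repl in rows}
    alternation = "|".join(re.escape(phrase) for phrase, _ in rows)
    return re.compile(r"\b(" + alternation + r")\b", re.IGNORECASE), table

def filter_comment(db, text):
    """Replace every red-flag phrase with its stored replacement."""
    pattern, table = load_filter(db)
    if pattern is None:
        return text
    return pattern.sub(lambda m: table[m.group(0).lower()], text)

def post_comment(db, text):
    """Filter, then store with a bound parameter; returns (id, stored body)."""
    clean = filter_comment(db, text)
    cur = db.execute("INSERT INTO comments (body) VALUES (?)", (clean,))
    db.commit()
    return cur.lastrowid, clean
```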
Testing
For this week, write automated unit tests to test your commenting and security
features. That is, you should have some test code that creates comments,
replies to comments, checks for proper filtering, checks for proper SQL
injection attack prevention, etc. Your tests should work by invoking the
scripts you wrote to post comments, then verify they are properly placed in
the database.