Laboratory
Securing Information Systems
Of the three elements of the security triad (confidentiality, integrity and availability), it is common practice to use
encryption, authentication and auditing to achieve the confidentiality of a system. Popular methods of
authentication include logins using passwords, fingerprints, barcode readers, etc.
What techniques can be used to achieve integrity and availability of information?
In this chapter we will see how you can achieve confidentiality through authentication, authorization and
encryption. In addition, a simple login monitoring table that can be used for security auditing is
built using PHP.
Confidentiality
A. Authentication using Logins
i. Creating and Designing a Login Form
1. Create your own folder under C:\xampp\htdocs\
2. Copy the following folders (Bootstrap CSS and JavaScript) into the folder you created. (Take the
folders from your teacher or download them from the official Bootstrap site.)
- data
- dist
- js
- less
- vendor
3. Create a new PHP file in Dreamweaver and save it as index.php inside the folder you created.
4. Insert the line of code below the <meta charset="utf-8"> tag.
Course Page
1
<meta name="viewport" content="width=device-width, initial-scale=1">
5. Below your </title> tag, link the following CSS.
<link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<link href="vendor/metisMenu/metisMenu.min.css" rel="stylesheet">
<link href="vendor/bootstrap-social/bootstrap-social.css" rel="stylesheet">
<link href="dist/css/customized.css" rel="stylesheet">
<link href="vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
6. Before the </body> tag, add the following scripts.
<script src="vendor/jquery/jquery.min.js"></script>
<script src="vendor/bootstrap/js/bootstrap.min.js"></script>
<script src="vendor/metisMenu/metisMenu.min.js"></script>
<script src="dist/js/customized.js"></script>
7. Insert the following html tags inside the <body> ….</body> tags.
<div class="container">
<div class="row">
<div class="col-md-5 col-md-offset-3">
<!-- Here you will put the Panel -->
</div>
</div>
</div>
8. Designing the Panel. Insert the following tags in place of the <!-- Here you will put the Panel --> comment, inside the <div class="col-md-5 col-md-offset-3">.
<div class="panel panel-default">
<div class="panel-heading">Please Sign-In</div>
<div class="panel-body">
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
</form>
</div>
<div class="panel-footer">Please type your Username and Password</div>
</div>
9. Inserting the Username label and textbox. Insert the following tags inside the <form> tag.
<div class="form-group">
<label for="txtusername">Username:</label>
<input type="text" class="form-control" id="txtusername" name="txtusername" placeholder="Enter Username">
</div>
10. Inserting the Password label and textbox. Insert the following tags after the username group.
<div class="form-group">
<label for="txtpassword">Password:</label>
<input type="password" class="form-control" id="txtpassword" name="txtpassword" placeholder="Enter Password">
</div>
11. Inserting the Submit and Reset buttons. Insert the following tags after the password group.
<div class="form-group">
<button type="submit" class="btn btn-default" name="submit">Submit</button>
<button type="reset" class="btn btn-default" name="reset">Reset</button>
</div>
ii. Creating the Login Database Table
1. Create the following database and table using phpMyAdmin as shown above.
Database Name: myDB
Table Name: tblLogin
2. Insert the following records in tblLogin:
ID  Username  password                          usertype
1   Tariku    e358efa489f58062f10dd7316b65649e  user
2   Sosina    03c7c0ace395d80182db07ae2c30f034  user
3   Markos    6f8f57715090da2632453988d9a1501b  administrator
Note: the password column holds the MD5 hash of each password:
e358efa489f58062f10dd7316b65649e = md5('t')
03c7c0ace395d80182db07ae2c30f034 = md5('s')
6f8f57715090da2632453988d9a1501b = md5('m')
3. Open the index.php file you created.
4. Insert the following PHP script before <!DOCTYPE html>.
<?php
// Using procedural mysqli
session_start();
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "myDB";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
if (isset($_REQUEST['submit']))
{
    // Escape the username before it goes into the query. Hash the password exactly
    // as typed: md5() returns hexadecimal characters only, so the hash needs no escaping.
    $uname = mysqli_real_escape_string($conn, $_POST['txtusername']);
    $pword = md5($_POST['txtpassword']);
    $sql = "SELECT * FROM tblLogin WHERE username='$uname' AND password='$pword'";
    $result = mysqli_query($conn, $sql);
    if (mysqli_num_rows($result) > 0)
    {
        $row = mysqli_fetch_assoc($result);
        if ($row['usertype'] == 'administrator')
        {
            $_SESSION['ID'] = $row['ID'];
            $_SESSION['username'] = $row['username'];
            header("Location: adminpage.php");
            exit; // stop the script so nothing after the redirect is sent
        }
        else if ($row['usertype'] == 'user')
        {
            $_SESSION['ID'] = $row['ID'];
            $_SESSION['username'] = $row['username'];
            header("Location: userpage.php");
            exit;
        }
        else
        {
            echo '<script language="javascript">';
            echo 'alert("Invalid User Type")';
            echo '</script>';
        }
    }
    else
    {
        echo '<script language="javascript">';
        echo 'alert("Invalid User name and password!! please try again!!")';
        echo '</script>';
    }
}
mysqli_close($conn);
?>
Use only one of the two versions (procedural above or object-oriented below), not both.
<?php
// Using object-oriented mysqli
session_start();
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "myDB";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
if (isset($_REQUEST['submit']))
{
    // Escape the username before it goes into the query. Hash the password exactly
    // as typed: md5() returns hexadecimal characters only, so the hash needs no escaping.
    $uname = mysqli_real_escape_string($conn, $_POST['txtusername']);
    $pword = md5($_POST['txtpassword']);
    $sql = "SELECT * FROM tblLogin WHERE username='$uname' AND password='$pword'";
    $result = $conn->query($sql);
    if ($result->num_rows > 0)
    {
        $row = $result->fetch_assoc();
        if ($row['usertype'] == 'administrator')
        {
            $_SESSION['ID'] = $row['ID'];
            $_SESSION['username'] = $row['username'];
            header("Location: adminpage.php");
            exit; // stop the script so nothing after the redirect is sent
        }
        else if ($row['usertype'] == 'user')
        {
            $_SESSION['ID'] = $row['ID'];
            $_SESSION['username'] = $row['username'];
            header("Location: userpage.php");
            exit;
        }
        else
        {
            echo '<script language="javascript">';
            echo 'alert("Invalid User Type")';
            echo '</script>';
        }
    }
    else
    {
        echo '<script language="javascript">';
        echo 'alert("Invalid User name and password!! please try again!!")';
        echo '</script>';
    }
}
$conn->close();
?>
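The same login check written with a prepared statement and PHP's password API, as an added example that is not part of the handout. The function name check_login is an assumption, as is a password column wide enough for password_hash() output (e.g. VARCHAR(255)); rows that still hold the md5 hashes from the table above are compared with hash_equals() and upgraded on their first successful login.

```php
<?php
// Added example, not from the handout: tblLogin check with a prepared statement
// and PHP's password API (assumes the password column is VARCHAR(255)).
session_start();
$conn = new mysqli("localhost", "root", "", "myDB");
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// Returns the matching tblLogin row, or null when username or password is wrong.
// The username is bound as a parameter, so quotes in it cannot alter the query.
function check_login(mysqli $conn, string $uname, string $pword): ?array
{
    $stmt = $conn->prepare("SELECT ID, username, password, usertype FROM tblLogin WHERE username = ?");
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) { return null; }
    $stored = $row['password'];
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy row still holding md5(password), the scheme used in the table above.
        if (!hash_equals($stored, md5($pword))) { return null; }
        // Upgrade the row to a salted password_hash() on this first successful login.
        $new = password_hash($pword, PASSWORD_DEFAULT);
        $up = $conn->prepare("UPDATE tblLogin SET password = ? WHERE ID = ?");
        $up->bind_param("si", $new, $row['ID']);
        $up->execute();
        $up->close();
    } elseif (!password_verify($pword, $stored)) {
        return null;
    }
    return $row;
}
if (isset($_POST['submit'])) {
    $row = check_login($conn, $_POST['txtusername'] ?? '', $_POST['txtpassword'] ?? '');
    $pages = ['administrator' => 'adminpage.php', 'user' => 'userpage.php'];
    if ($row === null) {
        echo '<script>alert("Invalid User name and password!! please try again!!")</script>';
    } elseif (!isset($pages[$row['usertype']])) {
        echo '<script>alert("Invalid User Type")</script>';
    } else {
        session_regenerate_id(true); // fresh session id after login (session fixation defence)
        $_SESSION['ID'] = $row['ID'];
        $_SESSION['username'] = $row['username'];
        header("Location: " . $pages[$row['usertype']]);
        exit;
    }
}
$conn->close();
?>
```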
iii. Securing and Customizing the Admin Page
1. Open the PHP file you created previously as adminpage.php.
2. Creating security in adminpage.php. Put these lines of code before <!doctype html>.
<?php
session_start();
if (!isset($_SESSION["username"]))
{
    header("Location: index.php");
    exit; // stop here, otherwise the rest of the admin page is still sent to the browser
}
?>
3. Insert the line of code below the <meta charset="utf-8"> tag.
<meta name="viewport" content="width=device-width, initial-scale=1">
4. After your </title> tag, link the following CSS.
<link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<link href="vendor/metisMenu/metisMenu.min.css" rel="stylesheet">
<link href="vendor/bootstrap-social/bootstrap-social.css" rel="stylesheet">
<link href="dist/css/customized.css" rel="stylesheet">
<link href="vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
5. Before the </body> tag, add the following scripts.
<script src="vendor/jquery/jquery.min.js"></script>
<script src="vendor/bootstrap/js/bootstrap.min.js"></script>
<script src="vendor/metisMenu/metisMenu.min.js"></script>
<script src="dist/js/customized.js"></script>
6. Insert the following HTML tags inside the <body> ….</body> tags.
<div class="wrapper"> <!--start of wrapper-->
</div> <!-- end of wrapper-->
7. Inserting the NavBar. Insert the following tags after the <!--start of wrapper-->.
<nav class="navbar navbar-default navbar-fixed-top" role="navigation"> <!--start NavBar -->
</nav><!--end of NavBar -->
8. Inserting the NavBar Header. Insert the following tags after the <!--start NavBar -->.
<!-- Header -->
<div class="navbar-header">
<a class="navbar-brand" href="index.html">Week End</a>
</div>
<!--end of header -->
9. Inserting the Right NavBar. Insert the following tags after the <!--end of header -->.
<ul class="nav navbar-nav navbar-right"> <!-- start of Right Navbar -->
</ul><!-- end of the Right NavBar-->
10. Inserting the My Account and Logout buttons. Insert the following tags after the <!-- start of Right Navbar -->.
<!-- My Account Button -->
<li><a href="#"><span class="glyphicon glyphicon-user"></span> My Account</a></li>
<!-- Logout Button -->
<li><a href="logout.php"><span class="glyphicon glyphicon-log-in"></span> Logout</a></li>
Note: logout.php is not defined yet!
11. Create a new PHP page, save it as logout.php, and replace its whole content with the following.
<?php
session_start();
session_destroy();
header("Location: index.php");
?>
Integrity
B. Creating an Auditing Table - Integrity
Whenever a user logs in to the system, the details of that login should be recorded for auditing. To
do so, create a table tbluserlog as follows.
After creating the table, modify the PHP login code in the index page as follows.
<?php
// Using procedural mysqli
session_start();
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "myDB";
// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
if (isset($_REQUEST['submit']))
{
    // Escape the username before it goes into the query. Hash the password exactly
    // as typed: md5() returns hexadecimal characters only, so the hash needs no escaping.
    $uname = mysqli_real_escape_string($conn, $_POST['txtusername']);
    $pword = md5($_POST['txtpassword']);
    $sql = "SELECT * FROM tblLogin WHERE username='$uname' AND password='$pword'";
    $result = mysqli_query($conn, $sql);
    if (mysqli_num_rows($result) > 0)
    {
        $row = mysqli_fetch_assoc($result);
        if ($row['usertype'] == 'administrator')
        {
            $_SESSION['ID'] = $row['ID'];
            $_SESSION['username'] = $row['username'];
            // for auditing: record who logged in and from which address
            $uip = $_SERVER['REMOTE_ADDR'];
            $logname = mysqli_real_escape_string($conn, $_SESSION['username']);
            mysqli_query($conn, "INSERT INTO tbluserlog(username, userip) VALUES('$logname', '$uip')");
            header("Location: adminpage.php");
            exit; // stop the script so nothing after the redirect is sent
        }
        else if ($row['usertype'] == 'user')
        {
            $_SESSION['ID'] = $row['ID'];
            $_SESSION['username'] = $row['username'];
            // for auditing: record who logged in and from which address
            $uip = $_SERVER['REMOTE_ADDR'];
            $logname = mysqli_real_escape_string($conn, $_SESSION['username']);
            mysqli_query($conn, "INSERT INTO tbluserlog(username, userip) VALUES('$logname', '$uip')");
            header("Location: userpage.php");
            exit;
        }
        else
        {
            echo '<script language="javascript">';
            echo 'alert("Invalid User Type")';
            echo '</script>';
        }
    }
    else
    {
        echo '<script language="javascript">';
        echo 'alert("Invalid User name and password!! please try again!!")';
        echo '</script>';
    }
}
mysqli_close($conn);
?>
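Auditing both successful and failed attempts with prepared statements, as an added example that is not part of the handout; it goes beyond the code above, which records successful logins only. The table definition with its success and logintime columns, and the function names log_login_attempt and recent_failures, are assumptions.

```php
<?php
// Added example, not from the handout: record every login attempt, failed ones
// included, in tbluserlog using prepared statements. Assumed table (the handout
// names only the username and userip columns):
//   CREATE TABLE tbluserlog (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     username VARCHAR(50) NOT NULL,
//     userip VARCHAR(45) NOT NULL,   -- 45 characters also fits an IPv6 address
//     success TINYINT(1) NOT NULL,
//     logintime DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
//   );

// Insert one audit row; the username is bound, so a value such as O'Brien
// (or a quote typed into the login form) is stored as data, not run as SQL.
function log_login_attempt(mysqli $conn, string $username, bool $success): bool
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $ok = (int) $success;
    $stmt = $conn->prepare("INSERT INTO tbluserlog (username, userip, success) VALUES (?, ?, ?)");
    $stmt->bind_param("ssi", $username, $ip, $ok);
    $done = $stmt->execute();
    $stmt->close();
    return $done;
}

// Failed attempts from one address in the last $minutes minutes: a simple
// figure the admin page can show to spot password guessing against tblLogin.
function recent_failures(mysqli $conn, string $ip, int $minutes = 15): int
{
    $stmt = $conn->prepare("SELECT COUNT(*) FROM tbluserlog WHERE userip = ? AND success = 0
                            AND logintime > NOW() - INTERVAL ? MINUTE");
    $stmt->bind_param("si", $ip, $minutes);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

// In index.php, call log_login_attempt($conn, $uname, true) right after the
// successful match and log_login_attempt($conn, $uname, false) in the
// "Invalid User name and password" branch, so guesses become visible too.
?>
```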
Assignment (30%) - individual
Display the contents of the userlogin table inside the admin page.
C. Availability (20%) - group
Write PHP code and integrate it with the above assignment:
1. A PHP script that can back up the project.
2. A PHP script that can restore the backed-up file as it was.