PHP assignment writing: CS242 Adding Threaded Comments

Add a comment system to an existing web page so that users can post comments. Pay particular attention to how the security and filter features are implemented.

Overview

This week, you will add a threaded commenting system to your project, and implement some basic security and filtering features for commenting. Specifically, you will need to create a database to store comments, read from and write to the database, and implement basic filtering and security features for user comments. Additionally, you will be submitting your final project proposal.
Again, the following information is written for PHP and MySQL, but feel free to use other languages you like. However, for this assignment, we are limiting you to some form of SQL database.

Part 0: Final Project Proposal

Summary

For the last four weeks of the semester, you will work on a Final Project of your choice. For this week, you must submit a project proposal electronically as a PDF to your moderator by the start of your section.
There are no restrictions on what language, frameworks, or tools that you use, but your project:

  • Cannot be any work you are getting paid for
  • Cannot be any project or assignment for another course you are currently taking
  • Must have clear, concrete objectives for each week
  • Must include tools for testing, as this will be part of each week’s requirements

The proposal should be a PDF containing a summary of the project, your motivation for the project, and specific requirements for each week. Specifically, your proposal should include:

  • Description/summary of project and your motivation for choosing this project
  • Technical information about your project & specifications
  • Planned final features
  • Detailed timeline, including requirements week by week

We realize that it is difficult to plan your project week by week without actually implementing it, but this is a key part of the design process.

Caveats

In addition to individual final projects, we will allow

  • Group projects (up to 3 students) - with approval from the moderators of the involved students
  • Open Source or existing projects - subject to special approval from the TAs or Professor Woodley

With either of these special cases, you must define your individual contributions very clearly. For group projects, all moderators involved must be emailed the same proposal, and this proposal should clearly define the contributions of each member individually.
Before contacting the course staff with ideas for either one of these types of projects, you must have a clear description of what you plan on contributing individually, as grading each week is done on an individual basis.

Format and Examples

We expect you to follow a predefined format for your project proposals. The required format can be found here: Template.docx, Template.pdf
The following is an example of a group proposal that follows this format: Example.pdf.

Updating Your Proposal

Each week, your actual progress may differ from your planned progress. We understand that this may happen, and as you implement your project each week, you should update your proposal as well. This may include any changes to the technologies used in your project. Stay in communication with your moderator: ask before making drastic changes to your proposal in the following weeks, and send him or her any updates to your proposal.

Part I: Database Design

If you are unfamiliar with SQL, we suggest you go through the W3Schools SQL tutorial before continuing. Unlike previous iterations of this assignment, you are strictly required to use a form of SQL database.
If you are not using the LAMP stack and PHP, your framework will use other database structures. Make sure to read up on how they work, and be able to describe to your moderator how you designed your database.
First, you will need to decide how you want to store your data in the database. Think about what table(s) you need and what columns each of those tables needs to have.
Feel free to use the PHPMyAdmin that is built into cPanel to construct your tables and play around with your design, but however you initially create your database, remember to include the SQL statement(s) that generated your schema in SVN (i.e. in your README or separate SQL files).

Hint for Comment Schema

There are many ways to store comments in your database, but consider a tree-based approach: either nested sets (preferred), or an adjacency list in which each comment row carries the id of its parent and/or child comment.
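The nested-set layout the hint prefers, as an added example that is not part of the assignment: a schema, a reply insert that keeps the interval bookkeeping consistent under concurrent posting, and the read query that returns a thread in display order with its depth. It assumes a PDO connection to MySQL/InnoDB; the table and column names are my own choice. A top-level comment (not shown) would instead take lft = MAX(rgt) + 1 and rgt = lft + 1.

```php
<?php
// Added example, not the assignment's code: the nested-set layout the hint
// prefers, plus a reply insert that keeps every [lft, rgt] interval valid.
// Assumes a PDO connection to MySQL/InnoDB; table and column names are mine
// (lft/rgt because LEFT and RIGHT are SQL reserved words).
const SCHEMA = <<<SQL
CREATE TABLE comments (
  id     INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  author VARCHAR(64) NOT NULL,
  body   TEXT NOT NULL,
  lft    INT UNSIGNED NOT NULL,
  rgt    INT UNSIGNED NOT NULL,
  INDEX (lft), INDEX (rgt)
)
SQL;
// Insert $body as the last child of $parentId. Every interval ending at or
// after the parent's rgt is widened by 2 and everything to the right shifts,
// which opens the slot [parentRgt, parentRgt + 1] just inside the parent.
function insertReply(PDO $db, int $parentId, string $author, string $body): int
{
    $db->beginTransaction();
    try {
        // FOR UPDATE locks the parent row, so concurrent replies cannot both read the same rgt.
        $stmt = $db->prepare('SELECT rgt FROM comments WHERE id = ? FOR UPDATE');
        $stmt->execute([$parentId]);
        $parentRgt = $stmt->fetchColumn();
        if ($parentRgt === false) {
            throw new InvalidArgumentException("no comment with id $parentId");
        }
        $db->prepare('UPDATE comments SET rgt = rgt + 2 WHERE rgt >= ?')->execute([$parentRgt]);
        $db->prepare('UPDATE comments SET lft = lft + 2 WHERE lft > ?')->execute([$parentRgt]);
        $db->prepare('INSERT INTO comments (author, body, lft, rgt) VALUES (?, ?, ?, ?)')
           ->execute([$author, $body, $parentRgt, $parentRgt + 1]);
        $id = (int) $db->lastInsertId();
        $db->commit();
        return $id;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}
// Reading a thread needs no recursion: ORDER BY lft is depth-first order, and
// a comment's depth is the number of intervals that strictly contain it.
function fetchThread(PDO $db): array
{
    return $db->query('SELECT c.id, c.author, c.body, (SELECT COUNT(*) FROM comments p
                        WHERE p.lft < c.lft AND p.rgt > c.rgt) AS depth
                       FROM comments c ORDER BY c.lft')->fetchAll(PDO::FETCH_ASSOC);
}
```

The two UPDATE statements must run in that order and inside the transaction; if either is skipped, intervals overlap and the depth subquery silently returns wrong values.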

Part II: Implement Commenting

The second step this week is to create some basic forms and display pages to show your comments. You will need to extend the pages you generated last week so that your main portfolio page can interface with your comments.
Use CSS to style these pages and make them look presentable. How can you indicate that a comment is in reply to another? How do you place the tree of comments on a single page? Take a look at the comment pages on sites like Slashdot and Reddit for inspiration. If the template you used last week included some styling for comments, feel free to use that for this week’s styling.

Part III: Lock Things Down

Next, secure your portfolio against malicious user input in comments. Using techniques such as prepared statements (for database queries) and proper escaping of strings at output time, secure your code at minimum against SQL Injection Attacks and Cross-site Scripting Attacks. Use the internet to find resources about how to accomplish these goals with PHP.
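The two points where comment text meets your code, as an added example (mine, not the assignment's): the database write shown unsafe and then with a prepared statement, and the HTML output escaped, wrapped in a renderer that turns the depth-ordered rows from Part I into the nested list Part II asks for. It assumes a PDO connection and a simplified comments(author, body) table; all names are assumptions.

```php
<?php
// Added example, not part of the assignment: the two points where comment
// text meets your code, each shown unsafe and then hardened, plus a renderer
// for thread rows that already carry a `depth` column (see Part I).
// Assumes a PDO connection and a comments(author, body) table; names are mine.

// SQL injection: the body is pasted into the SQL text, so a quote inside it
// ends the string literal and whatever follows is parsed as SQL.
function insertUnsafe(PDO $db, string $author, string $body): void
{
    $db->exec("INSERT INTO comments (author, body) VALUES ('$author', '$body')");
}

// Hardened: SQL text and values travel separately, so the comment is never
// parsed as SQL. Disabling emulation makes MySQL itself do the binding.
function insertSafe(PDO $db, string $author, string $body): void
{
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Cross-site scripting: echoing $row['body'] as-is would render any markup a
// commenter stored. Escape for the HTML context at output time, every time.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// $rows are in thread order with depth 0 = top level. One <ul> is opened per
// level descended and one closed per level ascended, so the markup balances.
function renderThread(array $rows): string
{
    $html  = '';
    $depth = -1;                               // depth of the currently open <li>
    foreach ($rows as $row) {
        $d = (int) $row['depth'];
        if ($d > $depth) {
            $html .= str_repeat('<ul class="comments">', $d - $depth);
        } else {
            $html .= '</li>' . str_repeat('</ul></li>', $depth - $d);
        }
        $html .= '<li><b>' . e($row['author']) . '</b>: ' . e($row['body']);
        $depth = $d;
    }
    return $depth < 0 ? '' : $html . '</li>' . str_repeat('</ul></li>', $depth) . '</ul>';
}
```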

Part IV: Filter Comments

For the last step, you will need to implement a basic content filtering system. You will need to compile a list of “red flag” words/phrases and acceptable replacement words/phrases. This list must have at least 5 entries, but feel free to add as many as you would like. When a user enters a comment with a “red flag” word or phrase, it should be automatically replaced with the corresponding replacement word. Store your “red flag” words/phrases and their corresponding replacements in the database.
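A filter of the kind described above, as an added example that is not part of the assignment: rules are loaded from a red_flags table and applied case-insensitively to whole words only. It assumes a PDO connection; the table name and the sample rules at the bottom are constructed.

```php
<?php
// Added example, not part of the assignment: a red-flag filter whose rules
// live in the database. Assumes a PDO connection; the table name and the
// constructed sample rules are my own.
const FILTER_SCHEMA = 'CREATE TABLE red_flags (
  phrase      VARCHAR(100) NOT NULL PRIMARY KEY,
  replacement VARCHAR(100) NOT NULL
)';

// Load all rules once per request as ['phrase' => 'replacement', ...].
function loadRedFlags(PDO $db): array
{
    return $db->query('SELECT phrase, replacement FROM red_flags')
              ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Apply the rules to the raw comment text before it is stored. Matching is
// case-insensitive and only on whole words, so a rule for "darn" leaves
// "Darned" alone; longer phrases go first so a multi-word rule wins over a
// rule for one of its words. HTML escaping is a separate step done at output
// time (Part III), never here, or the filter would see "&lt;" instead of "<".
function filterComment(string $body, array $rules): string
{
    uksort($rules, fn($a, $b) => strlen($b) <=> strlen($a));
    foreach ($rules as $phrase => $replacement) {
        // preg_quote neutralises metacharacters in phrases such as "c++";
        // the lookarounds act as word boundaries that still work when the
        // phrase itself begins or ends with punctuation.
        $pattern = '/(?<!\w)' . preg_quote($phrase, '/') . '(?!\w)/iu';
        // A callback rather than a replacement string, so "$1" in a stored
        // replacement is inserted literally instead of read as a backreference.
        $body = preg_replace_callback($pattern, fn() => $replacement, $body);
    }
    return $body;
}

// Constructed sample standing in for the red_flags table:
$rules = ['darn' => 'heck', 'shut up' => 'be quiet', 'stupid' => 'silly'];
echo filterComment('Darn, shut UP, that is stupid. Darned.', $rules), "\n";
```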

Testing

For this week, write automated unit tests to test your commenting and security features. That is, you should have some test code that creates comments, replies to comments, checks for proper filtering, checks for proper SQL injection attack prevention, etc. Your tests should work by invoking the scripts you wrote to post comments, then verify they are properly placed in the database.