"xcelmind" <xc*************@mail.codecomments.comwrote in message
news:xc*************@mail.codecomments.com...
>
> Hello Dev. Guru,
> I want to at this time introduce myself. I am Stanley Ojadovwa by name.
> I'm a freelance and a newbie in web application development. I'm
> currently using ASP as my application server technology with Microsoft
> Access as my database source.
Access (aka MS Jet) is a poor choice for multi-user database applications.
If at all possible, you would be well-advised to use SQL Express, which is
free just like Jet is, but is a much more stable and capable database
engine.
> Just as I have introduced myself, I'm a newbie in web application
> development. I'm currently working on an application that will allow
> students to check their results and admission status online, but they
> will have to get a PIN Number or Code before they will be able to do
> exactly that.
> Now, what I have in mind is that a student will enter their names,
> examination numbers and the PIN Code into a form and then click on the
> submit button. The feedback after clicking on submit is that the
> particular student examination records and status are queried from
> that database and displayed for that student to see.
> Validation Rules:
> The application must display only the records that belong to that
> student.
> The PIN Code entered by the student must correspond to the one already
> stored in the database.
> The application must be in a way that the PIN Code cannot be used by
> more than one student. That is if another student wants to use that PIN
> Code, an error message should appear telling the student that the pin
> code has been used by another student depending on how or what message
> you want to display.
That is not a secure design! A message that tells the user their chosen PIN
is already in use effectively gives away the secret half of some other
student's credentials! Anyone that knows the names of the other students
only needs to try each of them with the PIN s/he now knows is in use -- and
is guaranteed access to someone else's data in the course of such an attack.
Also, name is a poor choice for a login value, no guarantee of uniqueness.
Email is a better choice; otherwise, allow the user to choose a login (this
would be where you must prompt for another value to enforce uniqueness.)
If forcing unique PINs is intended as a work-around for same-named students,
it is an extremely poor tactic. Login is the public [or semi-private] half
of the credentials pair. Password is the exclusively private half. For
sensitive data, nothing should *ever* divulge the password to *anyone*. For
data that isn't really sensitive, mechanisms to recover a password by
sending it to its owner have become fairly accepted, but secure applications
will only provide a way to reset the password.
This authentication model is in place in literally thousands (if not
millions) of applications; it's proven and accepted. You'd likely be
further ahead to work around the reasons you want to alter the model, and
leave the model itself intact.
> The PIN Code must not be used for more than a specified number of
> times.
Why?
> Now that was a brief overview of the kind of application I want to
> develop. However, I'm having problems with its development. I decided to
> write to see if there is a way you can help me out. You might have seen
> the source code for such an application before now, please send it to
> me or you may want to help me by writing a quick one of such
> application, or anything you have in mind regarding the application.
> Anyway, I have gone ahead with its development. I will give a brief
> idea of how far I have gone. What I did was to create a database with
> three tables, namely PIN, LOGIN and RESULT. The PIN table contains all
> the pin numbers which will be entered by the webmaster such that when
Wait, the webmaster enters the PINs? What, then the user gets it on a slip
of paper handed out in class, or via snail-mail? Eeesh, if you absolutely
must go this way, at the very least, cut the web admin people a break by
generating PIN values.
> the student enters a particular pin code it will query that table to see
> if the pin exists else it will tell the student that it is an invalid pin
> code. If the pin exists in the PIN table the form input should be
> submitted to the LOGIN table and then store the input in a cookie and
> then be directed to another page which will query the RESULT table based
> on the information stored in the cookie to bring out the particular
> student's information.
Two tables unnecessarily complicates design, input and function. A single
table that stores login, password, and any other details that describe the
user, is a more workable design. You then query that one table for a row
with both login and password fields that match the submitted values... but
that's a generality...
To be efficient your design must consider some environmental factors, like
the source of results data, and how it will be associated with students.
Surely each student already has some unique identifier assigned by the
school; presumably results will be linked using that?
So [based on my assumptions] the scenario should be something like this:
1. A conceptual account exists for each student by virtue of enrollment;
2. Each account needs to be "activated" before it can be used to access
account-specific content, to prevent unauthorized access before credentials
have been established;
3. The process of activation involves verifying that the user is who he says
he is, and then establishing credentials;
3.a. Verification involves user input of info that will be known or
available to each respective student while at the same time, not commonly
known or available to others (test numbers from one or a few recent tests
should be a good fit here)
3.b. When establishing credentials, assign a login value if you absolutely
must, but let the user set the password.
4. Once an account is activated, users can view results;
4.a. Why not just list all available results in a list, so the user can
click a link, rather than needing some number;
As for whatever implementation difficulties you may be having, you'll get
more answers if you provide:
1. A description of the problem; i.e., the error message, or what it's not
doing that you think it should;
2. Just enough code to show the context of the problem (noting which line
throws the error, if any);
3. Which behavior or aspects you're having difficulty understanding;
-Mark
> To avoid too much detail visit www.jambonline.org for a
> sample of the kind of application I'm talking about.
> I would really appreciate it if I get a response from you regarding this
> application. Thanks for your understanding and support.
> See you at the top!
> Stanley
> Note: Below is a copy of the place I'm having a problem. I want to add
> the form input into the login table if it does not already exist and
> then direct them to Query_result page where their result will then be
> sorted from the RESULT table. Also if the input is in the login table
> already they should be redirected to Query_result page.
> In case you want a sample of the database, you can send me an email so
> that I can attach it to the email back to you. I have already attached
> some of the pages I have developed
> --
> xcelmind
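As an added illustration of the account model Mark outlines (one table, school-assigned login, student-chosen password, activation by verifying something the student knows, and a failure message that never reveals whether a PIN or password is in use by someone else), here is example code that is not from either poster. It assumes Python with sqlite3 standing in for ASP/Access, a made-up `account` table, and constructed student IDs and exam numbers.

```python
import hashlib
import hmac
import os
import sqlite3

# Same wording for every failure, so nothing reveals whether a login,
# PIN or password belongs to another student.
GENERIC_ERROR = "Activation or login failed; check your details and try again."
ITERATIONS = 200_000

def open_db():
    """One account table (constructed sample data) in place of PIN/LOGIN."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE account (
        student_id TEXT PRIMARY KEY,   -- school-assigned identifier, used as login
        exam_no    TEXT NOT NULL,      -- fact known to the student, used to verify
        salt       BLOB, pw_hash BLOB, -- NULL until the student sets a password
        activated  INTEGER NOT NULL DEFAULT 0)""")
    db.executemany("INSERT INTO account (student_id, exam_no) VALUES (?, ?)",
                   [("S1001", "EX-4471"), ("S1002", "EX-9130")])
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def activate(db, student_id, exam_no, new_password):
    """Step 3: verify who the student is, then let them choose the password."""
    row = db.execute("SELECT exam_no, activated FROM account WHERE student_id = ?",
                     (student_id,)).fetchone()
    if row is None or row[1] or not hmac.compare_digest(row[0].encode(), exam_no.encode()):
        return False, GENERIC_ERROR   # unknown id, already active, or wrong exam number
    salt = os.urandom(16)
    db.execute("UPDATE account SET salt = ?, pw_hash = ?, activated = 1 WHERE student_id = ?",
               (salt, _hash(new_password, salt), student_id))
    return True, "Account activated."

def login(db, student_id, password):
    """Step 4: one query for a row whose login and password both match."""
    row = db.execute("SELECT salt, pw_hash FROM account WHERE student_id = ? AND activated = 1",
                     (student_id,)).fetchone()
    if row is None or not hmac.compare_digest(_hash(password, row[0]), row[1]):
        return False, GENERIC_ERROR
    return True, "Welcome; your results follow."

if __name__ == "__main__":
    db = open_db()
    print(activate(db, "S1001", "EX-4471", "correct horse battery"))
    print(login(db, "S1001", "correct horse battery"))
    print(login(db, "S1002", "guess"))   # not activated: same generic message
```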