Overview of Web Development and its components

1) HTML

 HTML stands for Hyper Text Markup Language

 HTML is the standard markup language for creating Web pages
 HTML describes the structure of a Web page
 HTML elements are the building blocks of HTML pages
 HTML consists of a series of elements
 HTML elements tell the browser how to display the content
 HTML elements label pieces of content such as "this is a heading", "this is a paragraph",
"this is a link", etc.

HTML Elements

An HTML element is a start tag and an end tag with content in between:

<h1>This is a Heading</h1>

Start tag Element content End tag

<h1> This is a Heading </h1>

<p> This is paragraph. </p>

HTML Attributes

 HTML elements can have attributes

 Attributes provide additional information about the element
 Attributes come in name/value pairs like charset="utf-8"

A Simple HTML Document

<!DOCTYPE html>
<html lang="en">

<meta charset="utf-8">
<title>Page Title</title>

<body>
<h1>This is a Heading</h1>
<p>This is a paragraph.</p>
<p>This is another paragraph.</p>
</body>

</html>
HTML Document Structure

Below is a visualization of an HTML document (an HTML Page):

<html>

<head>

<title>Page title</title>

</head>

<body>

<h1>This is a heading</h1>

<p>This is a paragraph.</p>

<p>This is another paragraph.</p>

</body>

</html>

Note: Only the content inside the <body> section (the white area above) is displayed in a
browser.

HTML Headings

HTML headings are defined with <h1> to <h6> tags.

<h1> defines the most important heading. <h6> defines the least important heading:

Example
<h1>This is heading 1</h1>
<h2>This is heading 2</h2>
<h3>This is heading 3</h3>

HTML Paragraphs

HTML paragraphs are defined with <p> tags:

Example
<p>This is a paragraph.</p>
<p>This is another paragraph.</p>

HTML Links

HTML links are defined with <a> tags:

Example
<a href="https://www.w3schools.com">This is a link</a>

The link's destination is specified in the href attribute.

HTML Images

HTML images are defined with <img> tags.

The source file (src), alternative text (alt), width, and height are provided as attributes:

Example
<img src="img_w3schools.jpg" alt="W3Schools" style="width:120px;height:150px"

HTML Buttons

HTML buttons are defined with <button> tags:

Example
<button>Click me</button>

HTML Lists

HTML lists are defined with <ul> (unordered/bullet list) or <ol> (ordered/numbered list) tags,
followed by <li> tags (list items):

Example
<ul>
<li>Coffee</li>
<li>Tea</li>
<li>Milk</li>
</ul>

HTML Tables

An HTML table is defined with a <table> tag.

Table rows are defined with <tr> tags.

Table headers are defined with <th> tags. (bold and centered by default).

Table cells (data) are defined with <td> tags.

Example
<table>
<tr>
 <th>Firstname</th>
<th>Lastname</th>
<th>Age</th>
</tr>
<tr>
<td>Jill</td>
<td>Smith</td>
<td>50</td>
</tr>
<tr>
<td>Eve</td>
<td>Jackson</td>
<td>94</td>
</tr>
</table>

2) CSS
 CSS stands for Cascading Style Sheets
 CSS describes how HTML elements are to be displayed on screen, paper, or in other
media
 CSS saves a lot of work. It can control the layout of multiple web pages all at once
 External stylesheets are stored in CSS files

CSS Example
<style>

body {background-color:lightblue; text-align:center;}

h1 {color:blue; font-size:40px;}
p {font-family:verdana; font-size:20px;}

</style>

CSS Syntax

A CSS rule consists of a selector and a declaration block:

The selector points to the HTML element to style (h1).

The declaration block (in curly braces) contains one or more declarations separated by
semicolons.
Each declaration includes a CSS property name and a value, separated by a colon.

In the following example all <p> elements will be center-aligned, red and have a font size of 32
pixels:

Example
<style>
p {font-size:32px; color:red; text-align:center;}
</style>

Same example can also be written like this:

<style>
p{
font-size: 32px;
color: red;
text-align: center;
}
</style>

External Style Sheet

A CSS style sheet can be stored in an external file:

mystyle.css
body {background-color: orange; font-family:verdana}
h1 {color: white;}
p {font-size: 20px;}

External style sheets are linked to HTML pages with <link> tags:

Example
<!DOCTYPE html>
<html>
<link rel="stylesheet" href="mystyle.css">
<body>

<h1>My First CSS Example</h1>

<p>This is a paragraph.</p>

</body>
</html>
 Inline Style
Example
<!DOCTYPE html>
<html>
<link rel="stylesheet" href="mystyle.css">
<body>

<h1>My First CSS Example</h1>

<p>This is a paragraph.</p>
<p style="font-size:25px">This is a paragraph.</p>
<p style="font-size:30px">This is a paragraph.</p>
</body>
</html>

3) JavaScript
JavaScript is the Programming Language for the Web.

JavaScript is a lightweight, interpreted programming language. It is designed for creating

network-centric applications. It is complimentary to and integrated with Java. JavaScript is very
easy to implement because it is integrated with HTML. It is open and cross-platform.

JavaScript can update and change both HTML and CSS.

JavaScript can calculate, manipulate and validate data.

JavaScript variables can be:

 Numbers
 Strings
 Objects
 Arrays
 Functions

JavaScript Variables

JavaScript variables are containers for storing data values.

In this example, x, y, and z, are variables:

Example

<!DOCTYPE html>

<html>

<body>
<h2>JavaScript Variables</h2>

<p>In this example, x, y, and z are variables.</p>

<p id="demo"></p>

<script>

var x = 5;

var y = 6;

var z = x + y;

document.getElementById("demo").innerHTML ="The value of z is: " + z;

</script>

</body>

</html>

o/p

JavaScript Variables

In this example, x, y, and z are variables.

The value of z is: 11

From the example above, you can expect:

 x stores the value 5

 y stores the value 6
 z stores the value 11

JavaScript Numbers

JavaScript has only one type of number. Numbers can be written with or without decimals.

Example
<!DOCTYPE html>

<html>

<body>

<h2>JavaScript Numbers</h2>

<p>Numbers can be written with or without decimals:</p>

<p id="demo"></p>

<script>

var x = 3.14;

var y = 3;

document.getElementById("demo").innerHTML = x + "<br>" + y;

</script>

</body>

</html>

o/p
JavaScript Numbers

Numbers can be written with or without decimals:

3.14
3
MySQL Database

With PHP, you can connect to and manipulate databases.

MySQL is the most popular database system used with PHP.

What is MySQL?

 MySQL is a database system used on the web

 MySQL is a database system that runs on a server
 MySQL is ideal for both small and large applications
 MySQL is very fast, reliable, and easy to use
 MySQL uses standard SQL
 MySQL compiles on a number of platforms
 MySQL is free to download and use
 MySQL is developed, distributed, and supported by Oracle Corporation
 MySQL is named after co-founder Monty Widenius's daughter: My

The data in a MySQL database are stored in tables. A table is a collection of related data, and it
consists of columns and rows.

Databases are useful for storing information categorically. A company may have a database with
the following tables:

 Employees
 Products
 Customers
 Orders

PHP + MySQL Database System

 PHP combined with MySQL are cross-platform (you can develop in Windows and serve
on a Unix platform)

Database Queries

A query is a question or a request.

We can query a database for specific information and have a recordset returned.

Look at the following query (using standard SQL):

SELECT LastName FROM Employees

The query above selects all the data in the "LastName" column from the "Employees" table.

To learn more about SQL, please visit our SQL tutorial.

What is Apache Web Server?

Apache HTTP Server is a free and open-source web server that delivers web content through the
internet. It is commonly referred to as Apache and after development, it quickly became the most
popular HTTP client on the web. It’s widely thought that Apache gets its name from its
development history and process of improvement through applied patches and modules but that
was corrected back in 2000. It was revealed that the name originated from the respect of the
Native American tribe for its resiliency and durability.

Apache Web Application Architecture

Apache is just one component that is needed in a web application stack to deliver web content.
One of the most common web application stacks involves LAMP, or Linux, Apache, MySQL,
and PHP.

Linux is the operating system that handles the operations of the application. Apache is the web
server that processes requests and serves web assets and content via HTTP. MySQL is the
database that stores all your information in an easily queried format. PHP is the programming
language that works with apache to help create dynamic web content.

Firewalls help protect the web application from both external threats and internal vulnerabilities
depending on where the firewalls are configured. Load Balancers help distribute traffic across
the web servers which handle the HTTP(S) requests (this is where Apache comes in) and
application servers (servers that handle the functionality and workload of the web app.) We also
have Database Servers, which handle asset storage and backups. Depending on your
infrastructure, your database and application can both live on the same server although it’s
recommended to keep those separate.

Apache HTTP Server versions

Latest Release Initial Release Version

03-02-2010 (1.2.42) 06-06-1998 1.3

10-07-2013 (2.0.65) 06-04-2002 2.0

11-07-2017 (2.2.34) 01-12-2005 2.2

07-08-2020 (2.4.46) 21-02-2012 2.4

Installing Apache and MySQL
These are instructions for installing on Windows 7 desktop (they may also be useful for a server
install with some thought to security) using individual components rather than a one click
installer. This is intended only as a testing/evaluation install via 'localhost'. Proper server
configuration and security is not considered.

NOTE: This assumes that you are comfortable with administering a Windows system and can
use the command line. I never use Windows and I managed, but this may not be the quickest or
most efficient way to do things. Make sure your Windows installation is in good shape, you clear
out all the junk and stuff making it run slower (because installing all this server software
certainly isn't going to make it run faster!) and that you have installed any outstanding updates.

Step 1: Install MySQL

 Install the MySQL database server on your PC. We will do this using the 'MSI' one-click installer for
Windows. Go to http://dev.mysql.com/downloads/ and download the 'MySQL Installer for Windows'.
At the time of writing this was from a very obvious graphic at the top of the screen (which I missed
the first time).
 Run the installation. Click...
 Install MySQL products
 Accept the license
 Allow the version check (optional)
 At 'Choose a Setup Type' accept the "Developer Default" and click Next
 A number of downloads of required software may be identified. Click Execute and follow
onscreen instructions to install them.
 At 'Installation progress' screen, hit Execute - the MySQL software will be installed
 At 'Configuration overview' hit Next to go to the basic configuration screen.
 Accept all the defaults on the 'MySQL Server Configuration' and hit Next.
 On the password screen, supply a password for the 'root' (main administrator) user. Make sure it's
one you won't forget. You can also create a 'User' account just for Moodle with more restricted
access if you like. This would be good practice on a public server but just using the 'root' user
will suffice for testing.
 On the Service details page, accept the defaults and hit Next and then Next a couple more times
for the configuration progress.
 Click Finish. Job done.
 MySQL Workbench will open. Under Server Administration (right hand column, double click 'Local
MySQL56' (or whatever you called it). A box should pop up asking for the root password. Enter the
password you supplied
 The server management screen should appear. You don't have to worry too much about this. It just
shows the install is working.

Step 2: Install Apache

 Install the Apache web server on your PC. Go to http://www.apachelounge.com/download/. Scroll

down the page until you find the download for the 'Apache 2.4 win32 binaries' and download. You
need to be careful that the module dll in PHP matches the version of Apache you install. Apache
won't load otherwise.
 Unzip the file into C:\. You should end up with a directory 'Apache24' (or whatever the latest version
is).
 Find Start > All programs > Accessories > Command Prompt...... BUT, right click, and select 'Run as
administrator'.
 Enter the following commands
 cd \Apache24\bin
httpd -k install
httpd -k start

...you may well get a warning about the server name. Don't worry about it. Don't close this
window, you will need it again in a minute.

 To test it worked type 'http://localhost' into your browser. You should get a screen up to the effect
that Apache is installed and working.

Step 3: Install PHP

 Now install the PHP scripting language on your PC. Go to http://www.php.net/download. In

the current stable release section click on link for Windows 5.x.x binaries and source. Scroll
down to the newest 'Zip' for VC14 x86 Thread Safe (non thread safe doesn't have the
Apache dll. the VC version may be different, and you may need x64 version) PHP (again,
the newest versions of PHP didn't have this but it shouldn't matter) and download. *Don't*
be tempted to use the Microsoft Installer version; it won't work.
 Open the zip file and extract to C:\PHP\
 In a console window, type php -v to see if it worked. (You may need to set up your PATH.
Alos, if you get weired error messages, or no error messages at all, read the bit on the left
of http://windows.php.net/ where it talks about installing "C++ Redistributable for Visual
Studio")

Step 4: Configure Apache and PHP

You now need to edit Apache's httpd.conf file. In the file explorer navigate to C:\Apache24\conf\
httpd.conf. Open it in Notepad . At the end of this file (or wherever you like if you want to be
more organised) add the following lines:

LoadModule php5_module "C:/PHP/php5apache2_4.dll"

AddHandler application/x-httpd-php .php
PHPIniDir C:/PHP

The version of the module file matters (2_4 in this case). It MUST match the Apache version
installed.

In the same file. Search for the line starting DirectoryIndex. Change it as follows

DirectoryIndex index.php index.html

Now, navigate to C:\PHP, and copy php.ini-development to php.ini. Edit this file, find the
following lines and modify them as follows (all should exist already):
 memory_limit = 256M
post_max_size = 128M
upload_max_filesize = 128M

You need to specify the extensions required for Moodle. Find the 'Dynamic Extensions' section
and change the following lines (uncomment and add the correct path):

extension=c:/php/ext/php_curl.dll
extension=c:/php/ext/php_gd2.dll
extension=c:/php/ext/php_intl.dll
extension=c:/php/ext/php_mbstring.dll
extension=c:/php/ext/php_mysqli.dll
extension=c:/php/ext/php_openssl.dll
extension=c:/php/ext/php_soap.dll
extension=c:/php/ext/php_xmlrpc.dll

(these are a minimum. You may need others - e.g. LDAP - for specific functions) ...and save.

Back in the 'cmd' window for Apache, you need to restart it to load your changes...

httpd -k restart

Step 5: Test your install

Navigate to C:\Apache24\htdocs and create a file called 'test.php'. I had to change a file explorer
setting to create .php files - Organise > Folder and search options > View and then untick 'Hide
extensions for known file types'.

In this file enter the single line...

<?php phpinfo();

And then, in your browser, navigate to http://localhost/test.php. You should see a screen with
masses of information and the PHP logo at the top. Check a few lines down for 'Loaded
Configuration File' and make sure it says c:\php\php.ini.

That's PHP and Apache all working :)

Security Guidelines for Mysql

Anyone using MySQL on a computer connected to the Internet should read this section to avoid
the most common security mistakes.

In discussing security, it is necessary to consider fully protecting the entire server host (not just
the MySQL server) against all types of applicable attacks: eavesdropping, altering, playback, and
denial of service. We do not cover all aspects of availability and fault tolerance here.

MySQL uses security based on Access Control Lists (ACLs) for all connections, queries, and
other operations that users can attempt to perform. There is also support for SSL-encrypted
connections between MySQL clients and servers. Many of the concepts discussed here are not
specific to MySQL at all; the same general ideas apply to almost all applications.

When running MySQL, follow these guidelines:

 Do not ever give anyone (except MySQL root accounts) access to the user table in
the mysql system database! This is critical.
 Learn how the MySQL access privilege system works (see Chapter 4, Access Control and
Account Management). Use the GRANT and REVOKE statements to control access to
MySQL. Do not grant more privileges than necessary. Never grant privileges to all hosts.
Checklist:

o Try mysql -u root. If you are able to connect successfully to the server without being
asked for a password, anyone can connect to your MySQL server as the
MySQL root user with full privileges! Review the MySQL installation instructions,
paying particular attention to the information about setting a root password.
See Section 3.4, “Securing the Initial MySQL Account”.
o Use the SHOW GRANTS statement to check which accounts have access to what.
Then use the REVOKE statement to remove those privileges that are not necessary.
 Do not store cleartext passwords in your database. If your computer becomes compromised,
the intruder can take the full list of passwords and use them. Instead, use SHA2() or some
other one-way hashing function and store the hash value.
To prevent password recovery using rainbow tables, do not use these functions on a plain
password; instead, choose some string to be used as a salt, and use hash(hash(password)
+salt) values.

 Assume that all passwords will be subject to automated cracking attempts using lists of
known passwords, and also to targeted guessing using publicly available information about
you, such as social media posts. Do not choose passwords that consist of easily cracked or
guessed items such as a dictionary word, proper name, sports team name, acronym, or
commonly known phrase, particularly if they are relevant to you. The use of upper case
letters, number substitutions and additions, and special characters does not help if these are
used in predictable ways. Also do not choose any password you have seen used as an
example anywhere, or a variation on it, even if it was presented as an example of a strong
password.

Instead, choose passwords that are as long and as unpredictable as possible. That does not
mean the combination needs to be a random string of characters that is difficult to remember
and reproduce, although this is a good approach if you have, for example, password
manager software that can generate and fill such passwords and store them securely. A
passphrase containing multiple words is easy to create, remember, and reproduce, and is
 much more secure than a typical user-selected password consisting of a single modified
word or a predictable sequence of characters. To create a secure passphrase, ensure that the
words and other items in it are not a known phrase or quotation, do not occur in a
predictable order, and preferably have no previous relationship to each other at all.

 Invest in a firewall. This protects you from at least 50% of all types of exploits in any
software. Put MySQL behind the firewall or in a demilitarized zone (DMZ).

Security Guidelines for apache

1. Disable the server-info Directive

If the <Location /server-info> directive in the httpd.conf configuration file is enabled, you can see
information about the Apache configuration by accessing the /server-info page (for
example, http://www.example.com/server-info). This could potentially include sensitive
information about server settings such as the server version, system paths, database names,
library information, and so on.

For example, /server-info exposes the Apache version along with the OpenSSL version. In the
past, an attacker could use this information to find out whether the server uses a version of
OpenSSL that is vulnerable to the Heartbleed bug.

You can disable this directive by commenting out the entire mod_info module in
the httpd.conf Apache configuration file:

#LoadModule info_module modules/mod_info.so

2. Disable the server-status Directive

When enabled, the <Location /server-status> directive lists information about server performance,
such as server uptime, server load, current HTTP requests, and client IP addresses. An attacker
may use this information to craft an attack against the web server.

You can disable this directive by commenting it out in the httpd.conf Apache configuration file:

#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
#</Location>
3. Disable the ServerSignature Directive

The ServerSignature directive adds a footer to server-generated documents. This footer includes
information about your Apache configuration such as the version of Apache and the operating
system. To restrict Apache from displaying this sensitive information, you need to disable this
directive in your httpd.conf Apache configuration file:

ServerSignature Off

4. Set the ServerTokens Directive to Prod

The ServerTokens directive controls the information that is sent back in the Server response
header field. You can use different syntaxes in this directive, as listed in
the Apache ServerTokens documentation. The ServerTokens directive should be set to Prod in
order to instruct Apache to return only Apache in the server response headers. This can be done
by including the following directive in your httpd.conf Apache configuration file:

ServerTokens Prod

5. Disable Directory Listing

Directory listing lets you view complete directory contents. If this option is enabled, an attacker
can simply discover and view any file. This could potentially lead to the attacker decompiling
and reverse engineering an application in order to obtain the source code. They can then analyze
the source code for possible security flaws or obtain more information about an application, such
as database connection strings, passwords to other systems, etc. You can disable directory listing
by setting the Options directive in the Apache httpd.conf file:

<Directory /your/website/directory>
Options -Indexes
</Directory>

6. Enable Only the Required Modules

A default installation of the Apache HTTP server may include many pre-installed and enabled
modules that you do not need. To add insult to injury, some web server administrators have a
tendency to take the path of least resistance and enable all the remaining modules in httpd.conf,
so as to ensure that everything works without a hitch. This, however, also opens up the Apache
server to any security issues that might exist or be discovered in the future for the enabled
modules.
The Apache module documentation lists and explains all the modules available for Apache.
Research the modules that you have enabled and make sure that they are really required for the
functionality of the website. Unnecessary modules should be disabled by commenting out a
specific LoadModule line.

7. Use An Appropriate User and Group

By default, Apache runs under the daemon user and group. However, it is best practice to run
Apache using a non-privileged account. Furthermore, if two processes (such as Apache and
MySQL) are running using the same user and group, issues in one process might lead to exploits
in the other process. To change Apache user and group, you need to change
the User and Group directives in the Apache httpd.conf configuration file.

User apache
Group apache

8. Restrict Unwanted Services

To secure Apache, you may want to disable certain services, such as CGI execution and
symbolic links, if these are not needed. You can disable these services using the Options directive
in the httpd.conf configuration file and you may also disable these services for a particular
directory only. The below example shows what you need to include in
your httpd.conf configuration file to disable CGI script execution, symbolic links, and server-side
includes for your web server root directory and its subdirectories.

<Directory /your/website/directory>
Options -ExecCGI -FollowSymLinks -Includes
</Directory>

9. Use the ModSecurity WAF

ModSecurity is an open-source module that works as a web application firewall. Different

functionalities include filtering, server identity masking, and null-byte attack prevention. This
module also lets you perform real-time traffic monitoring.

We recommend that you follow the ModSecurity manual to install mod_security to improve your
web server security and protect against a multitude of attacks including distributed denial of
service attacks (DDOS). You can also temporarily use ModSecurity to protect against certain
attacks like SQL Injection and Cross-site Scripting until vulnerabilities are fixed by the
developer.
10. Enable Logging

Apache logging provides detailed information about client requests made on your web server,
hence enabling such logging will prove useful when investigating the cause of particular issues.
In order to enable logging the mod_log_config module needs to be included from the Apache
httpd.conf file. This module provides the TransferLog, LogFormat, and CustomLog directives
which are respectively used to create a log file, specify a custom format, and creating and
formatting a log file in one step. As seen below, the LogFormat directive is used to specify a
custom logging format – in this case the referrer and browser of each request are logged along
with the default logging parameters. Then, the CustomLog directive will be used to instruct
Apache to use this logging format