E-commerce - Seneca - School of Information & Communications

DES 715. Week 13-2. Web Application Database Development. E-Commerce
Internet and World Wide Web basic building blocks are:
Internet – a worldwide network of networks
TCP/IP – the basic network protocol
Router – special hardware/software equipment that connects multiple and diverse networks
World Wide Web – a worldwide collection of specially formatted and interconnected
documents, known as web pages
Web page – a text document containing text and special commands (or tags) written in HTML
HTML – standard document formatting language for Web pages. HTML makes it possible to
create links among documents and to present those documents in Web browsers
Hyperlink – link between pages
Uniform Resource Locator (URL) – the address of a resource on the Internet
HTTP – hypertext transfer protocol – the standard protocol used by web browsers and web
servers to communicate (above TCP/IP)
Web browser – the end user application used to browse the Internet
Web Server – specialized middleware required to process HTTP requests and to send the
results back to a user.
Web Server and Web client communicate using HTTP. A separate act of communication is
known as a session. The Web Server supports and orchestrates a number of sessions
Web Site – a collection of web pages, stored on the server together with the web server
Static Web Pages – web pages whose content remains the same
Dynamic Web pages – web pages whose content is automatically created and tailored to an end
user’s needs every time the end user requests the page
FTP, E-mail, News Group, social networks, etc – other blocks
From the system architecture point of view, an Internet application is an example of client/server
architecture with a thin client.
The principal design and management of databases remain the same: ERD, normalization, distributed
database, transaction management, etc. However, there are some communication issues
that need to be known and resolved. They are:
- Web pages themselves cannot communicate with databases
- Web pages communicate with the Web Server in request – reply mode
- Being a thin client, web pages practically do not support data processing
- The nature of Internet applications suggests that messages be short and that the reply should
come quickly. It means that transactions should not be of a complicated character,
involving many tables and cross references
Therefore the first question is how to arrange communication between web pages and databases.
The answer brings us to the multi-tiered architecture of Internet applications. So-called
server-side extensions and client-side extensions, and their interfaces, are involved to provide the
interactions.
A server-side extension is a program that interacts directly with the web server to handle specific
types of requests. A server-side extension may comprise a number of components, one of which is
Web-to-database middleware. For example, it could be FrontPage Server Extensions handling
Active Server Pages, which connect to the database via ODBC.
Typical Request / Reply Example in a Web Application
The actions that a Web-to-Database middleware might follow to complete a Client Browser
request for database data are as follows:
1. Client Browser sends a page request to the Web Server, for database data.
2. (a) The Web Server receives the request and validates it.
(b) The web server then determines if the page contains script language. If it does, then it passes
the request to the Web-to-database middleware.
3. (a) The Web-to-database middleware receives the script and validates it.
(b) The middleware then connects to the database and executes the query on the Database
Server.
4. (a) The database server returns the query results back to the Middleware
(b) Then the Middleware generates an HTML format page containing the results.
(c) The Middleware then sends the HTML page to the Web Server.
5. The Web Server returns the HTML page to the Client Browser.
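The steps 3(a), 3(b) and 4(b) above, written out as a small Python middleware function. This is an added example and not code from the course notes; it assumes a constructed in-memory PRODUCT table (SQLite) and a request carrying a `prod_id` query parameter. The two defensive points a practitioner would want from "validates it" and "generates an HTML page" are shown: the product id is validated and bound as a query parameter rather than spliced into the SQL text, and database values are HTML-escaped before they are put on the page.

```python
import html
import sqlite3
from urllib.parse import parse_qs

# Constructed sample rows standing in for the PRODUCT table on the Database Server.
SAMPLE_PRODUCTS = [
    (101, "USB cable", 7.99, 120),
    (102, "Keyboard <wireless>", 29.50, 8),
]


def open_db():
    """In-memory database holding only the constructed PRODUCT rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PRODUCT (PROD_ID INTEGER PRIMARY KEY, PROD_NAME TEXT, "
               "PROD_PRICE REAL, PROD_QOH INTEGER)")
    db.executemany("INSERT INTO PRODUCT VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    db.commit()
    return db


def validate_request(query_string):
    """Step 3(a): validate the request parameters before touching the database.
    Returns the product id as an int, or None when the request is malformed."""
    values = parse_qs(query_string).get("prod_id", [])
    if len(values) != 1 or not values[0].isdigit():
        return None
    return int(values[0])


def fetch_product(db, prod_id):
    """Step 3(b): run the query with a bound parameter; the id never becomes SQL text."""
    return db.execute(
        "SELECT PROD_ID, PROD_NAME, PROD_PRICE, PROD_QOH FROM PRODUCT WHERE PROD_ID = ?",
        (prod_id,),
    ).fetchone()


def render_html(row):
    """Step 4(b): build the HTML reply; text columns are escaped so a product name
    cannot inject markup into the page."""
    if row is None:
        return "<p>Product not found</p>"
    prod_id, name, price, qoh = row
    return ("<table><tr><th>ID</th><th>Name</th><th>Price</th><th>On hand</th></tr>"
            f"<tr><td>{prod_id}</td><td>{html.escape(name)}</td>"
            f"<td>{price:.2f}</td><td>{qoh}</td></tr></table>")


def handle_request(db, query_string):
    """The whole middleware round trip: (HTTP status, HTML body) handed back to the Web Server."""
    prod_id = validate_request(query_string)
    if prod_id is None:
        return 400, "<p>Bad request</p>"
    row = fetch_product(db, prod_id)
    if row is None:
        return 404, render_html(None)
    return 200, render_html(row)


if __name__ == "__main__":
    db = open_db()
    print(handle_request(db, "prod_id=102"))
    print(handle_request(db, "prod_id=abc"))
```

Note that the validation rejects the request before any database connection is used, which keeps malformed requests cheap for the Database Server and is in line with the "short message, quick reply" requirement above.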
To communicate, the Web Server must provide some interface.
Web Server Interface
A web server interface is a standard way to exchange messages that allows communication
between the Web Server and an external program. Two well-defined types of Web server
interface are:
1. CGI – Common Gateway Interface
CGI uses a script file to perform specific functions using parameters about the client that are
passed by the client to the Web server. The script file content can be used to connect to the
database. The script files are usually written in Perl, C++, or VB. The main disadvantage of CGI
scripts is that they have to be started anew as a separate program for each particular request.
2. API – Application Programming Interface
APIs are implemented as shared code (dynamic link libraries, DLLs). When the Web server
calls the API, it is invoked as part of the Web server program. APIs are specific to the Web
server and the operating system.
They are faster because the API code is resident in memory and does not need to be run as an
external program for every request.
Other Web programming languages must be used to add functionality to a web browser. This
additional client-side functionality is called a Client-Side Extension; it extends the ability of
the web browser client. Languages and tools used to create client-side extensions include:
Plug-ins – external applications that are automatically invoked by the browser when needed
Java – object-oriented programming language. Java applications are compiled and stored on the
Web Server. Calls to Java modules are embedded in HTML pages. When the browser finds the
call, it downloads the Java module and runs it on the client machine.
JavaScript – scripting language. JavaScript code is embedded in HTML pages and is
downloaded together with the web page.
ActiveX and VBScript – similar to Java and JavaScript, for the Windows environment
Client-side extensions are mostly used to validate data entered by a client.
In the Internet environment the number of concurrent requests to a database can be very high.
Transaction management is therefore arranged on the server side, in the so-called Back Office.
The Web Server takes care of the client’s session management. Web-to-database middleware
supports web server – database communication. In more complicated systems, Web Application
Server middleware may be used to build a multi-tiered architecture.
E-commerce
E-commerce applications can be of two types: B2B (Business To Business) and B2C
(Business To Consumer).
Two specific features have to be kept in mind when developing the database for an e-commerce
application: online payment and online selection of products.
Commonly used e-commerce scenario:
1. A customer orders products online, entering order and credit card information on a
merchant’s Web page
2. The information travels from the customer’s computer over the Internet to the merchant’s
Web server
3. The merchant uses a third-party company to process payment authorization
4. The payment processing company contacts the customer’s credit card issuing company to
authorize the transaction
5. The customer’s credit card issuer authorizes the transaction
6. The merchant receives authorization, stores the order and payment data in a database, and
sends order confirmation to the customer
7. The seller uses a third-party shipping company to deliver the products
8. The customer receives order and shipping confirmation
Note. A merchant must establish a relationship with a bank to support online payment (to
open a merchant account for online payments), but this is outside the scope of computer system
development.
This is the list of main tables supported in a regular e-commerce application:
Production tables:
CUSTOMER – contains details for each registered customer. This table contains logon info,
general data, credit card data, and billing data. Logon info and credit card data must be encrypted
PRODUCT – contains product details, such as product ID, prices, quantity on hand. Usually
the product ID is an internal ID, or stock ID (not SKU)
PRODTYPE – identifies the main product type classifications (used to build the tree that splits the
product list (or pricing list) on the first screen and narrows a customer’s search)
ORDER – contains general order details, such as customer, date, number
ORDLINE – contains the products selected for each order. There is 1:M
connectivity between ORDER and ORDLINE
Support tables:
SHOPCART – Shopping Cart. A temporary table containing the products and the quantity of items
for each product selected by the customer. The table content is deleted when the customer finishes
selection. The content may be transferred to arrange online payment and stored in the
ORDER table if the customer decides to purchase, or it may simply be abandoned if the
customer quits the web site. In either event, the SHOPCART temporary rows are erased.
The table contains the following fields:
CART_ID (pk) – generated automatically for each customer and for each visit
CART_PROD_ID (pk) – the ID of the product selected by the customer. In a conventional
database it could be considered an FK as well, but for performance reasons we usually do not
do this in e-commerce. This table is very dynamic and is subject to many updates within one
session
CART_QTY – the number of items of the selected product
Other useful but optional tables:
PMTYPE – The payment options offered by the merchant
SHIPTYPE – the shipping options offered by the merchant
TAXRATE – The tax rate for each state and/or country
STATE – the list of states and/or countries for which the tax is charged
PROMOTION – special promotions such as sales discounts
PRICEWATCH – customers who want to be notified if a product matches certain criteria
PRODPRICE – optional table used to manage multiple price levels, when the price depends on
the quantity of items sold to a customer
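The SHOPCART life cycle described above (rows accumulate during selection, are either turned into an ORDER with its ORDLINE rows or abandoned, and are erased in either case) as a worked Python/SQLite example. This is an added example, not part of the course notes; the schema is constructed from the table list above, with a composite primary key and deliberately no FK on CART_PROD_ID, and ORDER is quoted because it is a reserved word in SQL. The point worth seeing in code is that checkout is one transaction: the order header, the order lines, the stock decrement and the cart deletion either all happen or none do.

```python
import sqlite3

# Constructed schema following the table list in the notes (column names assumed).
SCHEMA = """
CREATE TABLE CUSTOMER (CUST_ID INTEGER PRIMARY KEY, CUST_NAME TEXT NOT NULL);
CREATE TABLE PRODUCT  (PROD_ID INTEGER PRIMARY KEY, PROD_NAME TEXT NOT NULL,
                       PROD_PRICE REAL NOT NULL,
                       PROD_QOH INTEGER NOT NULL CHECK (PROD_QOH >= 0));
CREATE TABLE "ORDER"  (ORD_ID INTEGER PRIMARY KEY,
                       CUST_ID INTEGER NOT NULL REFERENCES CUSTOMER (CUST_ID),
                       ORD_DATE TEXT NOT NULL);
CREATE TABLE ORDLINE  (ORD_ID INTEGER NOT NULL REFERENCES "ORDER" (ORD_ID),
                       PROD_ID INTEGER NOT NULL REFERENCES PRODUCT (PROD_ID),
                       LINE_QTY INTEGER NOT NULL CHECK (LINE_QTY > 0),
                       LINE_PRICE REAL NOT NULL,
                       PRIMARY KEY (ORD_ID, PROD_ID));
CREATE TABLE SHOPCART (CART_ID INTEGER NOT NULL, CART_PROD_ID INTEGER NOT NULL,
                       CART_QTY INTEGER NOT NULL CHECK (CART_QTY > 0),
                       PRIMARY KEY (CART_ID, CART_PROD_ID));
"""

# Constructed sample rows.
SAMPLE_CUSTOMERS = [(1, "A. Customer")]
SAMPLE_PRODUCTS = [(101, "USB cable", 7.99, 120), (102, "Keyboard", 29.50, 8)]


def open_db():
    """In-memory database loaded with the constructed schema and sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO CUSTOMER VALUES (?, ?)", SAMPLE_CUSTOMERS)
    db.executemany("INSERT INTO PRODUCT VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    db.commit()
    return db


def add_to_cart(db, cart_id, prod_id, qty):
    """Add qty items of a product to the cart; repeated adds of the same product accumulate."""
    with db:
        cur = db.execute("UPDATE SHOPCART SET CART_QTY = CART_QTY + ? "
                         "WHERE CART_ID = ? AND CART_PROD_ID = ?", (qty, cart_id, prod_id))
        if cur.rowcount == 0:
            db.execute("INSERT INTO SHOPCART VALUES (?, ?, ?)", (cart_id, prod_id, qty))


def cart_contents(db, cart_id):
    return db.execute("SELECT CART_PROD_ID, CART_QTY FROM SHOPCART WHERE CART_ID = ? "
                      "ORDER BY CART_PROD_ID", (cart_id,)).fetchall()


def abandon_cart(db, cart_id):
    """The customer quits the site: the temporary rows are simply erased."""
    with db:
        db.execute("DELETE FROM SHOPCART WHERE CART_ID = ?", (cart_id,))


def checkout(db, cart_id, cust_id, order_date):
    """The customer confirms the purchase: move the cart into ORDER/ORDLINE, reduce
    stock, erase the cart. One transaction: any failure rolls everything back."""
    lines = cart_contents(db, cart_id)
    if not lines:
        raise ValueError("cart is empty")
    with db:  # sqlite3 commits on normal exit and rolls back on an exception
        ord_id = db.execute('INSERT INTO "ORDER" (CUST_ID, ORD_DATE) VALUES (?, ?)',
                            (cust_id, order_date)).lastrowid
        for prod_id, qty in lines:
            row = db.execute("SELECT PROD_PRICE, PROD_QOH FROM PRODUCT WHERE PROD_ID = ?",
                             (prod_id,)).fetchone()
            if row is None or row[1] < qty:
                raise ValueError(f"product {prod_id}: insufficient stock")
            db.execute("UPDATE PRODUCT SET PROD_QOH = PROD_QOH - ? WHERE PROD_ID = ?",
                       (qty, prod_id))
            # the price is copied into the line so later price changes do not alter old orders
            db.execute("INSERT INTO ORDLINE VALUES (?, ?, ?, ?)", (ord_id, prod_id, qty, row[0]))
        db.execute("DELETE FROM SHOPCART WHERE CART_ID = ?", (cart_id,))
    return ord_id


def order_lines(db, ord_id):
    return db.execute("SELECT PROD_ID, LINE_QTY, LINE_PRICE FROM ORDLINE WHERE ORD_ID = ? "
                      "ORDER BY PROD_ID", (ord_id,)).fetchall()


def stock(db, prod_id):
    return db.execute("SELECT PROD_QOH FROM PRODUCT WHERE PROD_ID = ?", (prod_id,)).fetchone()[0]
```

Because the cart has no FK on CART_PROD_ID, a product that disappeared between selection and checkout is only detected at checkout (the `row is None` branch); that is the price paid for the faster cart updates the notes mention.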
Database Security
In a broad sense the data security concept comprises a number of points:
- Data consistency
- Data Integrity
- Referential Integrity
- Data accuracy
- Protection against unauthorized access
- Protection against unauthorized changes
The first three relate essentially to conceptual database design and are obtained (or not) as
the result of the design implementation. Logical and physical models are to be complemented
with relevant triggers and stored procedures, as well as with data replication and transaction
management solutions if necessary.
Data accuracy requirements are met on the basis of data constraints and usually
become a subject of software module programming. This may be triggers or stored procedures as
well as application software. For example, if we want to strengthen control over the invoice
number value, we may define some internal structure for the value and make the data entry
software check that the number conforms to that structure. Note: assuring data accuracy is always
an issue. What helps most is to minimize the volume of data typed on a
keyboard. Wherever possible it is recommended to use pull-down lists of options whose
content comes from support tables. Examples: credit card types, family relationship types,
charge types, calendar dates and so on. Work closely with the computer programmer on
this issue.
Protection against unauthorized access and changes comprises a number of methods and tools,
especially in the Internet environment. We will consider some principal points.
Authentication – the process of determining whether someone is in fact who or what they claim
to be
Authorization – the process of providing permissions to someone or to something to do or to
have something
The components involved in online data processing are: the client, data transfer via
communication channels, and data processing on the server. Each component has its own security issues
to be resolved.
The basic problems of client-side security are the user’s authentication and non-repudiation. The
traditional method of authentication is user ID and password. However, we must admit that
this is a weak method that can be broken very easily. That is why newer methods have come into
use, such as biometric authentication or token-based authentication, as well as digital
signatures.
Special databases and protocols can be used to store user accounts (ID and password) in
the most secure way. They are known as Directory Services databases and work with LDAP
(Lightweight Directory Access Protocol). Known solutions are Directory Services from Novell,
Sun LDAP, and Active Directory from Microsoft. A directory itself can be defined as a special
database, though not a relational one. The most appropriate description of the data model of a directory is
“object oriented”.
The DBMS provides its own access control. User IDs, passwords, and access privileges are stored
as part of the system data. Nowadays access privileges may be assigned at a granular level,
allowing specific access control down to records and fields.
Protection of data in transit is based on data encryption methodology. This area has been
well developed and usually brings good results. Symmetric and asymmetric encryption methods
are used to secure data transfer over a public network (WAN). A LAN is usually protected with
symmetric encryption.
Additional protection is required for data stored in the database. It is recommended to use
encryption algorithms to encrypt sensitive data before storing it. For example, credit card
data must be encrypted. At the least, the basic encryption algorithms provided by the
DBMS can be used for this.
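How the CUSTOMER table's "logon info and credit card data must be encrypted" requirement looks in application code, as an added example that is not from the course notes. Two distinct treatments are shown, because the two kinds of data have different needs: the password is never needed back in clear, so it is stored as a salted PBKDF2-HMAC-SHA256 hash and checked by recomputation; the card number is needed again for payment processing, so it is encrypted with a key the merchant holds and only a masked copy is kept for display. The hashing uses only the Python standard library; the card encryption assumes the third-party `cryptography` package (its Fernet class, an authenticated AES-CBC/HMAC construction) is installed. The column names and the sample card number are constructed for the example.

```python
import hashlib
import hmac
import os

try:
    from cryptography.fernet import Fernet   # third-party package, assumed installed
except ImportError:                          # hashing still works without it
    Fernet = None

PBKDF2_ITERATIONS = 600_000   # deliberately slow, so guessing passwords offline is expensive


def hash_password(password):
    """Logon info: store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def card_encryption_available():
    return Fernet is not None


def new_card_key():
    """Merchant-side key for card data; it belongs in a key store, never in the CUSTOMER table."""
    return Fernet.generate_key()


def mask_card_number(pan):
    """Display form of a card number: only the last four digits stay in clear."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def build_customer_row(cust_id, login, password, pan, key):
    """Assemble the CUSTOMER row to be written (column names assumed): hashed logon info,
    encrypted card number, masked copy. The plaintext card number is never part of the row."""
    if not card_encryption_available():
        raise RuntimeError("cryptography package required for card data encryption")
    digits = "".join(ch for ch in pan if ch.isdigit())
    return {
        "CUST_ID": cust_id,
        "CUST_LOGIN": login,
        "CUST_PWD_HASH": hash_password(password),
        "CUST_CARD_ENC": Fernet(key).encrypt(digits.encode("ascii")).decode("ascii"),
        "CUST_CARD_MASK": mask_card_number(digits),
    }


def read_card_number(row, key):
    """Recover the card number for payment processing with the merchant's key;
    a tampered ciphertext raises an exception instead of decrypting to garbage."""
    return Fernet(key).decrypt(row["CUST_CARD_ENC"].encode("ascii")).decode("ascii")


if __name__ == "__main__":
    key = new_card_key()
    # constructed sample data
    row = build_customer_row(7, "alice", "correct horse battery", "4111 1111 1111 1111", key)
    print(row["CUST_CARD_MASK"], verify_password("correct horse battery", row["CUST_PWD_HASH"]))
    print(read_card_number(row, key))
```

The DBMS-level encryption the notes mention protects the stored files and backups; encrypting in the application before the INSERT, as above, additionally keeps the card number out of query logs and out of reach of database users who can read the table but do not hold the key.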