Create a secure Web Application and

Generated Report as PDF

1
Murdan Sianturi, 2Mochamad Wahyudi
1
Program Pascasarjana Magister Ilmu Komputer STMIK Nusa Mandiri, Jurusan Manajemen
STIE Mulia Pratama
2
Program Pascasarjana Magister Ilmu Komputer STMIK Nusa Mandiri, Program Studi Teknik
Komputer AMIK BSI
[email protected]
[email protected]

Abstract
Web Base Application this moment has consider by company, specifically for company who having more than one
branch or more. With presence application web bases, data can save as centrally. The other thing become
consideration for company is the expense belong to cheap, because we can hire the server at provider. There are
many Internet Service Provider in Indonesia, with the result they are competing within thing price. However there
are cause of why they afraid that is to say complication data safety.

Key words
Web Application, Security, SQL Injection, PDF Report

1. Introduction 1. Using Strong Password for User (min. 8 character).

In software engineering, a web application is an 2. Create a Secure in Login System.
application that is accessed via a web browser over a 3. Create a secure system while send DATA trought
network such as the Internet or an intranet. It is also a browser.
computer software application that is coded in a
browser-supported language (such as HTML, a. Using Strong Password for User
JavaScript, Java, etc.) and reliant on a common web To overcome reconnaissance password (S’to,
browser to render the application executable. 2009). The hacker gathering stage about all information
Web applications are popular due to the ubiquity of user has.
web browsers, and the convenience of using a web
browser as a client, sometimes called a thin client. The b. Create a Secure in Login System
ability to update and maintain web applications without To create a secure in login system, there is two
distributing and installing software on potentially version. The first version, using session register
thousands of client computers is a key reason for their (Hakim, 2008). Usually a programmer use this method.
popularity, as is the inherent support for cross-platform If success login :
compatibility. Common web applications include Session_register(“namauser”);
webmail, online retail sales, online auctions, wikis and Session_register(“passw”);
many other functions. $_session(namauser) = $r[id_user];
$_session(passw)=$r[passw];
For logout :
2. The Most Important Focus To Develop A Web Session_start();
Application Session_destroy;
There are four most important focus : The second version, using MD5 command to
1. Is it application was secure ? encrypt username and password.
2. Is it application User friendly or easy to use ?
3. Is it application’s accessibility good?. And how fast Algorithm :
it to find a data using search facility ? 1. Open form FormLogin.php, input User_Name and
4. Is it application can generated a good report ? Passw
2. Klik Login Button and directly open CekLogin page.
(Locate username & password at table member).
2.1. Is it application was secure ? Implemented Cek Login in PHP:
In develop an application, be sure to create a <?php
secure system, such as : $uname = $_POST["uname"];
$pas = $_POST["pas"];
// This means the query sent to MySQL would be :
include "db.inc.php"; echo $query;
//protect MySQL injection ?>
$uname = stripslashes($uname);
$pas = stripslashes($pas); The query sent to MySQL:
$uname = mysql_real_escape_string($uname); SELECT * FROM users WHERE user='murdan'
$pas = mysql_real_escape_string($pas); AND password='' OR ''=''
$sql="select user,pasw from operator where
user='$uname' and pasw='$pas'"; This would allow anyone to log in without a valid
if (!$res=mysql_query($sql,$dbh)) { password.
echo "err1 ".mysql_error();
exit; But if use stripslashes and
} mysql_real_escape_string, result should be :
$nemu = 0; The query sent to MySQL :
if ($row=mysql_fetch_row($res)) { SELECT * FROM users WHERE user='murdan'
$nemu = 1; AND password=\'\' OR \'\'=\'\'
$vuser = $row[0];
$vpasw = $row[1]; It’s mean the condition should be FALSE.
$combiKey[1]="srah117"; 3. If username and password found, save $hexa as
$combiKey [2]="jonth65"; cookies
$combiKey [3]="mrlun23"; Setcookie("Cid", $hexa, time() +3600);
$combiKey [4]="dgko32"; /* expire in 1 hour */
$combiKey [5]="gterww31"; 4. Insert data to tbl_session
$combiKey [6]="gerardus45"; include "dbses.inc.php";
$combiKey [7]="sanamra97"; $sql = "insert into tbl_session (cid,user_name)
$combiKey [8]="tansye84"; values ('$hexa','$user_name')";
$combiKey [9]="rassye443"; if (! mysql_query($sql,$dbh)) {
$combiKey [10]="prangs99"; echo mysql_error();
$n=rand(1,10); exit;
$encript = $vuser.$pw.$vpasw.$combiKey[$n]; }
$vSessionID = md5($encript);
} Notes:
else { dbses.inc.php is a script to make connection to
echo database.
"<script>location.href='index.php?hasilLogin=A
nda+Salah+Password'</script>"; <?php
exit; //dbses.inc.php
} $database="aplikasi";
$hostname="localhost";
?> $username="root";
$password="tHe98452est";
Why use stripslashes and if
mysql_real_escape_string? (!$dbh=mysql_connect($hostname,$username,
The function is to add the slash before character ‘ $pa ssword)) {
or “. echo mysql_error();
exit;
Look at below as example protect MySQL injection: }
?php mysql_select_db($database,$dbh);
// Query database to check if there are any matchig ?>
users 5. Call direct INDEX.php
$query = "SELECT * FROM users WHERE user='{ Usually a website consist a header, detail and
$_POST['username']}' AND password='{$_POST['p footer. While index.php called it’s should be called
assword']}'"; header.php, detail.php and footer.php. While
mysql_query($query); header.php called, it’s also called cekses.php by
Include “cekses.php” command.
// We didn't check $_POST['password'], it could be 6. At every page run Cekses.php
anything the user wanted! For example: Cekses.php is a script which is should be call
$_POST['username'] = 'murdan'; every time to compare cookies value with data at
$_POST['password'] = "' OR ''='"; table session. If found at table, the user_name
 should be display on top of pages (header), definite </SCRIPT>
that user is ONLINE.
Look this script : It’s mean, after post User Name and Password and
<?php klik Login. The login.php script should be accessed
//cekses.php directly. There are two variable bring to page login.php,
//GET COOKIE VALUE First namely $uname and $pas.
//and COMPARE it with username at table
$cookies_id = $_COOKIE["cid"]; And at login.php, need set up two variabel also to
include " dbses.inc.php"; get data. Look at this script :
$sql="select user_name from tbl_session where <?php
id='$cookies_id ' order by id"; //login.php
if (!$res=mysql_query($sql,$dbh)) { $uname = $_POST[“uname”];
echo mysql_error(); $pas = $_POST[“pas”];
exit; ….
}
if ($row=mysql_fetch_row($res)) { …
$userOK = $row[0]; ?>
}
?> Notes:
<SCRIPT language=JavaScript>
document.tform.uname.focus() ;
document.tform.uname.select() ;
</SCRIPT>

It’s mean is: Put the cursor automaticly standby in

Figure 1. Login Page box of field uname.How if from FormLogin.php we also
send other variabel, like $special_member = “1”?
But we don’t want this data known by public ?

At above form (FormLogin.php), we can change should

be
action="login.php?special_member=1" onSubmit="">

And login.php become :

<?php
Figure 2. After Login //login.php
$uname = $_POST[“uname”];
c. Logout $pas = $_POST[“pas”];
Algorithm Logout for version 2 : $special_member = $_GET[“special_member”];
1. Read variabel Cookies. By command $cookies_id ….
= $_COOKIE["cid"];
2. Delete id from table tbl_session, which is equel with …
$cookies_id ?>
3. Delete Cookies variable. By command
setcookie("cid","",0); It’s no secure. Because at browser we still can see
the variabel showing. The solution is making the
d. Secure while send DATA to other page trought variabel is hidden. Set it before </FORM>, like this:
browser <INPUT type="hidden" name="special_member"
To send DATA from a Form, usually using POST value="1">
method. Look at this script FormLogin.php : So the FormLogin.php should be change, like this :
<FORM name=tform method="POST" <FORM name=tform method="POST"
action="login.php" onSubmit=""> action="login.php" onSubmit="">
User Name : <INPUT name="uname" size="16"> User Name : <INPUT name="uname" size="16">
Password: <INPUT type=password name="pas" Password: <INPUT type=password name="pas"
size="10"> size="10">
&nbsp;&nbsp;<input value='Login' type='submit'> &nbsp;&nbsp;<input value='Login' type='submit'>
</FORM> <INPUT type="hidden" name="special_member"
<SCRIPT language=JavaScript> value="1">
document.tform.uname.focus() ; </FORM>
document.tform.uname.select() ; <SCRIPT language=JavaScript>
document.tform.uname.focus() ; Help instructions to input data.
document.tform.uname.select() ;
</SCRIPT>

And at login.php, need set up three variabel to get

hidden data was come from the form. Look at this
script:
<?php
//login.php
$uname = $_POST[“uname”];
$pas = $_POST[“pas”];
$special_member=$_POST[“special_member”];

….

… Figure 4.
?>

This is has most secure. If you worry somebody 2.3. Is it application having good accessibility ?
change parameter on browser and may effect to your How fast it to find data using search engine facility
database. ? How fast your application ? It’s most the important
one, if you want to build an application web base.
e. About Cookies
The problem, while use cookies. Hijacking cookie a. Fast while accessing the web page.
(S’to, 2004). If some body know your cookies code at On this cases, be sure to minimize using query
another computer and set this code at their computer command at every page. If necessary don’t use query
by Opera browser, automaticly they has login as your anymore. I mean, be sure that every page would be
account. access by visitor has be a HTML file. So when does the
So, for cekses.php need additional function to application should execute query database ? The
check user IP and User Agent. If these attributes not solution is : Query should be done after saving data.
same while user log on, the system need to reject And don’t forget to save the result as html file.
access for user.
Algorithm :
input data
2.2. Is it application user friendly or easy to use? click submit
On every page accessed, need some instructions save data to database by insert command
to help the user step by step how to run the application. do query command to read database and generated
information page as html file.
Help instructions to find data.
How to save data as html or as php file?
<?php
//genfile.php
$sv=”
<?php
\$harga = 100;
\$jumlah = 20; \$tot = \$harga*\$jumlah;
Echo \“Total :\“.\$tot;
Figure 3. ?>”;
$namafile="coba.php";
if (file_exists($namafile)) {
unlink($namafile);
}
$handle= fopen($namafile,'a');
fputs($handle, $sv);
?>

After run genfile.php, you have a file coba.php now,

with volume such as :
<?php
$harga = 100;
$jumlah = 20; $tot = $harga*$jumlah;
Echo “Total :“.$tot;
?>

b. Fast while Searching Data.

In application it’s most important to prepare a
search facility. Why?. To ascertain user is the data was
available or not. Or to find some information about data
having.
But if you search data at a big table, it should be
influence speed of searching. So before, be sure well
set up a small table for search facility. For example the
table for searching having only three fields. The field Figure 6.
are title varchar(150) and content (text, 800) and url
(varchar 100). Data for this table are come from all To print Acquittance for student :
table, from master file, from transaction file and news <?php
file. $gtanggal = $_GET["gtanggal"];
//23.10.2009
Algorithm Store Data to Search Tabel : $tahunct = substr($gtanggal,6,4);
1. Read all data from table master $bulanct = substr($gtanggal,3,2);
2. Store to search table $rec = $_GET["rec"];
3. Read all data from table transaction $namafile = $_GET["namafile"];
4. Store to search table $c =$_GET["c"];
When doing add data to search table ? Doing it //cari $rec di tabel mahasiswa
every add new data in the system. Example, after add include "db.inc.php";
master file or transaction file. Or doing as manually $sql= "select npm,nama,jurusan,ta,kelas
what script should be called to do this. Algorithm for from mahasiswa where rec='$rec'";
Searching a Data : if (!$res=mysql_query($sql,$dbh)) {
1. Open file “search table”. echo mysql_error(); exit;
2. Query Data by condition }
3. Display Result. if ($row=mysql_fetch_row($res)) {
$vnpm = $row[0];
You can take example Google to do this. $vnama = $row[1];
$vjurusan = $row[2];
$vta = $row[3];
$vkelas = $row[4];
}

include "db.inc.php";
$sql= "select npm,nama,jurusan,
ta,kelas,tanggal,jumlah,terbilang,nomor_kwi,opr from
kwitansi_bayaran where npm='$vnpm' and
tanggal='$gtanggal'";
if (!$res=mysql_query($sql,$dbh)) {
echo mysql_error();
exit;
}
if ($row=mysql_fetch_row($res)) {
$vnpm = $row[0];
Figure 5. $vnama = $row[1];
$vjurusan = $row[2];
2.4 Is it application can generated a good report ? $vta = $row[3];
In PHP we can generated a report to PDF using $vtanggal = $row[5];
Class. There are two file class needed, to run report. $vjumlah = $row[6];
The file is class.ezpdf.php and class.Cpdf.php. Both $vterbilang = $row[7];
file, you can download it in $vnomor_kwi = $row[8];
www.sinergypro.com/murdan/class.zip. Example : How $vopr = $row[9];
to print Acquittance for student and Payment Report ? }
/////
include "db.inc.php";
$sql= "select \$pdf->addText(200,\$brs,14,'<b>TANDA
kode_pembayaran,jenis_pembayaran,keter,jumlah,sks PENERIMAAN</b>');
from tr_bayaran where npm='$vnpm' and \$all = \$pdf->openObject();
tanggal='$vtanggal' order by kode_pembayaran"; \$pdf->saveState();
if (!$res=mysql_query($sql,$dbh)) { \$pdf->restoreState();
echo mysql_error(); exit; } \$pdf->closeObject();
$n=0; $tjumlah = 0; \$pdf->addObject(\$all,'all');
while ($row=mysql_fetch_row($res)) { \$brs=\$brs-12;
$n++; \$pdf->ezSetDy(-60);
$xkode_pembayaran[$n] = $row[0]; \$data = array($sude);
$xjenis_pembayaran[$n] = $row[1]; \$cols = array('Kode'=>'Kode','Jenis
$xketer[$n] = $row[2]; Pembayaran'=>'Jenis
$xjumlah[$n] = $row[3]; Pembayaran','Jumlah'=>'Jumlah');
$xsks[$n] = $row[4]; \$pdf->ezTable(\$data,\$cols,'',
$tjumlah = $tjumlah+$xjumlah[$n]; array('xPos'=>110,'xOrientation'=>'right','','cols'=>array(
} 'Kode'=>array('width'=>45,'justification'=>'center'),
'Jenis Pembayaran'=>array('width'=>260),
$koma_vjumlah = "".number_format($tjumlah,0,'.',','); 'Jumlah'=>array('width'=>65,'justification'=>'right')
///// )));
\$pdf->ezSetDy(-14);
//$sude="array('Kode'=>'','Jenis \$pdf->ezText('Terbilang : <b>$vterbilang</b>',12);
Pembayaran'=>'','Jumlah'=>''),"; \$pdf->ezSetDy(-14);
$i = 0; \$pdf->ezText('Nama : <b>$vnama</b>',9);
while ($i<$n) { \$pdf->ezSetDy(-6);
$i++; \$pdf->ezText('NPM : <b>$vnpm</b>',9);
$fiel1 = $xkode_pembayaran[$i]; \$pdf->ezSetDy(-6);
$keterangan=""; \$pdf->ezText('Jurusan : <b>$vjurusan</b>',9);
if ($xketer[$i]) { \$pdf->ezSetDy(-6);
$keterangan=" $xketer[$i]"; \$pdf->ezText('Kelas : <b>$vkelas</b>',9);
} \$pdf->ezSetDy(50);
$fiel2 = $xjenis_pembayaran[$i].$keterangan; \$pdf->ezText('Tanggal <b>$vtanggal</b>',9);
$fiel3 = $xjumlah[$i]; \$pdf->ezSetDy(-6);
$c_fiel3 = "".number_format($fiel3,0,'.',','); \$pdf->ezText('Yang Menerima',9);
$sude=$sude. "array('Kode'=>'$fiel1','Jenis \$pdf->ezSetDy(-6);
Pembayaran'=>'$fiel2','Jumlah'=>'$c_fiel3'),"; \$pdf->ezText(' ',9);
} \$pdf->ezSetDy(-6);
$sude=$sude. "array('Kode'=>'','Jenis \$pdf->ezText(' <b>$vopr</b>',9);
Pembayaran'=>'Total:','Jumlah'=>'<b>$koma_vjumlah< ?>
/b>')"; ";
$namafile="cetak/kwi.php";
$sude="<?php if (file_exists($namafile)) {
\$brs=807; unlink($namafile);
\$pdf->addText(400,\$brs,9,' NOMOR'); }
\$brs=\$brs-12; $handle= fopen($namafile,'a');
\$pdf->addText(400,\$brs,9,'KWITANSI'); fputs($handle, $sude);
\$brs=\$brs-12; unset($sude);
\$pdf->addText(400,\$brs,12,' <b>$vnomor_kwi</b>'); echo
\$pdf- "<script>location.href='gene_report.php?namafile=$na
>addJpegFromFile('images/stiemp.jpg',90,780,50); mafile'</script>";
\$brs=810; exit;
\$pdf->addText(146,\$brs,15,'<b>STIE MULIA ?>
PRATAMA</b>');
\$brs=\$brs-12; Script gene_report.php:
\$pdf->addText(146,\$brs,9,'Program Sarjana Strata 1 <?php
(S1)'); //gene_report.php
\$brs=\$brs-11; include getcwd().'/class.ezpdf.php';
\$pdf->addText(146,\$brs,9,'Program Studi o $pdf =& new Cezpdf("a4");
Manajemen o Akuntansi'); $pdf->selectFont(getcwd().'/fonts/Helvetica.afm');
\$brs=\$brs-26; $pdf->openHere('Fit');
$pdf -> ezSetMargins(30,40,20,20);
 $c_tjumlah = "".number_format($tjumlah,0,'.',',');
include "kwi.php"; $sude=$sude."array('TANGGAL'=>'$fiel2','NPM'=>'
$pdf->ezStream(); $fiel1','KODE PEMBAYARAN'=>'$fiel3', 'JENIS
?> PEMBAYARAN'=>'$fiel4','SKS'=>'$fiel5','JUMLAH'=
>'$c_fiel6','NO. KWITANSI'=>'$fiel7'),\n";
}

$sude=$sude."array('TANGGAL'=>'','NPM'=>'','KODE
PEMBAYARAN'=>'','JENIS
PEMBAYARAN'=>'<b>Total:</b>','SKS'=>'','JUMLAH'=
>'<b>$c_tjumlah</b>','NO. KWITANSI'=>'')\n";

//error T_ARRAY muncul disebabkan karena DATA

tidak ada yang masuk ke array.
$sude="<?php

\$brs=807;
Figure 7. \$pdf-
>addJpegFromFile('images/stiemp.jpg',55,780,50);
To print Payment Report: \$brs=811;
//gener_pembayaran.php?bt=08.2009 \$pdf->addText(120,\$brs,15,'<b>STIE MULIA
<?php PRATAMA</b>');
//gener_daftar_bayaran.php?bt= \$brs=\$brs-12;
$bt=$_GET["bt"]; \$pdf->addText(120,\$brs,8,'Program Sarjana Strata 1
(S1)');
\$brs=\$brs-11;
include "db.inc.php"; \$pdf->addText(120,\$brs,8,'Program Studi o
$sql="select Manajemen o Akuntansi');
npm,tanggal,kode_pembayaran,jenis_pembayaran,kete \$brs=\$brs-36;
r,sks,jumlah,nomor_kwi,opr from tr_bayaran where \$pdf->addText(180,\$brs,14,'<b>DAFTAR
right(tanggal,7)='$bt'order by nomor_kwi PEMBAYARAN $bt</b>');
DESC,kode_pembayaran"; \$all = \$pdf->openObject();
if (!$res=mysql_query($sql,$dbh)) { echo \$pdf->saveState();
mysql_error(); exit; } \$pdf->restoreState();
\$pdf->closeObject();
$z=0; \$pdf->addObject(\$all,'all');
while ($row=mysql_fetch_row($res)) { \$brs=\$brs-12;
$z++; \$pdf->ezSetDy(-80);
$vnpm[$z] = $row[0]; \$data = array($sude);
$vtanggal[$z] = $row[1]; \$cols =
$vkode_pembayaran[$z] = $row[2]; array('TANGGAL'=>'TANGGAL','NPM'=>'NPM','KODE
$vjenis_pembayaran[$z] = $row[3]; PEMBAYARAN'=>'KODE PEMBAYARAN', 'JENIS
$vsks[$z] = $row[5]; PEMBAYARAN'=>'JENIS PEMBAYARAN',
$vjumlah[$z] = $row[6]; 'SKS'=>'SKS','JUMLAH'=>'JUMLAH','NO.
$vnomor_kwi[$z] = $row[7]; KWITANSI'=>'NO. KWITANSI');
//echo "$vnpm[$z]<br>"; \$pdf->ezTable(\$data,\$cols,'',
} array('xPos'=>55,'xOrientation'=>'right','','cols'=>array(
'TANGGAL'=>array('width'=>70,'justification'=>'left'),
$i = 0; 'NPM'=>array('width'=>50,'justification'=>'left'),
while ($i<$z) { 'KODE
$i++; PEMBAYARAN'=>array('width'=>80,'justification'=>'left'
$fiel1 = $vnpm[$i]; ),
$fiel2 = $vtanggal[$i]; 'JENIS
$fiel3 = $vkode_pembayaran[$i]; PEMBAYARAN'=>array('width'=>130,'justification'=>'lef
$fiel4 = $vjenis_pembayaran[$i]; t'),
$fiel5 = $vsks[$i]; 'SKS'=>array('width'=>38,'justification'=>'right'),
$fiel6 = $vjumlah[$i]; 'JUMLAH'=>array('width'=>68,'justification'=>'right'),
$fiel7 = $vnomor_kwi[$i]; 'NO.
$tjumlah = $tjumlah + $fiel6; KWITANSI'=>array('width'=>75,'justification'=>'left')
$c_fiel6 = "".number_format($fiel6,0,'.',','); )));
 References
?> A. Good, Nathan. 2008. Seven habits for writing secure
"; PHP applications.
$namafile="daftar_bayaran.php"; http://www.ibm.com/developerworks/opensource/lib
if (file_exists($namafile)) { rary/os-php-secure-apps/index.html (Access 15
unlink($namafile); October, 2009).
}
$handle= fopen($namafile,'a'); Hakim, Lukmanul. 2008. Membongkar Trik Raksasa
fputs($handle, $sude); para Master PHP. Jakarta : Lokomedia.
echo
"<script>location.href='gene_daftar_bayaran.php'</scri Peranginangin, Kasiman. 2006. Aplikasi Web dengan
pt>"; PHP dan MySql. Yogyakarta : Andi Publisher.
exit;
?> Rahmat, Putra. 2009. Panduan Lengkap Hacking PC.
Jakarta : Kawan Pustaka.
Script gene_daftar_bayaran.php:
<?php Ricky, Anselmus. 2009. On The Spot Hacking. Jakarta :
//gene_daftar_bayaran.php PT. Elex Media Komputindo.
include getcwd().'/class.ezpdf.php';
$pdf =& new Cezpdf("a4"); Sartain, Julie, 2007, Tips For Better Security &
$pdf->selectFont(getcwd().'/fonts/Helvetica.afm'); Compliance.
$pdf->openHere('Fit'); http://www.processor.com/articles/PDFMagazine/G
$pdf -> ezSetMargins(30,40,20,20); ood/P___2913.PDF?GUID= (Access 15 October,
include "daftar_bayaran.php"; 2009).
$pdf->ezStream();
?> S’to. 2009. CEH Certified Ethical Hacker 100% Illegal.
Conclusion Jakarta: Jasakom.
There are four focus to developt a web application :
1. Application must be secure. Thalib, Abdul. 2003. Keamanan pada Aplikasi Web
a. User must be using strong Password dengan PHP.
b. Secure while login (push off SQL Injection) and http://www.cert.or.id/~budi/courses/ec7010/dikmen
c. Check IP and User Agent. ur/thalib-report.pdf (Access 15 October, 2009).
d. Secure while Update Data.
Only the user who was login can update data. W. Purbo, Onno & Akhmad Daniel S. 2005.
Every doing update, need to log some Membangun Web e-commerce. Jakarta : PT. Elex
information such as username, date and time, Media Komputindo.
username, and what data has changed.
To optimal your application security, you can
protect each your page with this script:
<?php
Include “cekses.php”;
If (!$userOK) {
Echo “You are not Authorize!”;
Exit;
}
?>
For Additional , the application need also having
backup system, because data is critical assets
(Sartain, 2007).
2. Application must be user friendly and easy to use.
Need Help File showing at every page (Give
instruction step by step for user)
3. Application must be fast.
a. Fast searching data (minimize table and use
index).
b. Fast query and showing data (use index).
4. Application must be can generated Good Report
Use ClassPDF