SQL ASN3
You may work in pairs if you want for this assignment.
Purpose
• To give you exposure to
o creating a program that
§ connects to a database
§ writes, reads and updates the data in the database
o writing the interface between a database and a user
o creating a client/server program that runs on the internet, serves up a page that runs on the client side (the user's browser) and also connects to a back end database on the server side (your virtual machine)
Tools
• Your virtual machine with the following installed (See Vagrant Information for more details):
o MySQL. Only a root user is required. Password is not required.
o Python 3
o Flask for Python 3
• Optional tools
o MySQL Workbench
o Bootstrap if you want to make your webpages look nice
o GitHub repository if you want to easily share code with a partner
Instructions
• Using the following database:
https://owl.uwo.ca/access/content/group/c345a70e-0aae-48d4-8b8e-5d18c599ee54/Other/MovieTheatre.sql
(also linked in the “Assignment 3 DB” page on the left) and your virtual machine, Python/Flask and MySQL, create a website on your machine that allows a theatre company to manage the viewing of its movie screenings.
• There will be two parts to the assignment:
Part 1: The Back End (45%):
The staff who work at a theatre must be able to:
• Movies
o add movies
o delete movies
o modify movies
o list all movies and all attributes (except genre) sorted alphabetically by movie name
• Genres:
o add a genre to a movie
o delete a genre from a movie
o list all genres and the movie the genre is for sorted alphabetically by genre (include the movie name only)
• Rooms:
o add rooms
o delete rooms
o modify rooms
o list the rooms and all attributes
• Showings
o add showings
o delete showings
o modify showings
o list all the showings and all attributes sorted by date of the showing
• Customer
o add customers
o delete customers
o modify customers
o list all the customers and all attributes sorted by last name
• Attend
o list all the paid for attendances and all attributes,
§ along with customer first name and last name
§ along with showing and showing date/time
§ along with movie and movie title
§ sorted by rating
Part 2: The Front End (45%):
The customers of the theatre must be able to:
• allow a customer to search all the showings by searching (give a warning if there are no seats left for a showing):
o a selected genre (use a dropdown input box from all existing genres in the database)
o a range of dates (use two dropdowns to select a start and end date from all existing dates in the database)
o a showing that still has seats available (checkbox)
o a movie title (free-form input box)
o (Hint: How many seats are left is determined by {room capacity for a showing} – {the total tickets purchased for that showing})
• allow a customer to attend a showing
o select their name and any showing, and “buy” a ticket for it (i.e. insert a new entry in the Attend table).
• allow a customer to rate a showing
o select their name and a showing they attended, and give a rating (a number of stars between 1 and 5) (i.e. update an existing entry in the Attend table)
• allow a customer to select their name and see all the movie titles and ratings for the movies he/she has viewed
• allow a customer to select their name and see his/her profile (all the info about the customer)
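The seats-left hint and the “buy a ticket” / “rate a showing” actions above, worked through as an added example (this is not the assignment's or the course's code). The standard-library sqlite3 module stands in for MySQL so it runs offline; with mysql.connector the placeholder is `%s` instead of `?` and `connect()`, `cursor()`, `commit()` and `close()` are used the same way. The table and column names are assumptions and are not the MovieTheatre.sql schema.

```python
"""Seats-left check, ticket purchase and rating update for Part 2, as an added
example.  sqlite3 stands in for MySQL; table and column names are assumptions,
not the assignment's MovieTheatre.sql schema."""
import sqlite3

# Constructed cut-down schema mirroring the tables the assignment names.
SCHEMA = """
CREATE TABLE Room     (roomID INTEGER PRIMARY KEY, name TEXT, capacity INTEGER);
CREATE TABLE Movie    (movieID INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE Showing  (showingID INTEGER PRIMARY KEY, movieID INTEGER,
                       roomID INTEGER, showtime TEXT);
CREATE TABLE Customer (customerID INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT);
CREATE TABLE Attend   (customerID INTEGER, showingID INTEGER, paid INTEGER,
                       rating INTEGER CHECK (rating BETWEEN 1 AND 5),
                       PRIMARY KEY (customerID, showingID));
"""

# Constructed sample data: Screen A seats 2 and is sold out, Screen B seats 3.
SAMPLE_DATA = """
INSERT INTO Room VALUES (1, 'Screen A', 2), (2, 'Screen B', 3);
INSERT INTO Movie VALUES (1, 'Alien'), (2, 'Brazil');
INSERT INTO Showing VALUES (1, 1, 1, '2024-03-01 19:00'), (2, 2, 2, '2024-03-02 21:00');
INSERT INTO Customer VALUES (1, 'Ann', 'Lee'), (2, 'Bob', 'Ng'), (3, 'Cy', 'Oh');
INSERT INTO Attend VALUES (1, 1, 1, NULL), (2, 1, 1, 4), (3, 2, 1, NULL);
"""

def open_db():
    """Open an in-memory database loaded with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn

# The hint's arithmetic in one statement: capacity minus paid tickets.  LEFT
# JOIN keeps showings with no tickets sold (COUNT over no rows is 0).
SEATS_LEFT_SQL = """
SELECT s.showingID, m.title, s.showtime, r.capacity - COUNT(a.customerID) AS seatsLeft
FROM Showing s
JOIN Room r  ON r.roomID = s.roomID
JOIN Movie m ON m.movieID = s.movieID
LEFT JOIN Attend a ON a.showingID = s.showingID AND a.paid = 1
GROUP BY s.showingID, m.title, s.showtime, r.capacity
ORDER BY s.showtime
"""

# Same arithmetic for a single showing; returns no row if the showing is unknown.
ONE_SHOWING_SQL = """
SELECT r.capacity - COUNT(a.customerID)
FROM Showing s
JOIN Room r ON r.roomID = s.roomID
LEFT JOIN Attend a ON a.showingID = s.showingID AND a.paid = 1
WHERE s.showingID = ?
GROUP BY r.capacity
"""

def seats_left(conn):
    """Return {showingID: seats left} for every showing, in showtime order."""
    cur = conn.execute(SEATS_LEFT_SQL)
    return {row[0]: row[3] for row in cur.fetchall()}

def buy_ticket(conn, customer_id, showing_id):
    """Insert an Attend row only if a seat is left and return the message the
    page would show.  Check and insert share one transaction so two buyers
    cannot both take the last seat."""
    with conn:                       # commit on success, roll back on error
        row = conn.execute(ONE_SHOWING_SQL, (showing_id,)).fetchone()
        if row is None:
            return "No such showing"
        if row[0] <= 0:
            return "Warning: no seats left for this showing"
        conn.execute("INSERT INTO Attend (customerID, showingID, paid, rating) "
                     "VALUES (?, ?, 1, NULL)", (customer_id, showing_id))
        return "Ticket purchased"

def rate_showing(conn, customer_id, showing_id, stars):
    """Update the rating on an existing Attend row (1 to 5 stars)."""
    if not 1 <= stars <= 5:
        return "Rating must be between 1 and 5 stars"
    with conn:
        cur = conn.execute("UPDATE Attend SET rating = ? WHERE customerID = ? "
                           "AND showingID = ?", (stars, customer_id, showing_id))
    return "Rating saved" if cur.rowcount == 1 else "You did not attend that showing"

if __name__ == "__main__":
    conn = open_db()
    try:                             # always disconnect once the action is done
        print(seats_left(conn))
        print(buy_ticket(conn, 3, 1))
        print(buy_ticket(conn, 1, 2))
        print(rate_showing(conn, 1, 1, 5))
    finally:
        conn.close()
```

Every value that comes from the user (showing id, customer id, star count) is passed as a bound parameter, the seat check and the insert run inside one transaction, and the connection is closed in a `finally` block so it is released even when an action fails.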
Part 3: SQL Injection attack (10%):
• Demonstrate a vulnerable page by not using parameterized queries (also known as prepared statements).
o Build a second page that does not use parameterized queries. When a customer is searching for a movie, it should be possible to use a SQL injection attack to view ALL customers at once in the database.
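The contrast Part 3 asks for, as an added example (not the assignment's own code): the same movie-title search written twice, once by splicing the user's text into the SQL string and once as a parameterized query. sqlite3 stands in for MySQL (mysql.connector takes `%s` placeholders rather than `?`), and the Movie table with its three titles is constructed for the example.

```python
"""Part 3 as an added example: a movie search with and without parameterized
queries.  sqlite3 stands in for MySQL; the Movie table below is constructed."""
import sqlite3

def open_db():
    """In-memory database with a constructed Movie table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Movie (movieID INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO Movie VALUES (1, 'Alien'), (2, 'Brazil'), (3, 'Ocean''s Eleven');
    """)
    return conn

def search_vulnerable(conn, title):
    """The Part 3 'second page': the search text is spliced into the statement,
    so a quote in the input ends the string literal and whatever follows is
    parsed as SQL.  Even an honest title with an apostrophe breaks the query."""
    sql = "SELECT title FROM Movie WHERE title LIKE '%" + title + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, title):
    """Parameterized: the statement text is fixed and the input travels as a
    bound value, so a quote is only a character to match against."""
    sql = "SELECT title FROM Movie WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + title + "%",))]

def compare(conn, title):
    """Run both searches on one input; report a parse failure instead of raising."""
    try:
        vulnerable = search_vulnerable(conn, title)
    except sqlite3.OperationalError:
        vulnerable = "SQL syntax error: the input was parsed as part of the statement"
    return {"vulnerable": vulnerable, "safe": search_safe(conn, title)}

if __name__ == "__main__":
    conn = open_db()
    try:
        print(compare(conn, "bra"))       # both searches find 'Brazil'
        print(compare(conn, "Ocean's"))   # only the parameterized search works
    finally:
        conn.close()
```

The two functions return the same rows for ordinary input; the difference only appears when the input contains a quote, which is exactly the case the vulnerable page cannot handle and the parameterized page treats as plain text.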
Part 4: Bonus (up to +10%):
• Movie Posters (5%):
o Modify the database to allow a staff member to add a movie poster image that is added when the movie is added (it will never be updated or added after the fact). The image should somehow be displayed. Assume that all the poster images will be 240 pixels by 360 pixels.
o When the customer views a list of showings based on the movie title, display the movie poster (if one was uploaded) to the user.
• Design (5%)
o TAs will grant an extra 5% if your application has some kind of a modern layout and design. Using Bootstrap (see links above) is a good option. There are other template types out there or you can design one from scratch.
Helpful hints
• Write the “select” webpages first. They will be the easiest to implement
• Write your functions to return strings first. Once the data is accurate, you can move on to using HTML templates
• Here are some helpful links:
o http://flask.pocoo.org/
o https://www.youtube.com/playlist?list=PLQVvvaa0QuDc_owjTbIY4rbgXOFkUYOUB
o http://dev.mysql.com/doc/connector-python/en/
Other Notes
• It is a good habit to disconnect from a database once you have finished using it. After every action above, make sure you disconnect from the database.
• Remember that your code will get large and cluttered and your application will be marked partly on your structure and modularity. Don’t put everything in one file. Try using Python import and separate files to break up the python code.
• The exact number of pages your website will have is not a set number. For example, you may choose to have several pages for the backend with multiple parts inside one page or you might have many pages with exactly one part inside each page. The choice is yours.
• Security:
o Typically, an application like this should use usernames and passwords at the web layer for authentication and authorization. The users would have authentication data in a table in the database. For the sake of simplicity, do not implement this.
o Typically, an application like this should connect to the database with a user account that has exactly the permissions it needs. For the sake of simplicity, just connecting with root and no password is acceptable.
• You may modify the database any way you wish (or even use your own version) provided the modifications continue to follow good database practices. Be sure to upload your copy of the database if you have made modifications to the schema. (You will have to do this if you want to do the movie posters bonus)
NOTE: you cannot use any third party ORM/DAL frameworks that let you avoid writing SQL queries/statements. While it is the preferred option in the industry, you should get more experience writing SQL with this assignment.