Defence Syllabus
System Overview & Live Demo Console
Lecture Notes Management Portal Architecture Defense
This traditional **PHP + MySQL** application facilitates secure course note publishing. It features a responsive dark-themed user interface, database aggregation counts, dynamic downloads, and inline iframe-based document previews.
One-Click Demo Authentication Console
Click any card below to instantly log in under that specific system role. The backend handles session injection automatically, allowing you to demonstrate different permission boundary levels to the panel without login delays.
Database Schema & Relationships
Relational schema design structured on MySQL InnoDB Engine
1. Users Table
Contains account login details. Password is encrypted using bcrypt hash strings.
2. Courses Table
Details course subjects. Created by administrators.
3. User_Courses Table
Many-to-Many join table mapping students/lecturers to courses.
4. Lecture_Notes Table
Note records referencing physical disk file names and student download metrics.
System Module Structure
Module boundaries mapping system operations to role requirements
Admin Module
- User accounts CRUD.
- Course catalog setup.
- Mapping students & lecturers to courses.
- Aggregated system activity stats.
Lecturer Module
- Document PDF uploads (<5MB).
- Title/desc management edits.
- Unlinking physical files on deletions.
- Download counts chart.
Student Module
- Browse registered courses notes.
- Debounced note keyword search.
- Inline document iframe preview.
- Dynamic streamed downloads.
Session Management Policy
Hardening session storage cookies and applying inactivity timeout thresholds
- session.cookie_httponly = 1: Restricts scripts (like JavaScript document.cookie) from accessing the session identifier cookie, neutralizing XSS session hijacking vectors.
- session.cookie_secure: Enabled dynamically if the server detects SSL/TLS (HTTPS).
- samesite = Lax: Instructs browsers to omit cookies on cross-site requests, mitigating Cross-Site Request Forgery (CSRF).
Route Authorization & Protection
Verifying session statuses and role access limits
How check_role() Enforces Boundaries
- First, checks if `is_logged_in()` is true. If false, redirects to the login page.
- Verifies session timeout limits. If expired, logs the user out.
- Examines `$_SESSION['role']` against the array of allowed roles passed to the page function.
- If unauthorized, logs the breach to `error_log` and redirects the user back to their respective role's dashboard.
// Example usage inside admin/dashboard.php
require_once __DIR__ . '/../includes/auth.php';
// Enforce admin-only access
check_role(['admin']);
File Upload Safety Rules
How uploaded documents are filtered and stored securely
1. Filetype & MIME Checks
The system checks file extension (`pdf`) AND queries the file MIME type using PHP's `finfo_file` library, validating that it matches `application/pdf` to prevent execution of PHP files disguised with PDF extensions.
2. Cryptographic Re-Naming
Files are renamed to a secure hash (`bin2hex(random_bytes(16)) . '.pdf'`) on disk. This prevents directory traversal, overwriting existing files, and URL path discovery.
3. .htaccess Protection
A `.htaccess` file containing `Deny from all` is placed inside the `uploads/` folder. This tells the web server to block direct URL requests to file locations, preventing direct downloads.
4. Dynamic Download Gateway
All files are downloaded or previewed through `download.php` or `preview.php`. These scripts read the file contents and stream them back to authorized users using standard HTTP headers.
SQL Injection Protection
Comparing raw SQL queries against secure PDO prepared statements
If `$user` is `' OR '1'='1`, the query changes context, executing unauthorized logic (SQL Injection).
Database compiles the query structure first. Parameters are bound separately, rendering injection text harmless.
// Secure parameter binding implementation example
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? OR email = ? LIMIT 1");
$stmt->execute([$identity, $identity]);
$user = $stmt->fetch();
Interactive Code Explorer
Defend your source code by explaining the logic to the panel
What it does
Why it was written
How it works