Defence Syllabus

System Overview & Live Demo Console

Lecture Notes Management Portal Architecture Defense

This traditional **PHP + MySQL** application facilitates secure course note publishing. It features a responsive dark-themed user interface, database aggregation counts, dynamic downloads, and inline iframe-based document previews.

One-Click Demo Authentication Console

Click any card below to instantly log in under that specific system role. The backend handles session injection automatically, allowing you to demonstrate different permission boundary levels to the panel without login delays.

Database Schema & Relationships

Relational schema design structured on MySQL InnoDB Engine

1. Users Table

Contains account login details. Password is encrypted using bcrypt hash strings.

PK: user_id | role ENUM('admin','lecturer','student')
2. Courses Table

Details course subjects. Created by administrators.

PK: course_id | UNIQUE: course_code | FK: created_by -> users
3. User_Courses Table

Many-to-Many join table mapping students/lecturers to courses.

PK: user_course_id | FK: user_id, course_id | UNIQUE KEY: (user_id, course_id)
4. Lecture_Notes Table

Note records referencing physical disk file names and student download metrics.

PK: note_id | FK: course_id, uploaded_by
Cascading Integrity: Deleting a user or course cascades deletions to assignments and note records automatically via MySQL foreign key mappings, preventing orphaned records.

System Module Structure

Module boundaries mapping system operations to role requirements

Admin Module
  • User accounts CRUD.
  • Course catalog setup.
  • Mapping students & lecturers to courses.
  • Aggregated system activity stats.
Lecturer Module
  • Document PDF uploads (<5MB).
  • Title/desc management edits.
  • Unlinking physical files on deletions.
  • Download counts chart.
Student Module
  • Browse registered courses notes.
  • Debounced note keyword search.
  • Inline document iframe preview.
  • Dynamic streamed downloads.

Session Management Policy

Hardening session storage cookies and applying inactivity timeout thresholds

Our system customizes the session parameters in `config/config.php` before starting the session:
  • session.cookie_httponly = 1: Restricts scripts (like JavaScript document.cookie) from accessing the session identifier cookie, neutralizing XSS session hijacking vectors.
  • session.cookie_secure: Enabled dynamically if the server detects SSL/TLS (HTTPS).
  • samesite = Lax: Instructs browsers to omit cookies on cross-site requests, mitigating Cross-Site Request Forgery (CSRF).

When a user logs in, `$_SESSION['last_activity']` is set to `time()`. On every subsequent page access through `check_role()`, the system validates if the time elapsed exceeds `SESSION_TIMEOUT` (30 minutes). If true, it flushes the session array, deletes the cookie, destroys the session, and redirects to the login screen with a timeout notification.

Route Authorization & Protection

Verifying session statuses and role access limits

How check_role() Enforces Boundaries
  1. First, checks if `is_logged_in()` is true. If false, redirects to the login page.
  2. Verifies session timeout limits. If expired, logs the user out.
  3. Examines `$_SESSION['role']` against the array of allowed roles passed to the page function.
  4. If unauthorized, logs the breach to `error_log` and redirects the user back to their respective role's dashboard.
// Example usage inside admin/dashboard.php
require_once __DIR__ . '/../includes/auth.php';

// Enforce admin-only access
check_role(['admin']);

File Upload Safety Rules

How uploaded documents are filtered and stored securely

1. Filetype & MIME Checks

The system checks file extension (`pdf`) AND queries the file MIME type using PHP's `finfo_file` library, validating that it matches `application/pdf` to prevent execution of PHP files disguised with PDF extensions.

2. Cryptographic Re-Naming

Files are renamed to a secure hash (`bin2hex(random_bytes(16)) . '.pdf'`) on disk. This prevents directory traversal, overwriting existing files, and URL path discovery.

3. .htaccess Protection

A `.htaccess` file containing `Deny from all` is placed inside the `uploads/` folder. This tells the web server to block direct URL requests to file locations, preventing direct downloads.

4. Dynamic Download Gateway

All files are downloaded or previewed through `download.php` or `preview.php`. These scripts read the file contents and stream them back to authorized users using standard HTTP headers.

SQL Injection Protection

Comparing raw SQL queries against secure PDO prepared statements

Vulnerable Raw SQL
"SELECT * FROM users WHERE username = '$user'"

If `$user` is `' OR '1'='1`, the query changes context, executing unauthorized logic (SQL Injection).

Secure Prepared Statement
"SELECT * FROM users WHERE username = ?"

Database compiles the query structure first. Parameters are bound separately, rendering injection text harmless.

// Secure parameter binding implementation example
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? OR email = ? LIMIT 1");
$stmt->execute([$identity, $identity]);
$user = $stmt->fetch();

Interactive Code Explorer

Defend your source code by explaining the logic to the panel

What it does

Why it was written

How it works