Web Development

Web Development

The Office of Information Technology provides a number of options and resources for students, employees, and organizations to host information and data online.  OIT also provides Campus Web Solutions, a custom web development contract service.

  1. The UNIX server, known as Mallard, hosts the Auburn University homepage. All Students and Employees automaticaly have 10GB of web space already set up on this server (http://www.auburn.edu/~username).

    • To access this space, see "Editing Websites on the Unix Server".
    • If visiting a site results is a "Forbidden" error one of two situations could be the cause of the problem.
      1. There is not and index.html, index.htm, or index.php file in the website.
      2. The permissions on that file are not set to allow the world read permission. (See #10 under "Using SFTP with WinSCP")

    Departments and Student Organizations can request web space on the unix server by sending the following information to webadmn@auburn.edu:

    • Name of the Department or Organization
    • Name and Position of person making the request
    • Prospective URL, such as http://www.auburn.edu/aubie
    • Names and usernames of the webmasters - we cannot provide webmaster access to non-AU personnel.
  2. SharePoint is a browser-based collaboration tool that makes it easier for people to work together. It helps people set up web sites to share information with others, manage documents from start to finish, and publish reports to help everyone make better decisions. Click to request a SharePoint site.

  3. The WordPress server is also available to student organizations, employees, and departments. This server is dedicated to the installation of the WordPress blogging software and is updated regularly with the latest patches.  To request space on the WordPress server, send the following information with your request to wpadmin@auburn.edu:

    • Name of person making the request
    • Auburn University username
    • Name of Department if applicable
    • Prospective URL, such as http://wp.auburn.edu/aubie
    *Setup takes between 3 and 5 business days depending on workload.
  4. A Windows server running IIS and ASP.NET, often using Microsoft SQL databases, is available to graduate students and employees by request. To request space, contact iisadmin@auburn.edu.


Features UNIX SharePoint WordPress Windows
Secure HTTPS capability Yes Yes Yes Yes
Server-side includes Yes No Yes Yes
PHP Yes No Yes No
VB.NET, C#, ASP, VB No Yes No Yes
ASP.NET Framework No Yes No Yes
MySQL Yes No Yes No
SQL Yes Yes No Yes
Backed up nightly Yes Yes Yes Yes
Undergraduate Students Yes No No No
Graduate Students Yes Yes No Yes
Student Organizations Yes Yes Yes No
Employees Yes Yes Yes Yes
Departments Yes Yes Yes Yes


Student Organizations

Every chartered student organization in good standing has a public web page linked from the Center for Student Organizations website.

Note: Student organization web pages must conform to the Policies for student organization web pages and to the Network Policies.

Web Editing Software

To create web pages more quickly and easily, plus without having to learn HTML, you can use a web page editor or HTML editor.  A free option is Microsoft SharePoint Designer 2007, which is installed in the OIT Computing Labs located around campus and is available to download at AU Install.

Adobe Dreamweaver is another popular web page editing program which is compatible with the Unix Server.  Dreamweaver can be bought at special student pricing through the AU Bookstore.

Editing Websites on the Unix Server

Creating a personal website in OIT Computing Labs

These instructions help you create a web page from an OIT Computing Lab. There are a wide variety of uses for a web page, such as a resume, so be creative! Keep in mind, though, that you are subject to the rules set by the OIT Network Policy.

Follow these steps:

  1. Log into an OIT Computing Lab machine and open My Computer on the desktop.
  2. Select the (P:) drive, which is also your public_html directory on your H: drive.
  3. Open Microsoft SharePoint Designer 2007 and select File > New > Web Site.
  4. Choose General > One Page Web Site > click the Browse button > find the P drive > OK > OK.
  5. In the folder list pane on the left, highlight the file named default.htm > right-click > Rename > enter index.html
  6. Double-click index.html to open the file and begin making changes to the page.
  7. Choose File > Save or simply press Ctrl-S and voila! Your page is now viewable on the web at http://auburn.edu/~username where username is your username.
  8. Point a web browser to your new personal page and see how it looks to the world. Whenever you save changes, refresh (reload) the browser page to see the changes.
Creating a personal website outside OIT Computing Labs

Here's one of the many ways to create and modify your AU personal web page. Numerous web page creation tools are available for purchase and for free download on the Internet. OIT currently supports Microsoft SharePoint Designer 2007, which is available via free download. Any simple text editor, like NotePad, will work as well, but you'll need to know how to code HTML. Keep in mind that you are subject to the rules set by the OIT Network Policy for any web pages you create.

Follow these steps:

  1. Create a folder on your local computer for your website, perhaps in My Documents\My Websites.
  2. Open Microsoft SharePoint Designer 2007 and select File > New > Web Site.
  3. Choose General > One Page Web Site > click the Browse button > find and select the folder you created in Step 1 > OK > OK.
  4. Make changes to the page.
  5. If you plan to host the page on the UNIX server (www.auburn.edu), then do this: in the folder list pane on the left, highlight the file named default.htm > right-click > Rename > enter index.html. If you plan to host the page on the Windows server, you can skip this step.
  6. Choose File > Save or simply press Ctrl-S. When you have the page the way you want it, the next step is to place the file onto the server.
Publishing your personal website outside OIT Computing Labs

Using Microsoft SharePoint Designer 2007 makes it really simple to publish to your UNIX web space. If you used a text editor, like NotePad, to code your own HTML, you can also use a FTP program to access and upload to your web space.

Follow these steps:

  1. Follow the steps in Creating a web page outside the OIT Computing Labs.
  2. Log in to the VPN Client
  3. Map a drive to your personal webspace - \\ausamba\public_html
  4. After saving your web page, select File > Publish Site.
  5. In the 'Remote Web Site Properties' box, for Remote Web Server type, check File System. For Remote Web site location, find the mapped network drive you created. Click OK.
  6. Panels labeled Local web site and Remote web site show your folders and files on your computer and on the web server. Highlight the folders and files you've created or changed on the local web site.
  7. Click the blue right arrow between the panels to copy the highlighted files to the remote web site.
  8. When publishing is completed, open a web browser and go to http://www.auburn.edu/~username to see your finished page.
  9. If you make changes to the web page, publish it again and reload your web browser to view the changes.
Using SFTP with WinSCP

These instructions show you how to use WinSCP, which is installed on all of the OIT computing labs and is available for home computer download from AU Install, to SFTP Files to your Auburn University web space.

Follow these steps:

  1. If you are off-campus, you will first need to connect via an VPN connection.
  2. Open the WinSCP program. The Login Dialog window will open automatically.
  3. Choose the File protocol SFTP.
  4. In the Enter host text box, type mallard.auburn.edu (in some other FTP programs you may have to use sftp://mallard.auburn.edu)
  5. The port number should be set to 22.
  6. In the Enter username and Enter password text boxes, enter your username and password.
  7. On the left select Environment > Directories. For the Remote directory enter your desired server path (ex. /export/vol2/httpd/htdocs/, which is the main auburn web directory), then press OK.  And if you get a message relating to cacheing, press "OK."
  8. The Connection Screen is where you transfer your files. The left side contains the drives, directories, and files on your computer while the right has those of the remote computer that you're logged into.
  9. To transfer a file, click once to select an item and then click on an option at the bottom of the screen or just drag the item. Use the folder followed by two dots, "..", to go back a directory.
  10. To change the permissions of files, right-click the item on the remote server side of the screen and select "properties."  Make sure that all files and folders are "world readable" (folders are at least 755 and files are at least 644).
Connecting to Mallard with SecureCRT

SecureCRT is provided on all OIT Computing Lab machines and is available for home computer download from AU Install.

Follow these steps:

  1. If you are off-campus, you will first need to connect via an VPN connection.
  2. Open SecureCRT on your computer. In the OIT Computing Labs, click on "Secure Shell to Mallard" on the computer's desktop.
  3. Use the Connection window to select where to access. If this window doesn't come up, click the Connection button on the far left.

    Telnet SecureCRT

  4. Select Mallard and click Connect. If Mallard is not an option, click the New Connection button (third from the left), enter mallard.auburn.edu as the Hostname, and click OK.
  5. Fill in your username for Login: and your password for Password: when prompted.
  6. You have now created an SSH session. There are a variety of UNIX commands available to navigate and perform actions with.
  7. To disconnect, hit the Disconnect button (second from the left) or exit out of the program.
Create accessible content (Section 508)

For assistance in creating web content that is accessible to students with disabilities please contact the Instructional Multimedia Group (IMG) or the Office of Accessibility.

IMG offers a short course on creating accessible courses. View the OIT Training page for more information.

Helpful Resources (external web sites)

Basic UNIX commands

Here are a few of the commands you can use (italic commands require changes):

pwd : determines the present working directory

cd directory: change directories; i.e. cd /home/home9/AUuser/subdir

ls : list of all the files in a directory

ls -l : detailed list of all the files, including file permissions, ownership, and groupname.

ls -R : recursive parameter; see all the subdirectories and files in and below the present one

ls -alR : recursive long listing including any hidden files

cp filename newname : make a copy of a file within the present working directory

cp filename targetdirectory : copy a file to another directory

mv filename newname : "move" or rename a file within the present working directory

mv filename targetdirectory : move a file to another directory

rm filename : delete a file located in the present working directory

mkdir newdirectory : make a new directory; use chmod command afterward and chgrp command if it is a shared directory

rmdir directoryname : delete a directory; will not work if files are in the directory

command1 | command2 : send the output of one program to another by putting a | (the pipe symbol) between two commands; for example, if you want to look at a list of your files, but you have too many files to see at once, you can prevent them from scrolling too quickly by piping the ls command into the more command like this ls | more.

command > filename : send the output of a program to a file; for example, to send the output of the ls command to the filelist.dat, use ls | filelist.dat.

man command : find more information about a particular command

cd /usr/bin : use this to display a complete list of commands that can be found

ls : use this to display all the commands

You can also use the asterisk (*) as a wildcard to set the permissions for all the files in a directory.

Understanding UNIX file permissions

Permissions are divided into three types:

r - read the file or directory
w -
write to the file or directory
x -
execute the file or directory

Read permission allows a user to read the contents of the file, or in the case of directories, to list the contents of the directory.

Write permission allows the user to write to and modify the file. For directories, write permission allows the user to create new files or delete files within that directory.

Execute permission allows the user to run the file as a program or shell script (if the file happens to be a program or shell script, that is). For directories, having execute permission allows the user to cd into the directory in question.

Each of these permissions is set for each of three types of users:

u - the owner of the file
g - members of the group to which the owner belongs
o - all other users

By setting the permissions, the file owner controls what users of each type can and cannot do to the file. The permissions to a file are listed as a string of nine characters like this:

user    group   other 
r w x r w x r w x

You can view the permissions of a file by entering ls -l at the command line prompt. The output will be a list of all the files and directories in your present directory. An example of one line from such a list would be:

-rwxrw-r-- smithjo client 3754 Feb 24 15:30 my.txt

The first (-) tells you if the entry is a file(-), directory(d), or a link(l). It is followed by the permissions list for the file, directory, or link. This is followed by the username of the person who owns the file or directory, in this case smithjo. The owner's username is then followed by the name of the owner's group (client), the size of the file(in bytes,3754), the date the file was last modified (Feb 24 15:30), and finally the name of the file (my.txt).

File permissions are set or changed with the chmod command. There is a shorthand way of setting permissions by using octal numbers. Read permission is given the value 4, write permission the value 2 and execute permission 1. These values are added together for any one user category:

1 = execute only
2 = write only
3 = write and execute (1+2)
4 = read only
5 = read and execute (4+1)
6 = read and write (4+2)
7 = read and write and execute (4+2+1)

So access permissions can be expressed as three digits. For example:

                              user   group   others
    chmod 664 file1           -rw-    rw-     r--
    chmod 644 file1           -rw-    r--     r--
    chmod 775 directory1      drwx    rwx     r-x        

Use these UNIX commands to change file and directory permissions:

chmod 644 filename : if the file is yours alone, you must restrict the group permissions to allow read only (because everyone is a member of the group other); allow the "world" to read only

chmod 664 filename : if the file is to be shared, remember to first change the group ownership using chgrp command as above; give read and write access to the group, and allow the "world" to read only, by using the command

chmod 775 directory : allow read, write and execute permission to the owner and group, and allow the "world" to read and execute, by using the command

chmod 666 PHP_data_file : any data file that needs to be written to by a PHP script has to be world readable and writeable

Where filename is the name of the file or directory is the name of the directory. You can also use the asterisk (*) as a wildcard to set the permissions for all the files in a directory:

UNIX also allows files to be shared. In this way, files can be maintained by the persons responsible for them but altered by no one else. Although each file is owned by a particular user, it is also owned by a particular group, which is a system-defined group of users. Each user always belongs to at least one group. On the OIT Sun Network, there is a general group called other to which everyone belongs. Use these UNIX commands to view and change group access:

groups : determine what groups you are in

ypmatch groupname group : find out who is in a particular group

chgrp groupname filename : after uploading a file, will change file access to only those in your group

chgrp groupname directory : after uploading a directory, will change directory access to only those in your group

Note: The default access group for everyone on the Mallard server is "other". If you do not change the access group on your organization's Web documents and leave the file permissions set at "read and write" for the group, anyone that can log in to the OIT Sun can edit your Web documents.

The system administrator creates groups for various purposes. For example, the persons maintaining a home page for an organization are all placed into a group for that organization (e.g., sga or upc). There are similar administrative groups, as well as a few system-defined groups used to control access to resources.

Password protecting your pages

The following method uses basic HTTP authentication. It is important to note that passwords sent via this method are considered to be "clear text", meaning that they could possibly be viewed by a third party, since this communication method is not inherently secure. While this method is fine for basic security, it is important that you do not use the same password that you use for more important applications, such as email, computer or network login, etc.

Follow these steps:

  1. Open a text editor, like NotePad, and enter the following lines:

    For single user access:

    AuthUserFile /path/username/public_html/private/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Aubie's Private Page"
    AuthType Basic
    <Limit GET>
    require user tiger

    For group access:

    AuthUserFile /path/username/public_html/private/.htpasswd
    AuthGroupFile /path/username/public_html/private/.htgroup
    AuthName ByPassword
    AuthType Basic
    <Limit GET>
    require group my-users

  2. Open a FTP program to your Mallard account and look at the location on the remote system side to find your directory path (i.e. /home/home9/username). Use this to replace path with and replace username with your username.
  3. Replace private with the directory that you want password protect.
  4. Replace Aubie's Private Page with what you would like to show up on the login box.
    For single user access: Replace tiger with the username you'd like to use.
    For group access: Replace my-users with the name you'd like for your group.
  5. Save the file as .htaccess and upload it to the private directory.
    For group access: Create a group file by typing the following in a text editor and saving it as .htgroup.

    my-users: tiger eagle aubie

    Replace my-users with the name of your group and tiger eagle aubie with the usernames you'd like to us.

  6. Open an SSH session or application (SecureCRT is recommended), log in to Mallard (mallard.auburn.edu) and change to the private directory to change the file permissions on the .htaccess file.

    chmod 644 .htaccess
  7. Set the password for your username by typing in the command below. You will be prompted to enter a password twice.

      htpasswd -c .htpasswd tiger

    Note: You may issue the htpasswd command again to change the password any time.

    For group access: Set the password for the additional usernames using the following commands without the -c:

      htpasswd .htpasswd eagle
      htpasswd .htpasswd aubie

  8. Change the file permissions on the .htpasswd file that was just created.

    chmod 644 .htpasswd

    The .htpasswd file is readable, but the password is encrypted.
  9. Open a web browser and go to your password protected directory. Enter your username and password.

    Note: There is no correspondence between usernames and passwords on specific UNIX systems (e.g. in an /etc/passwd file) and usernames and passwords in the authentication schemes we're discussing for use in the web. As illustrated in the examples, web-based authentication uses similar but wholly distinct password files; a user need never have an actual account on a given UNIX system in order to be validated for access to files being served from that system and protected with HTTP-based authentication.

Editing Websites on the Windows Web Server

Publishing via Web Deploy

These instructions are used to Publish an application via Web Deploy to the IIS servers OIT offers. Depending on the server you are trying to connect to when the instructions have "web.auburn.edu" you may need to substitute it with "auappsmigr.auburn.edu."

  1. Open Visual Studio and select Build > Publish Web Site

  2. When the publishing option window opens, select <New Profile...>.
  3. Enter the profile name: web.auburn.edu.

  4. Complete the connection properties as follows:

    Server: https://webpublishing.auburn.edu:8172/msdeploy.axd?site=web.auburn.edu&app=/{YOUR_APP_NAME}

    Site name: web.auburn.edu/{YOUR_APP_NAME}


    Password: {YOUR_PASSWORD}

    Destination URL: https://web.auburn.edu/{YOUR_APP_NAME}

  5. Press Validate Connection and wait for the green check to make sure your settings work.
  6. Press Publish.

Database How-To

Accessing a mySQL database

You can issue queries to the mySQL database either via an SSH session, via MySQL Control Center or directly from a PHP script.

NOTE: The campus firewall blocks off-campus traffic on port 3306. To connect to your AU mySQL database, you must be logging in from a machine on campus (such as mallard.auburn.edu) or running the AU VPN client.

Follow these steps:

  1. To access your database through SSH, open an SSH session or application (SecureCRT is recommended), connect to the OIT Sun Network (mallard.auburn.edu) and enter the following command:

    mysql -h acadmysql.duc.auburn.edu -u username -p

    Replace username with the one specified in your confirmation email. Supply your password when prompted and press Enter.

    When you get a mysql> prompt, type in the following:

    use name;

    Replace name with the database name in your confirmation email. You're now connected to your mySQL database via telnet.

  2. To access a mySQL database through a PHP script, insert the following code inside the PHP script:
  3. <?
    mysql_connect("$DBHost","$DBUser","$DBPass") or die("Unable to connect to server");
    mysql_select_db("$DBName") or die("Unable to select database");

    Assign $DBHost to the database host name (acadmysql.duc.auburn.edu), $DBUser to the username in the confirmation email, $DBPass to the password, and $DBName to the database name.

    You can now start issuing queries from the PHP script.
Understanding and preventing SQL injections

Understanding SQL Injections

SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input. Many web developers are unaware of how SQL queries can be tampered with, and assume that a SQL query is a trusted command. SQL queries are actually able to circumvent access controls, thereby bypassing standard authentication and authorization checks.

Since SQL statements are text only, it is easy to dynamically change SQL statements to provide the user with selected data:



txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

The example above creates a select statement by adding a variable (txtUserId) to a select string. The variable is fetched from the user input (Request) to the page.

Injected SQL commands can alter SQL statements and compromise the security of a web application. The above where condition could easily be qualified by a SQL injection. For instance, consider if "UserId" was equal to: "2 OR 1=1". That would make the SQL query:

txtSQL = "SELECT * FROM Users WHERE UserId = 2 OR 1 = 1";

Since the statement above is true, it should further be appended to include destructive and malicious code. Most databases support batched SQL statements, separated by semicolon. Consider if "UserId" was equal to: "2 OR 1=1; DROP TABLE *". That would make the SQL query:

txtSQL = "SELECT * FROM Users WHERE UserId = 2 OR 1 = 1; DROP TABLE *";

Now your databas has no tables. So how do we prevent an action like this?

Preventing SQL Injections Using Parameters

Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks. This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks), are used in common language, and should be allowed in many types of input.

The only proven way to protect a website from SQL injection attacks, is to use SQL parameters. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

ASP.NET Razor Example
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = @0";

Note that parameters are represented in the SQL statement by a @ marker.

The SQL engine checks each parameter to ensure that it is correct for its column and are treated literally, and not as part of the SQL to be executed.

Another Example
txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";

The following examples shows how to build parameterized queries in some common web languages.

txtUserId = getRequestString("UserId");
sql = "SELECT * FROM Customers WHERE CustomerId = @0";
command = new SqlCommand(sql);

txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
command = new SqlCommand(txtSQL);

$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City) VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);

Last Updated: March 11, 2016