
INTERNATIONAL SCIENTIFIC JOURNAL "SECURITY & FUTURE" WEB ISSN 2535-082X; PRINT ISSN 2535-0668

Web application with Python and security of the information system


Petar Halachev
University of Chemical Technology and Metallurgy - Sofia, Bulgaria

Abstract: The aim of the research is to develop a database management system for collecting, processing, storing and using information on the training of PhD students at a university, using the high-level language Python. In the course of development, the main characteristics of the most widely used database management systems were studied. The practical aspects of the design, creation and use of databases were analysed, and the requirements for the functional capabilities of the developed database were formulated. The web application was developed in the Python programming language. The database model, the user interface and a set of reports were developed. A physical data model, oriented towards the design and development of a database management system using Python, is proposed. The main risks and threats to the security of the information in the web application are characterised, and guidelines for infrastructure protection are proposed.
Keywords: WEB-APPLICATION, MODEL, DATABASES, PYTHON PROGRAMMING LANGUAGE, SECURITY

1. Introduction

Information technology is one of the most important factors influencing the development of society in the 21st century. The rapid development and penetration of information technology has led to the emergence of new technical, social and legal phenomena. The most significant is society's transition from traditional face-to-face interaction to the transmission of information by electronic means.

Information technology is used in various spheres of modern life. Each organization seeks to reduce the time, material and labor resources spent on its activities and to simplify information processing. Automated information processing systems and databases make this possible.

A number of researchers have developed the conceptual foundations and principles of database design, the technology for their implementation and the systems for their management.

A. West and S. Prettyman [1] consider building interactive websites based on the MySQL database. The emphasis is on installing and launching a website with real applications in the shortest possible time.

K. Lang [2] describes the MySQL relational database management system and gives practical guidelines for installing and starting MySQL on a Linux-based server. He shows how to use MySQL to create and manage databases both interactively and in batch mode, using SQL scripts. There are instructions for embedding MySQL in programs written in different programming languages, and the integration of MySQL with high-level programming languages for building dynamic web pages is considered.

J. Krogh [3] discusses the installation and setup of the MySQL connector for Python; connecting Python to MySQL; configuring access to the database; executing SQL and NoSQL queries from a program written in Python; and debugging and troubleshooting. He also considers storing data in different national languages using MySQL's Unicode character set support.

V. Siahaan and R. Sianipar [4] study Python-based software projects that use databases. Python is suitable for designing and developing database applications, as it has libraries with rich functionality for opening databases, editing and adding records and producing reports on various database management systems.

N. Chauhan, M. Singh, A. Verma, A. Parasher and G. Budhiraja [5] focus on the development of a database management system for colleges that other educational institutions could also use. The application was developed in Python. The stored information is accessible from anywhere in the educational institution. The system offers various features for students and staff members, including attendance and student ratings, which are visible to both students and staff but can only be updated by employees of a particular department. Students and staff have separate user profiles. The system includes a real-time library management subsystem, a college transport management subsystem and a dormitory accommodation management subsystem.

Goals and objectives of the study

The goal of the present study is the design, development and practical implementation of a database management system for collecting information about the training of doctoral students at a university, using the high-level language Python. To achieve this goal, the following tasks must be solved:
-To study and investigate the characteristics of different types of database management systems;
-To analyze the practical aspects of the design, creation and use of databases;
-To study the state register of documents for obtaining the scientific degree "Doctor" and the methodological recommendations for keeping and filling in the register;
-To analyze the subject area and formulate requirements for the functional capabilities of the developed database;
-To design a database of the trained and defended doctoral students at a specific university;
-To develop an application integrated with the database;
-To collect and enter the necessary information;
-To implement the database using the high-level programming language Python: development of the database model, user interface, set of reports, etc.
The approaches used are database systems management and the application of modern programming languages, in particular the high-level programming language Python.

2. Research methodology

The report applies research methods related to solving the specific tasks and achieving the goal:
-collection and statistical processing of information;
-study and analysis of normative documents and state standards regarding the information on trainees and defended doctoral students;
-conceptual modeling of databases and applications (MySQL Server) in order to build an information management system for an educational organization;
-application of modern programming technologies (Python) in the design and creation of database management systems.

The Dutch programmer Guido van Rossum created Python [6]. Python programmers jokingly called him the "Benevolent Dictator for Life", meaning that he followed all language changes and made the final decision on whether a feature would be implemented. Van Rossum had earlier participated in the development of the educational programming language ABC. He received the Free Software Award in 2001 and later worked at Google and then at Dropbox, a provider of cloud services.

103 YEAR IV, ISSUE 3, P.P. 103-106 (2020)

According to K. Srinath [7], Python is a powerful, object-oriented programming language. He sets out the reasons why Python is regarded as the fastest growing programming language of recent years, backed by a survey of articles published in various magazines and popular websites. He presents the characteristics and the most important features of the Python



language, the types of database management systems supported by Python, its users and applications.

Python is object-oriented (it works with fields and methods) and cross-platform: programs use the same set of features under Windows, macOS, Linux, other Unix-like systems and other popular operating systems. A program can inspect its own structure and change it while the code is running, and instructions can be executed directly in the interactive interpreter. It has functions for symbolic data processing. Aspect-oriented programming is also possible: the program is divided into aspect modules, a horizontal paradigm in which behaviour (a function) is added to several classes that do not share the same vertical object-oriented inheritance.

Python has a minimalistic syntax, but it is not a lower-level language for that, and it sometimes outperforms larger programming environments. Minimalism increases the speed of writing programs as well as the speed of reading code. The standard library includes an ever-growing set of modules, and the user can easily add missing or new functions.

The reason for the popularity of the language is its clear and simply structured code. Indentation with spaces replaces bulky constructions for denoting new classes, methods or blocks. Under these circumstances it is much easier to track the progress of program development, to eliminate errors and to add functionality. Structured Python code is much easier to understand, both for a beginner in programming and for a specialist in the early stages of using the language.

Python is multi-paradigm: programs are written in one language but in different styles. As with all programming languages, programs follow special rules, the syntax.

The Zen of Python is a set of 19 aphorisms for Python programming: "Simple is better than complex. Complex is better than complicated. If the implementation is hard to explain, it's a bad idea. If the implementation is easy to explain, it may be a good idea", and so on. Programs written in Python should be simple to run and easy to build, but if the situation requires it, the programmer remains free to choose how the code is structured.

PEP 8 is a set of general rules for writing Python code. It consists of code layout recommendations, general tips and frequently asked questions with examples. Although it can help a novice programmer with the basic tasks, in most cases teams of professional programmers supplement PEP 8 with their own conventions, increasing the productivity of the team as a whole. PEP 8 gives, among others, the following rules for writing code:
-Use four spaces per indentation level; do not use tabs and do not mix spaces with tabs.
-The maximum line length is 79 characters. Long lines are continued inside parentheses, brackets or braces or, where that is not possible, with a backslash ('\') at the end of the line.
-Two blank lines separate top-level function and class definitions.
-Every import is on a separate line.
-Avoid extra spaces inside parentheses and before commas and colons.
-Keep the code comments up to date.
-Comments should be in English.
-Avoid one-letter identifiers.
-Variables should have detailed and descriptive names.
-Do not compare Boolean variables with True or False; evaluate them directly.
Following the basic rules of writing Python allows one to create code that is equally easy to read and to analyse. This is one of the main advantages of Python over other programming languages.

The main directions of modern information technology are based on the concept that large amounts of information must be organised in databases in order to reflect changes in the real world effectively and to meet the information needs of the user. Databases are developed and operated under the control of special software systems called database management systems.

The different components, features and aspects of database operation account for their variety. These features include the nature of the information stored, the method of data storage, the structure and organisation of the data, the method of accessing the data and the range of users.

The management of a database (its creation, maintenance and the configuration of user access) is performed, often remotely, with special software tools: the database management systems. Their range is very wide; databases are used wherever relevant and reliable information must be stored and accessed quickly, including in information systems. Issues related to maintaining reliable and complete information and, in parallel, registering new documents in a timely manner are always relevant.

One of the key areas in the automation of an educational institution using information technology is the development of relational databases that solve the problem of storing and systematising information according to the specific requirements of the institution.

The problems of creating and designing databases and the systems for their management are among the important issues in the development of information technology. Database management systems have evolved from single-user systems operating on a single personal computer, through multi-user systems based on the file server architecture, to client-server architectures and management systems for distributed databases operating within global networks.

MySQL is widely used due to its advantages: it is easy to work with; it interfaces with a wide range of programming languages; it has high performance; the software is open source; it supports stored procedures and triggers. Along with these advantages, MySQL has some disadvantages: it is difficult to scale; it does not work well with very large amounts of data; and it does not fully comply with the SQL standard [8].

3. Database development

The developed database for doctoral students at a university aims to automate the processes of collecting, processing, using and storing the necessary information about trainee and defending doctoral students and the issued documents. The design of the system allows the productivity of an educational institution to be increased by automating the processing and storage of information.

Before the stage of designing and developing the database for doctoral students at the university, the main theoretical aspects of databases were studied, namely their characteristics, design, classification and management systems.

A user interface for the application was developed, and the data is then accessed with a convenient client application.

The developed database for doctoral students helps to solve problems related to increasing the productivity of an educational institution by minimising the time for information processing. The information system serves to systematise the information about doctoral students at the university by automating this process. It also covers extracting information on the status of a doctoral student, quickly filling in forms in response to an employer's request to verify the authenticity of a diploma, automatic generation of reports on the doctoral students and elimination of errors when entering data.

A Python application connects to a MySQL database through the MySQLdb library. In the general case it must be installed additionally.

To execute an SQL query (SELECT, UPDATE, INSERT) for working with data, the following construction is used. First, the connect function is called, and information about the MySQL server is given as parameters: host, username, password and database name. Then a cursor is created to execute the SQL queries. After executing a query, the result is processed with a for loop, which here prints the first column of each row on the screen. To close the connection, the close function is called (Table 1):


Table 1. Executing an arbitrary SQL query to the database

#!/usr/bin/python3
import MySQLdb  # provided by the mysqlclient package; install it separately

# Connection to the MySQL server
db = MySQLdb.connect(host="localhost",      # usually localhost
                     user="user",           # username
                     passwd="*****",        # password; load it from configuration, not source code
                     db="PHD_STUDENTS")     # name of the database
try:
    # Creation of a cursor object; it allows the execution of SQL queries
    cur = db.cursor()

    # Execution of a SQL query (a fixed string: no user input is interpolated into it)
    cur.execute("SELECT * FROM DOCTORANTS")

    # Printing the first column of each row of the result
    for row in cur.fetchall():
        print(row[0])
    cur.close()
finally:
    # Closing the connection, also when a query fails
    db.close()

During the development of the database the relational model was selected. The model is shown in Fig. 1.

Fig. 1. Relational database model

4. Security of the application

The HTTPS protocol relies on TLS (Transport Layer Security) to provide a secure channel for communication between two endpoints [9]. The communication over HTTPS is protected with symmetric encryption under a temporary session key; asymmetric cryptography is used to establish that key. To enable a TLS-protected (SSL) connection, a certificate was installed on the server.

Some of the main threats to the information security of users in a web environment concern user authentication, data encryption, the physical security of the equipment and harmful traffic:
-User authentication - When using web services, the most common way to authenticate users is password protection. The use of tools such as certificates (HTTPS) and electronic signatures gives users greater assurance.
-Separation of user data - A problem with web technologies is the separation of the data and applications of different users. The strongest option is for each user to work in an individual virtual machine (VM) and a virtual private network (VPN).
-Data encryption - Both the connection channels and the data stored on the web server must be encrypted. There is usually no problem when exchanging data over the network, as HTTPS protects the data in transit. When protecting the data stored on the web server, however, using one encryption key for all accounts is a problem: an attacker who obtains the key gains access to all the data.
-Physical security - Measures that reduce the possibility of information about customers leaking to outsiders or bribed associates include biometric identification, smart cards, video surveillance, regular checking of access logs and others.
-Harmful traffic - Deploying applications to the web server complicates the task of securing the traffic between the applications and the virtual machine. If attackers find a vulnerability in one virtual machine, they may be able to reach the others on the same host or network.
-Bring Your Own Device (BYOD) - The BYOD trend [10] is growing: employees bring personal smartphones, tablets, laptops, etc. to work, which increases the risks to the security of the organisation's information.

The following list, based on [11], summarises the main vulnerabilities of web applications that attackers often exploit, and the corresponding protections:
-Cross-site scripting (XSS) protection - XSS attacks allow a user to inject client-side scripts into the browsers of other users. The defence is to escape all user-controlled data when it is written into HTML.
-Cross-site request forgery (CSRF) protection - CSRF attacks allow a malicious user to execute actions using the credentials of another user without that user's knowledge or consent. Protection relies on a secret token that is included in every state-changing request and verified on the server.
-SQL injection protection - SQL injection is a type of attack where a malicious user is able to execute arbitrary SQL code on the database. This can result in deleted records or data leakage. Queries must be built with bound parameters rather than by concatenating user input into the SQL string.
-Clickjacking protection - Clickjacking is a type of attack where a malicious site wraps another site in a frame. It can trick an unsuspecting user into performing unintended actions on the target site. The server prevents framing with the X-Frame-Options header or the frame-ancestors directive of Content-Security-Policy.
-SSL/HTTPS - It is always better for security to deploy a site behind HTTPS. Without it, malicious network users can sniff authentication credentials or any other information transferred between client and server, and active network attackers can alter the data sent in either direction. Session cookies should additionally be marked Secure so that they are never sent over plain HTTP.
-Host header validation - The application uses the Host header provided by the client to construct URLs in certain cases. Although these values are sanitised to prevent cross-site scripting, a fake Host value can still be used for cross-site request forgery, cache poisoning attacks and poisoning links in e-mails, so the Host header must be validated against an explicit list of allowed host names.
-Referrer policy - Browsers use the Referer header to tell a site how users got there; a referrer policy limits what the application leaks to other sites through this header.
-User-uploaded content - If the site accepts file uploads, it is strongly advised to limit their size in the web server configuration in order to prevent denial of service (DoS) attacks.
-Additional security topics - While a web framework such as Django provides good security protection out of the box, it is still important to deploy the application properly and to take advantage of the security protection of the web server, operating system and other components [11].

Conclusion

One of the effective ways to improve the quality of training is its automation with the help of modern computer technology, namely the application of databases and software applications. In this way it is possible to speed up information processing significantly, to extract appropriate and reliable information about the PhD students in a timely manner and to compile reports according to set criteria.


The software application allows entering, editing, viewing, storing and deleting information about university doctoral students. The developed database facilitates the preparation of various types of reports and speeds up the process of obtaining the requested information and making management decisions. The implementation of the software application is aimed at improving the work of university staff and doctoral supervisors, optimising the work with data and ensuring its reliable storage.
The practical orientation of the application is that it can be applied in other educational institutions with a similar profile.
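Table 1 above passes a fixed SQL string to cur.execute, and section 4 lists SQL injection among the vulnerabilities that appear as soon as user input reaches such a string. The following added example (not code from the paper) shows a lookup in the DOCTORANTS table in its vulnerable and in its hardened form side by side, and adds the case the bullet does not cover: a caller-chosen column name, which no driver can bind as a parameter and therefore needs an allow-list. It uses Python's built-in sqlite3 module as an offline stand-in for MySQL, because the DB-API calls (connect, cursor, execute, fetchall) are the same as for MySQLdb; the column names of DOCTORANTS and the sample rows are constructed assumptions, and MySQLdb's placeholder is %s rather than the ? used here.

```python
import sqlite3

# Constructed sample rows for a DOCTORANTS table (the paper shows the table name only;
# the columns below are an assumption made for this example).
SAMPLE_ROWS = [
    (1, "Ivanova", "defended"),
    (2, "Petrov", "trained"),
    (3, "Georgieva", "trained"),
]

# Column names a caller is allowed to filter on. Identifiers cannot be bound as
# parameters, so they are checked against this allow-list instead.
FILTERABLE_COLUMNS = {"name", "status"}


def make_db():
    """Build an in-memory SQLite stand-in for the paper's MySQL database.

    The DB-API shape (connect/cursor/execute/fetchall) is the same as MySQLdb;
    only the placeholder differs ('?' here, '%s' in MySQLdb).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE DOCTORANTS (id INTEGER PRIMARY KEY, name TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO DOCTORANTS VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_name_vulnerable(conn, name):
    """Vulnerable: the value is pasted into the SQL text, so quotes and keywords
    supplied by the user become part of the statement."""
    sql = "SELECT id, name, status FROM DOCTORANTS WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT id, name, status FROM DOCTORANTS WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_by_column_safe(conn, column, value):
    """Hardened filter on a caller-chosen column.

    The column name is an identifier, which cannot be bound, so it is accepted
    only if it is in the allow-list; the value is still bound as a parameter.
    """
    if column not in FILTERABLE_COLUMNS:
        raise ValueError("column not allowed: %r" % column)
    sql = "SELECT id, name, status FROM DOCTORANTS WHERE %s = ?" % column
    return conn.execute(sql, (value,)).fetchall()


def demo():
    """Run both query styles against a classic tautology payload; return row counts."""
    conn = make_db()
    payload = "x' OR '1'='1"  # closes the quoted literal and appends an always-true clause
    try:
        return {
            "vulnerable_normal": len(find_by_name_vulnerable(conn, "Ivanova")),
            "vulnerable_payload": len(find_by_name_vulnerable(conn, payload)),
            "safe_normal": len(find_by_name_safe(conn, "Ivanova")),
            "safe_payload": len(find_by_name_safe(conn, payload)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for key, count in demo().items():
        print("%-20s %d row(s)" % (key, count))
```

With the payload, the vulnerable query becomes WHERE name = 'x' OR '1'='1' and returns every row of the table, while the parameterised query compares the whole payload as an ordinary string and returns nothing. The same separation of code and data applies to the MySQLdb code of Table 1: pass values as the second argument of cur.execute instead of formatting them into the query text.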

5. References
1. A. W. West, S. Prettyman, Practical PHP 7, MySQL 8, and MariaDB Website Databases: A Simplified Approach to Developing Database-Driven Websites, Apress, Berkeley, CA, September 2018.
2. K. C. Lang, MySQL Database System, 28 August 2018, ISBN 978-3-319-92429-8.
3. J. W. Krogh, MySQL Connector/Python Revealed, ISBN 978-1-4842-3693-2.
4. V. Siahaan, R. H. Sianipar, Learn SQLite with Python: Building Database-Driven Desktop Projects, Sparta Publishing, 29 September 2019.
5. N. Chauhan, M. Singh, A. Verma, A. Parasher, G. Budhiraja, Implementation of database using python flask framework, 20 December 2019.
6. https://www.python.org/ - Python
7. K. R. Srinath, Python – The Fastest Growing Programming Language, International Research Journal of Engineering and Technology (IRJET), December 2017.
8. https://www.mysql.com/ - MySQL
9. R. Oppliger, Security Technologies for the World Wide Web, Artech House, 2003, ISBN 1-58053-348-5.
10. http://newhorizons.bg/blog/2014/01/information-security-threats-2014
11. https://docs.djangoproject.com/en/3.1/topics/security/
