comp3121 e-commerce technologies
Post on 17-Jan-2016
COMP3121 E-Commerce Technologies
Richard Henson
University of Worcester
November 2011
Week 7: More on Server-side Shopping Carts
Objectives
Plan and design a relational database for use in storing product, customer, order data
Use pre-written assemblies as web controls for use within the VWD environment
Integrate pre-written assemblies with web controls to produce a server-side shopping cart system
Possible Data Model with entities/attributes added
Possible basic data (entity) model for a Shopping System
[Diagram: entities customer, order, order line, product]
No entity relationships shown! Where does Shopping Cart fit?
Creating the Physical Database from a Logical Design
Database that can work with SQL required…
Popular options for small(ish) databases:
Microsoft Access
» only Access 2000 onwards properly SQL compliant
MySQL
» originally shareware for Unix
» now available for W2K
Popular options for larger databases:
SQL Server
ORACLE
Testing the Logical Design with Physical Data…
It works on paper… But a practical working model is needed:
create database tables
link them together, according to the Entity model you created
populate the tables with trial data of an appropriate format
make sure all is consistent
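The four steps above, carried out as a working model. This is an added example and not code from the lecture or the VWD environment: it builds the slides' entity model (customer, order, order line, product) in SQLite, loads trial data, and runs the consistency checks the last step asks for. Table and column names are assumptions chosen to match the entity names; the order table is called customer_order because ORDER is an SQL reserved word, and prices are held in pence as integers so totals are exact.

```python
"""Physical implementation of the slides' entity model as an SQLite database,
with constructed trial data and consistency checks (added example)."""
import sqlite3

SCHEMA = """
CREATE TABLE product (
    product_id       INTEGER PRIMARY KEY,
    name             TEXT    NOT NULL,
    unit_price_pence INTEGER NOT NULL CHECK (unit_price_pence >= 0)
);
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    email       TEXT NOT NULL UNIQUE,
    postcode    TEXT NOT NULL
);
CREATE TABLE customer_order (            -- 'order' itself is a reserved word
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    placed_on   TEXT    NOT NULL
);
CREATE TABLE order_line (
    order_line_id    INTEGER PRIMARY KEY,
    order_id         INTEGER NOT NULL REFERENCES customer_order(order_id),
    product_id       INTEGER NOT NULL REFERENCES product(product_id),
    quantity         INTEGER NOT NULL CHECK (quantity > 0),
    unit_price_pence INTEGER NOT NULL,   -- price snapshot at the time of ordering
    UNIQUE (order_id, product_id)
);
"""

# Constructed trial data of the right format for each table.
TRIAL_PRODUCTS = [(1, "Widget", 999), (2, "Gadget", 2450)]
TRIAL_CUSTOMERS = [(1, "A. Customer", "a.customer@example.com", "WR1 1AA")]
TRIAL_ORDERS = [(1, 1, "2011-11-07")]
TRIAL_LINES = [(1, 1, 1, 2, 999), (2, 1, 2, 1, 2450)]


def build_database() -> sqlite3.Connection:
    """Create the tables, link them with foreign keys and load the trial data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite does not enforce FKs unless told to
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", TRIAL_PRODUCTS)
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", TRIAL_CUSTOMERS)
    conn.executemany("INSERT INTO customer_order VALUES (?, ?, ?)", TRIAL_ORDERS)
    conn.executemany("INSERT INTO order_line VALUES (?, ?, ?, ?, ?)", TRIAL_LINES)
    conn.commit()
    return conn


def order_total_pence(conn: sqlite3.Connection, order_id: int) -> int:
    """Order total computed in SQL from the stored line quantities and prices."""
    row = conn.execute(
        "SELECT COALESCE(SUM(quantity * unit_price_pence), 0) "
        "FROM order_line WHERE order_id = ?", (order_id,)).fetchone()
    return int(row[0])


def consistency_report(conn: sqlite3.Connection) -> dict:
    """'Make sure all is consistent': dangling references, empty orders, stale prices."""
    dangling = conn.execute("PRAGMA foreign_key_check").fetchall()
    empty_orders = conn.execute(
        "SELECT COUNT(*) FROM customer_order o "
        "WHERE NOT EXISTS (SELECT 1 FROM order_line l WHERE l.order_id = o.order_id)"
    ).fetchone()[0]
    stale_prices = conn.execute(
        "SELECT COUNT(*) FROM order_line l JOIN product p ON p.product_id = l.product_id "
        "WHERE l.unit_price_pence <> p.unit_price_pence").fetchone()[0]
    return {"dangling_foreign_keys": len(dangling),
            "orders_without_lines": empty_orders,
            "lines_with_stale_price": stale_prices}


def rejects_dangling_line(conn: sqlite3.Connection) -> bool:
    """The links between tables must stop an order line for a product that does not exist."""
    try:
        conn.execute(
            "INSERT INTO order_line (order_id, product_id, quantity, unit_price_pence) "
            "VALUES (?, ?, ?, ?)", (1, 999, 1, 100))
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    return False


if __name__ == "__main__":
    db = build_database()
    print("order 1 total (pence):", order_total_pence(db, 1))
    print(consistency_report(db))
    print("dangling line rejected:", rejects_dangling_line(db))
```

Running the script on the trial data reports a total of 4448 pence for order 1, a clean consistency report, and a rejected insert for the non-existent product; the same checks can be re-run after every change to the design.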
Typical RAD tool "errors"…
MUCH can go wrong…!!!
Before embarking on shopping cart development…
need to make sure all local/remote web server settings are correct
screen fields and db fields must use the same format
» mustn't use "reserved words" or punctuation, inc spaces
users must have sufficient access rights to write to the database
» this especially includes the "IIS process" user
major adjustments may be needed in response to a minor change in design…
» TRUE OF MOST SOFTWARE DEVELOPMENT PROJECTS…
» all the more reason to get the design right…
Role of Server Scripting in creating Product Pages
After the database has been thoughtfully designed… it needs to be physically implemented
Server behaviours with appropriate embedded SQL are then required for:
picking the right data out of the remote database
writing data to the appropriate locations in HTML pages on the local client browser
Local storage of "remote" data
Asp.net supports local storage of data through the use of datasets
simply a local copy of various data fields held on one or more data tables on the remote database
each field becomes a variable in local memory
The dataset fields map directly onto the fields in the remote database
new data can therefore always be stored locally until the appropriate server command is made that writes it to the remote database
The Dataset Display (one record)
As you have seen, VWD facilitates the set up of datasets & datagrids
Can then be used to display dataset data on a HTML page, as the shopping cart
a form/further control can be used to create a HTML table for displaying a single record
a navigation bar object can then be added and used to navigate to other records
Use of The Repeater with Datasets
To display Multiple Records from a defined dataset, a procedure is used similar to that for a Repeater DataSource control, when used with an external database:
create the table
create "Repeater"
wrap <itemtemplate> round the <table>
adjust <repeater…> </repeater> so it wraps around itemtemplate
Making the Product Pages Attractive and Usable
All the principles of web page design learned in COMP1141, 2121, 2040, etc. should still apply:
use master pages, and CSS to give all the pages a common background layout and the same "look and feel"
use client-side scripting, written in various languages, to enhance user interface
make sure the pages load quickly by using software such as Photo Editor or PhotoShop to keep graphics small, lower resolution, or both
Encouraging Customer Interaction
It is the customer interactivity that represents "buying" through the website
Again, server scripts must be written/engineered/used to extract the data from various types of HTML forms and store it:
temporarily in the local datasets
permanently in the remote database
How to capture "buying" data
Data collection needs to be triggered from the shopping pages…
a hyperlink passes the product record ID to a newly created session cookie
An associate page extracts other data from the remote database to the session cookie e.g. price from the product table
This session cookie is of course the dataset for the shopping cart data… but it needs to be carefully defined…
More about the Cart Dataset
Each new cookie needs an ID
a cookie represents an order…
» orderID therefore represents cookieID
a cookie record is created for each new product ordered
» this represents an orderline…
» each orderline needs an ID
» orderlineID therefore equivalent to cookie record ID
Essential for a business to keep records of transactions i.e. orders…
final cookie contents therefore saved to a remote database
Using the Cart Dataset
The AddfromDb control extracts data from fields from products table, held on a remote database
stored as a cart record
stored securely in local memory
Data generated by the cart can also relate to essential data for orders and order-items table, managed by a different control, WritetoDB
More about "The Cart"
Needs to be designed to carry a number of parameters and settings
the WebXelCart assembly pre-defines the variables to store these settings
values need to be added to the cart control via the control "properties" or source code
Data easily extracted from the cart using <%# Eval… %> to create the screen display
Displaying the Shopping Cart
A web page needs to be designed to display cart data from the dataset in an appropriate place
A table design tool saves time…
rows and columns as appropriate…
<%# Eval etc. as appropriate in the cells
Display of Shopping Calculations
Expectation that a shopping cart will display…
a line for each product – including line total
an order total
For the display of line totals and order totals…
calculations need to be included
cart fields needed for results of these calculations
Creation of the cart display is then simply a matter of:
extracting data from the local dataset
displaying it on the pre-formatted page
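The cart dataset described on the preceding slides (one cookie per order, one cookie record per order line, price pulled from the product table, final contents written to the remote database) together with the line and order total calculations above, as an added example that is not the WebXelCart assembly or any VWD-generated code. It models the design in plain Python: the browser's cookie carries only an opaque session id, the cart itself lives in server memory, and checkout writes it out. Cart, CartStore, the add_from_db/checkout method names and PRODUCT_CATALOGUE are assumptions; the catalogue is a constructed stand-in for the products table copied into a local dataset.

```python
"""Server-side shopping cart keyed by an opaque session cookie (added example)."""
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the products table: product_id -> (name, unit price in pence).
PRODUCT_CATALOGUE = {101: ("Widget", 999), 102: ("Gadget", 2450)}


@dataclass
class CartLine:
    """One cookie record = one order line. Holds no customer data."""
    order_line_id: int
    product_id: int
    quantity: int
    unit_price_pence: int

    def line_total_pence(self) -> int:
        return self.quantity * self.unit_price_pence


@dataclass
class Cart:
    """One cookie = one order; the order id is the session id."""
    order_id: str
    lines: list = field(default_factory=list)

    def add_from_db(self, product_id: int, quantity: int = 1) -> CartLine:
        """AddfromDb-style step: the page passes only the product id; name and
        price come from the server's copy of the product table, never from the client."""
        if product_id not in PRODUCT_CATALOGUE:
            raise KeyError(f"unknown product {product_id}")
        if quantity <= 0:
            raise ValueError("quantity must be positive")
        for line in self.lines:
            if line.product_id == product_id:
                line.quantity += quantity
                return line
        line = CartLine(len(self.lines) + 1, product_id, quantity,
                        PRODUCT_CATALOGUE[product_id][1])
        self.lines.append(line)
        return line

    def order_total_pence(self) -> int:
        return sum(line.line_total_pence() for line in self.lines)

    def display_rows(self) -> list:
        """Cell values for the cart table (what <%# Eval %> would read)."""
        return [{"product": PRODUCT_CATALOGUE[l.product_id][0],
                 "quantity": l.quantity,
                 "unit_price": f"{l.unit_price_pence / 100:.2f}",
                 "line_total": f"{l.line_total_pence() / 100:.2f}"} for l in self.lines]


class CartStore:
    """Server-side session store keyed by the cookie value."""

    def __init__(self):
        self._carts: dict = {}

    def new_session(self) -> str:
        session_id = secrets.token_urlsafe(32)      # unguessable cookie value
        self._carts[session_id] = Cart(order_id=session_id)
        return session_id

    def get(self, session_id: str) -> Cart:
        return self._carts[session_id]               # KeyError for unknown or forged ids

    def logout(self, session_id: str) -> None:
        self._carts.pop(session_id, None)            # dataset deleted when the customer logs out

    def checkout(self, session_id: str, remote_db: list) -> dict:
        """WritetoDB-style step: final cart contents become an order plus order
        lines in the (here, list-backed) remote database; the cart is then dropped."""
        cart = self.get(session_id)
        if not cart.lines:
            raise ValueError("empty cart")
        record = {
            "order": {"order_id": cart.order_id, "total_pence": cart.order_total_pence()},
            "order_lines": [{"order_line_id": l.order_line_id, "product_id": l.product_id,
                             "quantity": l.quantity, "unit_price_pence": l.unit_price_pence}
                            for l in cart.lines],
        }
        remote_db.append(record)
        self.logout(session_id)
        return record


if __name__ == "__main__":
    store, remote = CartStore(), []
    sid = store.new_session()
    store.get(sid).add_from_db(101, 2)
    store.get(sid).add_from_db(102)
    for row in store.get(sid).display_rows():
        print(row)
    print(store.checkout(sid, remote))
```

Because the unit price is copied from the server-side catalogue when the line is created, a customer cannot lower a line total by editing a cookie or form field; the only client-supplied values are the product id and quantity, both validated.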
Secure Storage/Retrieval of Shopping Cart Data
Sensitive and Private Data should be secure
remote storage obviously better!
Cart data is best held locally for quick response – dilemma?
Compromise
use local datasets with best options for local security
only store non-sensitive data in cart fields
no customer data in the cart…
dataset deleted as soon as the customer logs out…
When to collect customer data
Long standing debate amongst shopping cart designers…
Can either:
make customers "register" when they enter the site
Or… only make customers register when they are ready to buy
The former might be better from a marketing perspective (collecting "intelligence" on potential customers…)
but will put some customers off even browsing the site
Customer registration only when buying is preferable (IMHO…)
Issues with Customer Data
Not stored with the cart but customer details capture is a crucial part of the shopping SYSTEM
Private Data!!!
MUST (1998 Data Protection Act) be kept up to date, stored and moved securely
better not to store locally
write directly to/from the remote, secure, database
always sent/received using secure http
Essential Customer Fields for Purchase
Name & address fields
include postcode
Email address
fulfilment information & messages
Telephone no
in case email fails
Shipping address fields
customer may not want goods delivered to the same address…
Handling Customer Data
Added by the customer to a HTML form
extracted by put or get
sent securely using http-s
Processed remotely on a secure server & stored on a secure remote database
sensitive data (e.g. customer's credit card details) should be sent securely to a specialist provider with an SSL certificate
» can only send such data via https over a secure connection to a secure server
Under no circumstances should personal or sensitive customer data be dealt with using standard HTTP!
On-line Payment Systems
Requires an effective & highly secure method of:
1. authentication of the user
2. authorisation of the amount required for payment (has to follow authentication)
BOTH effectively achieved through an on-line link to the International banking system
Usually a fee required to make this link
makes sense to do authentication & authorisation at the same time
some shopping cart payment systems authenticate NOW, and authorise LATER
Authentication (Is the user really who they say they are?)
Will require confirmation of:
name
type of account
account number
other information (e.g. start date, expiry date, issue number), depending on the type of account
Authorisation (even if they are that person, can they pay?)
Just because the user has that account with those details, doesn't mean they have the funds available to pay for the goods…
The account needs to be checked against the invoice amount to make sure that the account has sufficient funds…
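The checkout flow the last few slides describe, as an added example that is not code from the lecture: customer data is accepted only over HTTPS, the card fields are forwarded to a specialist provider and never stored by the shop, and the provider authenticates the cardholder (name, account type, account number, expiry date) before authorising the invoice amount against the available funds. PaymentProvider, its two-step authenticate/authorise API, the form field names and the single sample account are constructed stand-ins for a real provider and bank link.

```python
"""Checkout handling: HTTPS only, card data forwarded not stored,
authentication before authorisation (added example)."""
import secrets


class InsecureTransport(Exception):
    """Raised when personal or card data arrives over standard HTTP."""


class PaymentDeclined(Exception):
    """Raised when authentication or authorisation fails."""


CUSTOMER_FIELDS = ("name", "address", "postcode", "email", "telephone", "shipping_address")
CARD_FIELDS = ("card_name", "account_type", "account_number", "expiry_date")

# Constructed provider-side records: account number -> (holder, type, expiry, balance in pence).
_ACCOUNTS = {"0000111122223333": ("A Customer", "debit", "12/13", 5000)}

# Constructed sample form submission.
SAMPLE_REQUEST = {
    "scheme": "https",
    "form": {
        "name": "A Customer", "address": "1 High St", "postcode": "WR1 1AA",
        "email": "a.customer@example.com", "telephone": "01905 000000",
        "shipping_address": "1 High St",
        "card_name": "A Customer", "account_type": "debit",
        "account_number": "0000111122223333", "expiry_date": "12/13",
    },
}


class PaymentProvider:
    """Stand-in for the specialist provider holding the on-line link to the banking system."""

    def __init__(self):
        self._authenticated: dict = {}   # token -> account number

    def authenticate(self, card: dict) -> str:
        """Is the user really who they say they are? Returns a one-off token on success."""
        rec = _ACCOUNTS.get(card.get("account_number"))
        claimed = (card.get("card_name"), card.get("account_type"), card.get("expiry_date"))
        if rec is None or rec[:3] != claimed:
            raise PaymentDeclined("authentication failed")
        token = secrets.token_hex(16)
        self._authenticated[token] = card["account_number"]
        return token

    def authorise(self, token: str, amount_pence: int) -> str:
        """Even if they are that person, can they pay? Must follow authentication."""
        account = self._authenticated.pop(token, None)   # token is single-use
        if account is None:
            raise PaymentDeclined("authorise called without a valid authentication")
        if _ACCOUNTS[account][3] < amount_pence:
            raise PaymentDeclined("insufficient funds")
        return "AUTH-" + secrets.token_hex(4)


def process_checkout(request: dict, invoice_pence: int,
                     provider: PaymentProvider, customer_db: list) -> dict:
    """Split the form into customer data (stored remotely) and card data (forwarded only)."""
    if request.get("scheme") != "https":
        raise InsecureTransport("customer data must not be handled over standard HTTP")
    form = request["form"]
    customer = {k: form[k] for k in CUSTOMER_FIELDS if k in form}
    card = {k: form[k] for k in CARD_FIELDS if k in form}
    token = provider.authenticate(card)                  # step 1: authentication
    auth_ref = provider.authorise(token, invoice_pence)  # step 2: authorisation, only after step 1
    # The shop keeps the customer details and the provider's reference; no card field is stored.
    record = dict(customer, invoice_pence=invoice_pence, authorisation_ref=auth_ref)
    customer_db.append(record)
    return record


if __name__ == "__main__":
    provider, customer_db = PaymentProvider(), []
    print(process_checkout(SAMPLE_REQUEST, 4448, provider, customer_db))
```

Holding the authentication token and calling authorise later is the "authenticate NOW, authorise LATER" pattern the slide mentions; the provider still refuses to authorise anything it has not first authenticated.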
B2B Payment Systems
Usually make use of EFT (Electronic Funds Transfer)
Both buyer and seller need to contact relevant bank computer:
for authentication purposes
to transfer funds
On-line banking system needs to be very secure:
512 bit encryption
private networks with secure gateway from the Internet
B2C Payment Systems
Payment takes place through the vendor's web site
most popular method - credit or debit card
Relevant bank computer needs to be contacted
uses The Internet to find gateway to bank network
security between bank, server, and browser a major issue - use VPN & secure protocols such as SSL & http-s
Once within the International Banking Network, similar authentication and funds transfer systems as for B2B
Security Issues with B2C Payment Systems
Data could technically be intercepted either:
at the user's browser
at the vendor's server
at the gateway to the International Banking Network
en-route between any of the above
Correct use of VPNs (Virtual Private Networks), with encryption and secure protocols throughout makes it extremely unlikely that data will be intercepted en route
Protection of "Data at Rest"
No sensitive or personal data on the client
What about the server? The Internet allows any node to be a potential target…
some early systems stored credit card details on the vendor's server
» without encryption!
» asking for trouble!
Some concern also about the "secure servers" of merchant service providers
» must hold e.g. credit card numbers
» may be protected by VPN but data still stored in an encrypted format
Securing those Merchant Servers
Server security a matter of:
configuration and management of the server software
setting appropriate user privileges and file security
auditing of all access to confidential data
appropriate monitoring of attempted entry to the system by "invalid" users
Probably a lot safer to have credit details held here than written down by a stranger at the other end of the telephone line…
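Two of the points above, "auditing of all access to confidential data" and "monitoring of attempted entry to the system by invalid users", as an added example of the kind of check a merchant server's logs can be run through. This is not code from the lecture; the log line format, the table names, the approved service account and the failure thresholds are all assumptions, and the log lines themselves are constructed.

```python
"""Audit and monitoring over a constructed merchant-server log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL|DATA_READ) (?P<rest>.*)$")

CONFIDENTIAL_TABLES = {"customer", "customer_order"}
APPROVED_READERS = {"webshop"}        # only the shop's service account should read those tables
FAIL_THRESHOLD = 3                     # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=5)     # ... inside this window flags the source

# Constructed sample log lines (assumed "key=value" format after the event name).
SAMPLE_LOG = """
2011-11-07 09:14:02 LOGIN_FAIL user=admin src=203.0.113.5
2011-11-07 09:14:09 LOGIN_FAIL user=admin src=203.0.113.5
2011-11-07 09:14:15 LOGIN_FAIL user=administrator src=203.0.113.5
2011-11-07 09:14:21 LOGIN_FAIL user=root src=203.0.113.5
2011-11-07 09:20:00 LOGIN_FAIL user=webshop src=198.51.100.9
2011-11-07 09:20:30 LOGIN_OK user=webshop src=198.51.100.9
2011-11-07 09:21:00 DATA_READ user=webshop table=product src=10.0.0.4 rows=120
2011-11-07 09:21:05 DATA_READ user=webshop table=customer src=10.0.0.4 rows=1
2011-11-07 11:02:44 LOGIN_OK user=tempuser src=10.0.0.17
2011-11-07 11:03:10 DATA_READ user=tempuser table=customer_order src=10.0.0.17 rows=4200
this line is not in the expected format
""".strip().splitlines()


def parse_line(line: str):
    """Return an event dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"], **fields}


def brute_force_sources(events: list) -> dict:
    """Sources with FAIL_THRESHOLD or more failed logins inside FAIL_WINDOW -> total failures."""
    times_by_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            times_by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                flagged[src] = len(times)
                break
    return flagged


def unapproved_confidential_reads(events: list) -> list:
    """Audit: reads of confidential tables by anything other than the approved account."""
    return [e for e in events
            if e["event"] == "DATA_READ"
            and e.get("table") in CONFIDENTIAL_TABLES
            and e.get("user") not in APPROVED_READERS]


def analyse(lines: list) -> dict:
    events = [e for e in map(parse_line, lines) if e is not None]
    return {"parsed": len(events),
            "brute_force": brute_force_sources(events),
            "unapproved_reads": [(e["user"], e["table"], e["rows"])
                                 for e in unapproved_confidential_reads(events)]}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample lines the analysis flags 203.0.113.5 for four failed logins in under a minute and reports the tempuser read of 4200 customer_order rows; the single failed login from the service account's own address is not flagged, and the one malformed line is skipped rather than aborting the run.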
Keeping the Customer Informed!
By email! Relatively easy to set up
of paramount importance, bearing in mind that customers may be from overseas
Opportunities to send messages when:
credit details are authenticated
order is paid for
order is picked
order is dispatched
Summary of Main Points
Client-server shopping system must have a well designed database held remotely
Cart & cart fields should be held in local computer whilst user is logged on
Customer data should be held remotely
Standard shopping cart should not handle online payment data at all, just forward it securely
Good Planning for Shopping Systems
Develop the data model (database)
Plan the shopping pages
Identify the scripts needed to store customer shopping data, produce the cart and invoice
Plan the datasets that will be used for temporary data storage
Choose an Implementation model to interface with the data model (e.g. IIS, asp.net/c#, MDAP, Access)
Select a Payment System that works with the Implementation model chosen
Thanks for listening…