Web Development

Web Development

The Office of Information Technology provides a number of options and resources for students, employees, and organizations to host information and data online.  OIT also provides Campus Web Solutions, a custom web development contract service.

  1. The UNIX server, known as Mallard, hosts the Auburn University homepage. All Students and Employees automatically have 10GB of web space already set up on this server (http://www.auburn.edu/~username).

    • To access this space, see "Editing Websites on the Unix Server".
    • If visiting a site results is a "Forbidden" error one of two situations could be the cause of the problem.
      1. There is not and index.html, index.htm, or index.php file in the website.
      2. The permissions on that file are not set to allow the world read permission. (See #10 under "Using SFTP with WinSCP")

    Departments and Student Organizations can request web space on the UNIX server by sending the following information to webadmn@auburn.edu:

    • Name of the Department or Organization
    • Name and Position of person making the request
    • Prospective URL, such as http://www.auburn.edu/aubie
    • Names and usernames of the webmasters - we cannot provide webmaster access to non-AU personnel.
  2. SharePoint is a browser-based collaboration tool that makes it easier for people to work together. It helps people set up web sites to share information with others, manage documents from start to finish, and publish reports to help everyone make better decisions. Click to request a SharePoint site.

  3. The WordPress server is also available to student organizations, employees, and departments. This server is dedicated to the installation of the WordPress blogging software and is updated regularly with the latest patches.  To request space on the WordPress server, send the following information with your request to wpadmin@auburn.edu:

    • Name of person making the request
    • Auburn University username
    • Name of Department if applicable
    • Prospective URL, such as http://wp.auburn.edu/aubie
    *Setup takes between 3 and 5 business days depending on workload.
  4. A Windows server running IIS and ASP.NET, often using Microsoft SQL databases, is available to graduate students and employees by request. To request space, contact iisadmin@auburn.edu.


Features UNIX SharePoint WordPress Windows
Secure HTTPS capability Yes Yes Yes Yes
Server-side includes Yes No Yes Yes
PHP Yes No Yes No
VB.NET, C#, ASP, VB No Yes No Yes
ASP.NET Framework No Yes No Yes
MySQL Yes No Yes No
SQL Yes Yes No Yes
Backed up nightly Yes Yes Yes Yes
Undergraduate Students Yes No No No
Graduate Students Yes Yes No Yes
Student Organizations Yes Yes Yes No
Employees Yes Yes Yes Yes
Departments Yes Yes Yes Yes


Student Organizations

Every chartered student organization in good standing has a public web page linked from the Center for Student Organizations website.

Note: Student organization web pages must conform to all IT Policies.

Web Editing Software

To create web pages more quickly and easily, plus without having to learn HTML, you can use a web page editor or HTML editor.  A free option is Microsoft SharePoint Designer 2007, which is installed in the OIT Computing Labs located around campus and is available to download at AU Install.

Adobe Dreamweaver is another popular web page editing program which is compatible with the Unix Server.  Dreamweaver can be bought at special student pricing through the AU Bookstore.

Editing Websites on the Unix Server

Mapping a drive to personal home drive space (H:/P:)

If you are not on the Auburn network, you need to first VPN into the network.

Windows Computers
  1. Open a Windows Explorer window
  2. Click Computer > Add a network location
  3. On the "Welcome to the Add Network Location Wizard" screen, press the Next button.
  4. Select Choose a custom network location and press the Next button.
  5. To map to your home drive directory (H: drive on campus computers), insert \\ausamba.auburn.edu\homes. To map to your home drive web directory (P: drive on campus computers), insert \\ausamba.auburn.edu\public_html. Then press the Next button.
  6. You will likely be prompted to log in. Use yourusername@auburn.edu and your Auburn password.
  7. Choose the name you want for this stored location and press the Next button.
  8. Press the Finish button.
Mac Computers
  1. Choose Connect to Server from the Go menu in Finder.
  2. In the Server Address field, insert cifs://ausamba.auburn.edu/homes and press the Connect button.
  3. In the authentication dialog box, for workgroup/domain use AUBURN.EDU, then your username and your Auburn password. And then press the OK button.
  4. When presented with the SMB Mount dialog box, press the OK button.

Creating a personal website in OIT Computing Labs

These instructions help you create a web page from an OIT Computing Lab. There are a wide variety of uses for a web page, such as a resume, so be creative! Keep in mind, though, that you are subject to the rules set by the OIT Network Policy.

Follow these steps:

  1. Log into an OIT Computing Lab machine and open My Computer on the desktop.
  2. Select the (P:) drive, which is also your public_html directory on your H: drive.
  3. Open Microsoft SharePoint Designer 2007 and select File > New > Web Site.
  4. Choose General > One Page Web Site > click the Browse button > find the P drive > OK > OK.
  5. In the folder list pane on the left, highlight the file named default.htm > right-click > Rename > enter index.html
  6. Double-click index.html to open the file and begin making changes to the page.
  7. Choose File > Save or simply press Ctrl-S and voila! Your page is now viewable on the web at http://auburn.edu/~username where username is your username.
  8. Point a web browser to your new personal page and see how it looks to the world. Whenever you save changes, refresh (reload) the browser page to see the changes.

Creating a personal website outside OIT Computing Labs

Here's one of the many ways to create and modify your AU personal web page. Numerous web page creation tools are available for purchase and for free download on the Internet. OIT currently supports Microsoft SharePoint Designer 2007, which is available via free download. Any simple text editor, like NotePad, will work as well, but you'll need to know how to code HTML. Keep in mind that you are subject to the rules set by the OIT Network Policy for any web pages you create.

Follow these steps:

  1. Create a folder on your local computer for your website, perhaps in My Documents\My Websites.
  2. Open Microsoft SharePoint Designer 2007 and select File > New > Web Site.
  3. Choose General > One Page Web Site > click the Browse button > find and select the folder you created in Step 1 > OK > OK.
  4. Make changes to the page.
  5. If you plan to host the page on the UNIX server (www.auburn.edu), then do this: in the folder list pane on the left, highlight the file named default.htm > right-click > Rename > enter index.html. If you plan to host the page on the Windows server, you can skip this step.
  6. Choose File > Save or simply press Ctrl-S. When you have the page the way you want it, the next step is to place the file onto the server.

Publishing your personal website outside OIT Computing Labs

Using Microsoft SharePoint Designer 2007 makes it really simple to publish to your UNIX web space. If you used a text editor, like NotePad, to code your own HTML, you can also use a FTP program to access and upload to your web space.

Follow these steps:

  1. Follow the steps in Creating a web page outside the OIT Computing Labs.
  2. Log in to the VPN Client
  3. Map a drive to your personal webspace - \\ausamba\public_html
  4. After saving your web page, select File > Publish Site.
  5. In the 'Remote Web Site Properties' box, for Remote Web Server type, check File System. For Remote Web site location, find the mapped network drive you created. Click OK.
  6. Panels labeled Local web site and Remote web site show your folders and files on your computer and on the web server. Highlight the folders and files you've created or changed on the local web site.
  7. Click the blue right arrow between the panels to copy the highlighted files to the remote web site.
  8. When publishing is completed, open a web browser and go to http://www.auburn.edu/~username to see your finished page.
  9. If you make changes to the web page, publish it again and reload your web browser to view the changes.

Using SFTP with WinSCP

These instructions show you how to use WinSCP, which is installed on all of the OIT computing labs and is available for home computer download from AU Install, to SFTP Files to your Auburn University web space.

Follow these steps:

  1. If you are off-campus, you will first need to connect via an VPN connection.
  2. Open the WinSCP program. The Login Dialog window will open automatically.
  3. Choose the File protocol SFTP.
  4. In the Enter host text box, type mallard.auburn.edu (in some other FTP programs you may have to use sftp://mallard.auburn.edu)
  5. The port number should be set to 22.
  6. In the Enter username and Enter password text boxes, enter your username and password.
  7. On the left select Environment > Directories. For the Remote directory enter your desired server path (ex. /export/vol2/httpd/htdocs/, which is the main auburn web directory), then press OK.  And if you get a message relating to cacheing, press "OK."
  8. The Connection Screen is where you transfer your files. The left side contains the drives, directories, and files on your computer while the right has those of the remote computer that you're logged into.
  9. To transfer a file, click once to select an item and then click on an option at the bottom of the screen or just drag the item. Use the folder followed by two dots, "..", to go back a directory.
  10. To change the permissions of files, right-click the item on the remote server side of the screen and select "properties."  Make sure that all files and folders are "world readable" (folders are at least 755 and files are at least 644).

Connecting to Mallard with SecureCRT

SecureCRT is provided on all OIT Computing Lab machines and is available for home computer download from AU Install.

Follow these steps:

  1. If you are off-campus, you will first need to connect via an VPN connection.
  2. Open SecureCRT on your computer. In the OIT Computing Labs, click on "Secure Shell to Mallard" on the computer's desktop.
  3. Use the Connection window to select where to access. If this window doesn't come up, click the Connection button on the far left.

    Telnet SecureCRT
  4. Select Mallard and click Connect. If Mallard is not an option, click the New Connection button (third from the left), enter mallard.auburn.edu as the Hostname, and click OK.
  5. Fill in your username for Login: and your password for Password: when prompted.
  6. You have now created an SSH session. There are a variety of UNIX commands available to navigate and perform actions with.
  7. To disconnect, hit the Disconnect button (second from the left) or exit out of the program.

Basic UNIX commands

Here are a few of the commands you can use (italic commands require changes):

pwd : determines the present working directory

cd directory: change directories; i.e. cd /home/home9/username/subdir

ls : list of all the files in a directory

ls -l : detailed list of all the files, including file permissions, ownership, and groupname.

ls -R : recursive parameter; see all the subdirectories and files in and below the present one

ls -alR : recursive long listing including any hidden files

cp filename newname : make a copy of a file within the present working directory

cp filename targetdirectory : copy a file to another directory

mv filename newname : "move" or rename a file within the present working directory

mv filename targetdirectory : move a file to another directory

rm filename : delete a file located in the present working directory

mkdir newdirectory : make a new directory; use chmod command afterward and chgrp command if it is a shared directory

rmdir directoryname : delete a directory; will not work if files are in the directory

command1 | command2 : send the output of one program to another by putting a | (the pipe symbol) between two commands; for example, if you want to look at a list of your files, but you have too many files to see at once, you can prevent them from scrolling too quickly by piping the ls command into the more command like this ls | more.

command > filename : send the output of a program to a file; for example, to send the output of the ls command to the filelist.dat, use ls | filelist.dat.

man command : find more information about a particular command

cd /usr/bin : use this to display a complete list of commands that can be found

ls : use this to display all the commands

You can also use the asterisk (*) as a wildcard to set the permissions for all the files in a directory.

Understanding UNIX file permissions

Permissions are divided into three types:

r - read the file or directory
w -
write to the file or directory
x -
execute the file or directory

Read permission allows a user to read the contents of the file, or in the case of directories, to list the contents of the directory.

Write permission allows the user to write to and modify the file. For directories, write permission allows the user to create new files or delete files within that directory.

Execute permission allows the user to run the file as a program or shell script (if the file happens to be a program or shell script, that is). For directories, having execute permission allows the user to cd into the directory in question.

Each of these permissions is set for each of three types of users:

u - the owner of the file
g - members of the group to which the owner belongs
o - all other users

By setting the permissions, the file owner controls what users of each type can and cannot do to the file. The permissions to a file are listed as a string of nine characters like this:

user    group   other 
r w x r w x r w x

You can view the permissions of a file by entering ls -l at the command line prompt. The output will be a list of all the files and directories in your present directory. An example of one line from such a list would be:

-rwxrw-r-- smithjo client 3754 Feb 24 15:30 my.txt

The first (-) tells you if the entry is a file(-), directory(d), or a link(l). It is followed by the permissions list for the file, directory, or link. This is followed by the username of the person who owns the file or directory, in this case smithjo. The owner's username is then followed by the name of the owner's group (client), the size of the file(in bytes,3754), the date the file was last modified (Feb 24 15:30), and finally the name of the file (my.txt).

File permissions are set or changed with the chmod command. There is a shorthand way of setting permissions by using octal numbers. Read permission is given the value 4, write permission the value 2 and execute permission 1. These values are added together for any one user category:

1 = execute only
2 = write only
3 = write and execute (1+2)
4 = read only
5 = read and execute (4+1)
6 = read and write (4+2)
7 = read and write and execute (4+2+1)

So access permissions can be expressed as three digits. For example:

                              user   group   others
    chmod 664 file1           -rw-    rw-     r--
    chmod 644 file1           -rw-    r--     r--
    chmod 775 directory1      drwx    rwx     r-x        

Use these UNIX commands to change file and directory permissions:

chmod 644 filename : if the file is yours alone, you must restrict the group permissions to allow read only (because everyone is a member of the group other); allow the "world" to read only

chmod 664 filename : if the file is to be shared, remember to first change the group ownership using chgrp command as above; give read and write access to the group, and allow the "world" to read only, by using the command

chmod 775 directory : allow read, write and execute permission to the owner and group, and allow the "world" to read and execute, by using the command

chmod 666 PHP_data_file : any data file that needs to be written to by a PHP script has to be world readable and writable

Where filename is the name of the file or directory is the name of the directory. You can also use the asterisk (*) as a wildcard to set the permissions for all the files in a directory:

UNIX also allows files to be shared. In this way, files can be maintained by the persons responsible for them but altered by no one else. Although each file is owned by a particular user, it is also owned by a particular group, which is a system-defined group of users. Each user always belongs to at least one group. On the OIT Sun Network, there is a general group called other to which everyone belongs. Use these UNIX commands to view and change group access:

groups : determine what groups you are in

ypmatch groupname group : find out who is in a particular group

chgrp groupname filename : after uploading a file, will change file access to only those in your group

chgrp groupname directory : after uploading a directory, will change directory access to only those in your group

The system administrator creates groups for various purposes. For example, the persons maintaining a home page for an organization are all placed into a group for that organization (e.g., sga or upc). There are similar administrative groups, as well as a few system-defined groups used to control access to resources.

Password protecting your pages with PHP and AUthenticate (CAS)

Note: If you have a custom domain name (anything other than *.auburn.edu/*), you must first register your URL in AUthenticate by submitting a request.

PHP files on the UNIX web server may be configured to require authentication via Auburn's active directory services through AUthenticate (CAS). This measure also benefits users by participating in the single sign-on feature, which means if a user logs into AU Access, for example, they can then use your website without logging in again - and vice versa.

Require Basic Authentication

This method simply requires a user to log in, thereby proving their Auburn University affiliation.

  require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/PHPCAS/auburncas.php';
<!doctype html>
    <p><a href="?logout=">Logout</a></p>

Display Content Based on AD Groups

You may want to restrict content to a specific AD group. We have a simple method for this type of authorization. As you can see below, the checkGroupMembership method passes two parameters: the logged in user and an array of AD groups. A user must be in at least one of these groups to pass the authorization test. In your code, replace the two example AD groups with any number of Auburn AD groups of your choosing.

  require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/PHPCAS/auburncas.php';
  $auth = checkGroupMembership(phpCAS::getUser(), array("exampleADgroup1","exampleADgroup2"));
<!doctype html>
    <h1>LDAP Authorization</h1>
  if ($auth) {
    <p>Authorized! Insert your restricted content here.</p>
  } else {
    <p>Denied! Insert your rejection message here.</p>
    <p><a href="?logout=">Logout</a></p>

Editing Websites on the Windows Web Server

Publishing via Web Deploy

These instructions are used to Publish an application via Web Deploy to the IIS servers OIT offers. Depending on the server you are trying to connect to when the instructions have "web.auburn.edu" you may need to substitute it with "auappsmigr.auburn.edu."

  1. Open Visual Studio and select Build > Publish Web Site

  2. When the publishing option window opens, select <New Profile...>.
  3. Enter the profile name: web.auburn.edu.

  4. Complete the connection properties as follows:

    Server: https://webpublishing.auburn.edu:8172/msdeploy.axd?site=web.auburn.edu&app=/{YOUR_APP_NAME}

    Site name: web.auburn.edu/{YOUR_APP_NAME}


    Password: {YOUR_PASSWORD}

    Destination URL: https://web.auburn.edu/{YOUR_APP_NAME}

  5. Press Validate Connection and wait for the green check to make sure your settings work.
  6. Press Publish.

Password protecting your pages with .NET and AUthenticate (CAS)

Adding CAS to your .NET application can be done with a few simple steps. Full implementation details are available at https://wiki.jasig.org/display/CASC/.Net+Cas+Client but for purposes of Auburn sites do the following:

  1. Add the DotNetCasClient Reference to your .NET application
    1. Download the zip and extract
    2. Add the reference to your project using Visual Studio
  2. Modify your web.config
    1. Add  the following to you’re the <configuration> section:
        <section name="casClientConfig" ;type="DotNetCasClient.Configuration.CasClientConfiguration,  DotNetCasClient"/>
        <!--  Other custom sections here -->
    2. Add the <casClientConfig> element to the <configuration> section like so:
        serviceTicketManager="CacheServiceTicketManager" />
    3. Register the module  within the <system.web><httpModules> and <system.webServer><modules> like so:
        <add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
        <!-- Other modules here -->


        <validation validateIntegratedModeConfiguration="false"/>
          <remove name="DotNetCasClient"/>
          <!-- Other modules here -->
      </modules> </system.webServer>
    4. Configure Forms Authentication under the <system.web> section:
      <authentication  mode="Forms">
          path="/{YourSiteName}/" />
  3. For MVC applications Use the Authorize Attribute to Authenticate  and the FormsService.SignOut() function to invalidate that Authentication certificate:
    //this attribute will redirect the user to  authenticate if they aren't already
    //authorize is a misnomer in this case as this  doesn't manage user authorization at all
    public ActionResult LogOn() {
      return  RedirectToAction("Index", "Home");
    public ActionResult LogOff() {
      return  RedirectToAction("Index", "Home");
  4. Retrieve the logged in users info, perhaps for authorization:
    public ActionResult Index() {
      //this.ControllerContext.HttpContext is the alternative for HttpContext.Current.User in webforms
      string username =  this.ControllerContext.HttpContext.User.Identity.Name;
      return View();

Database How-To

Accessing a mySQL database

You can issue queries to the mySQL database either via an SSH session, via MySQL Control Center or directly from a PHP script.

NOTE: The campus firewall blocks off-campus traffic on port 3306. To connect to your AU mySQL database, you must be logging in from a machine on campus (such as mallard.auburn.edu) or running the AU VPN client.

Follow these steps:

  1. To access your database through SSH, open an SSH session or application (SecureCRT is recommended), connect to the OIT Sun Network (mallard.auburn.edu) and enter the following command:

    mysql -h acadmysql.duc.auburn.edu -u username -p

    Replace username with the one specified in your confirmation email. Supply your password when prompted and press Enter.

    When you get a mysql> prompt, type in the following:

    use name;

    Replace name with the database name in your confirmation email. You're now connected to your mySQL database via telnet.

  2. To access a mySQL database through a PHP script, insert the following code inside the PHP script:
  3. <?
    mysql_connect("$DBHost","$DBUser","$DBPass") or die("Unable to connect to server");
    mysql_select_db("$DBName") or die("Unable to select database");

    Assign $DBHost to the database host name (acadmysql.duc.auburn.edu), $DBUser to the username in the confirmation email, $DBPass to the password, and $DBName to the database name.

    You can now start issuing queries from the PHP script.

Understanding and preventing SQL injections

SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input. Many web developers are unaware of how SQL queries can be tampered with, and assume that a SQL query is a trusted command. SQL queries are actually able to circumvent access controls, thereby bypassing standard authentication and authorization checks.

Since SQL statements are text only, it is easy to dynamically change SQL statements to provide the user with selected data:



txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;

The example above creates a select statement by adding a variable (txtUserId) to a select string. The variable is fetched from the user input (Request) to the page.

Injected SQL commands can alter SQL statements and compromise the security of a web application. The above where condition could easily be qualified by a SQL injection. For instance, consider if "UserId" was equal to: "2 OR 1=1". That would make the SQL query:

txtSQL = "SELECT * FROM Users WHERE UserId = 2 OR 1 = 1";

Since the statement above is true, it should further be appended to include destructive and malicious code. Most databases support batched SQL statements, separated by semicolon. Consider if "UserId" was equal to: "2 OR 1=1; DROP TABLE *". That would make the SQL query:

txtSQL = "SELECT * FROM Users WHERE UserId = 2 OR 1 = 1; DROP TABLE *";

Now your databas has no tables. So how do we prevent an action like this?

Preventing SQL Injections Using Parameters

Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks. This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks), are used in common language, and should be allowed in many types of input.

The only proven way to protect a website from SQL injection attacks, is to use SQL parameters. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.

ASP.NET Razor Example
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = @0";

Note that parameters are represented in the SQL statement by a @ marker.

The SQL engine checks each parameter to ensure that it is correct for its column and are treated literally, and not as part of the SQL to be executed.

Another Example
txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";

The following examples shows how to build parameterized queries in some common web languages.

txtUserId = getRequestString("UserId");
sql = "SELECT * FROM Customers WHERE CustomerId = @0";
command = new SqlCommand(sql);

txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
command = new SqlCommand(txtSQL);

$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City) VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
Last Updated: September 12, 2017