Purpose

- To give you exposure to
? creating a program that
- connects to a database
- writes, reads and updates the data in the database
? writing the interface between a database and a user
? creating a client/server program that runs on the internet, serves up a page that runs on the client side (the users browser) and
also connects to a back end database on the server side (your virtual machine)

Instructions

Using the following database:

https://owl.uwo.ca/access/content/group/c345a70e-0aae-48d4-8b8e- 5d18c599ee54/Other/MovieTheatre.sql

(also linked in the "Assignment 3 DB" page on the left) and your virtual machine, Python/Flask and MySQL, create a website on your machine that allows a theatre company to manage the viewing of it's movie screenings.

There will be two parts to the assignment:

Part 1: The Back End:

The staff who work at a theatre must be able to:
- Movies
? add movies
? delete movies
? modify movies
? list all movies and all attributes (except genre) sorted alphabetically by movie name
- Genres:
? add a genre to a movie
? delete a genre from a movie
? list all genres and the movie the genre is for sorted alphabetically by genre (include the movie name only)
- Rooms:
? add rooms
? delete rooms
? modify rooms
? list the rooms and all attributes
- Showings
? add showings
? delete showings
? modify showings
? list all the showings and all attributes sorted by date of the showing
- Customer
? add customers
? delete customers
? modify customers
? list all the customers and all attributes sorted by last name
- Attend
? list all the paid for attendances and all attributes,
? along with customer first name and last name
? along with showing and showing date/time
? along with movie and movie title
? sorted by rating

Part 2: The Front End:
The customers of the theatre must be able to:
- allow a customer to search all the showings by searching (give a warning if there are no seats left for a showing):
? a selected genre (use a dropdown input box from all existing genres in the database)
? a range of dates (use two dropdowns to select a start and end date from all existing dates in the database)
? a showing that still has seats available (checkbox)
? a movie title (free-form input box)

? (Hint: How many seats are left are determined by {room capacity for a showing} - {the total tickets purchased for that showing})
- allow a customer to attend a showing
? select their name and any showing, and "buy" a ticket for it (ie. insert a new entry in the Attend table).
- allow a customer to rate a showing
? select their name and a showing they attended, and give a rating (a number of stars between 1 and 5) (ie. update an existing entry in the Attend table)
- allow a customer to select their name and see all the movie titles and ratings for the movies he/she has viewed
- allow a customer to select their name and see his/her profile (all the info about the customer)

Part 3: SQL Injection attack:
- Demonstrate a vulnerable page by not using parameterized queries (also known as prepared statements).
? Build a second page that does not use parameterized queries. When a customer is searching for a movie, it should be possible to use a SQL injection attack to view ALL customers at once in the database.

Part 4: Bonus (up to +10%):
- Movie Posters:
? Modify the database to allow a staff member to add a movie poster image that is added when the movie is added (it will never be updated or added after the fact). The image should somehow be displayed. Assume that all the poster images will be 240 pixels by 360 pixels.
? When the customer views a list of showings based on the movie title, display the movie poster (if one was uploaded) to the user.
- Design
? TAs will grant an extra 5% if your application has some kind of a modern layout and design. Using Bootstrap (see links above) is a good option. There are other template types out there or you can design one from scratch.