I am constructing html table with data queried from database using php. I also need to perform edit,delete operations on that table. I am saving the
database row id as hidden input field in each table row.
What I am doing is when user clicks on the particular row I getting the row id using jquery and performing edit/delete operations on the database table
using ajax,php
But the problem here is when user inspects element he can see the ids of each row. So if the user is technical expert he can edit the row id and change the
value of other rows in database table.
Generally how to handle this type of situations without populating database row id in table.
If the user is that kind of expert to look in inspector and manipulate that hidden info, and that is something that has to be strictly not possible to change, you could send guid or some custom backend function that encrypt / decrypt the info from user table..
Populating the row id is a correct, but if the user can change the values of some records but not others, the correct solution would be check server-side if the user has the privileges to edit the row that is currently trying to edit
You can take more info from the any cell of the row.
You save the id in your hidden input then take with jquery any cell and if the data cell and the id are not same in DB don't do anything if have relation then Delete.
hope it will be useful
For more security you have to create hash of each row and send to ajax page and verify both the hash . since it is a one way encryption so you hash for each row is unique..
Here is what i am saying to you
https://www.owasp.org/index.php/How_to_protect_sensitive_data_in_URL's
Related
I have a simple HTML form with three fields name,school and city. Also within the form, I have a button which I am using to insert a sub form with values neighbourhood and population. The crud mechanism is using jquery append.
In my database, I am saving the main form data in one table and the sub form data in another table.
My question is, during the creation of data in the main form, if I insert the data of the main form into one table and get the last inserted Id and use the id as a reference when inserting data into the second table, will this approach always work in both mysql and ms SQL?
If not is there a better approach I can adopt?
It will work, as long as your dynamically created input has the proper name attribute..
For example: name="txt_neighbourhood"
I don't know how to program webpages very well so I have the following question. I have a MySQL database which a user can manage. I have two tables: persons, videos.
I want my page for the user to select a person from the persons table (by name for example) and then associate this person with a video link.
Selecting the person from database is easy,
SELECT personID, name
FROM persons
WHERE name LIKE '%John%'
So now the user has to insert a video link to the videos table which has a foreign key the personID.
I could store the primary key of the person after the "select" in a hidden html input form but I assume this is not very secure as they can edit it?
My question is: Where would you store such a key value in between a select and an insert call?
Is it safer to store all this data in a session instead?
This sort of thing happens quite a lot, and it's completely fine as long as you don't mind people seeing your primary keys (if they're numbers, it shouldn't be anything to worry about).
Let's say you're retrieving a list of rows from a table, and displaying them in HTML. If you want each table row to have a 'delete' button for deleting that row, both from the DOM and in the Database, say via an XMLHttpRequest, it's typical for each row to have an "id" attribute, with the id being the primary key value of the row you wish to delete.
Typically, your primary key will be:
The id field in your table
The field with AUTO_INCREMENT set
In short, give each dropdown a data-id attribute, which you access in your JavaScript via the .data selector. That's good enough. Just make sure you're also protecting yourself from SQL Injection and using PDO and prepared statements, and you'll be fine.
For extra protection, and to make sure nobody has altered the data-id attribute client-side before submit, check that the id corresponds to the name field in the database, and you're golden.
I think storing this type of data in the session is secure and a good choice. After all, it's session-scoped, so there's no reason to output it.
It would be more secure to store it in the session and, ofcourse, easier to access and manage.
I'm sorry if this a stupid question, but I am new to this. I want to store all the information from all my customers' different contact forms in a database so they can retrieve the information later. Each contact form has a different number of fields. Ideally I'd store all of this info in one MYSQL table, but as I said each customer's contact form has a different number of fields.
I was thinking of creating a database with the following fields
ID, customerID, dateTime, data
The data would be the html of the contact form. However I am sure that's not best practice. Also it wouldn't allow me to offer a download option to the customer of all their contact forms as a csv or similar.
I don't want to have a different table for each customer either, and I am sure having a table with 'field1', 'field2', 'field3' etc isn't that good either.
Any ideas?
If you don't need it to be relational, that would be fine. You wouldn't be able to query it very easily.
You could store the answers in another table using keys to link back to the form and field.
Or use a KeyValue store type DB like MongDB, and you could store all your data without worrying about the schema.
Make another table called user_data. In it, have:
id, user_id, data
Then, if they fill out a form with 10 fields, you can enter 10 entries into this table. When you pull data for the user, just also pull any data from the user_data table that has user_id = their id.
If you need more than that, you could also add a "field_name" field or something:
id, user_data, field_name, data
You can use the MySQL database to have a schema for your desired information that relates many tables to one another.
Here is another discussion about database design:
Database Design Best Practices
If you must have only one table, the other choice I would mention is to have the ID created automatically, and then make the fields be not required. This way when a customer fills out one form before the other it won't mess you up. You can then store the ID as a Session Variable and reuse it for different INSERT statements to your database.
You can make a download function for the customer that will output in the desired format that queries your table and then generates the file.
I have created a table that displays the results from a MYSQL database. At the end of each row, I have added a button that when clicked on inserts the session username into the database. Apart from the session username I want to insert all the other details present in the table ROW in which the button is present.
How do I do that?
I presume you have some sort of form for each row to hold your submit button?
If thats the case you can use hidden field form elements. in each cell of the row add an hidden field and set the values. upon when the user submits that info is passed to via POST or GET. Be warned that doing this means the user could tamper with the data before submitting entering invalid info.
To avoid the above issue you can just pass the ID of the row to the form and on submit read the id, get the result for the DB and then insert into into another table or database.
I was wondering how can I select a value from a database that a user just entered it into and then add it to another mysql table all in the same script before the script is finished running.
You're probably looking for an insert ... select statement.
If you're talking about adding a value that a user just entered into a form, to something, and then putting that into the database, you should do the addition while in PHP. There's no point in going to the database after you've just inserted the value for this purpose.
If I'm misunderstanding something, please elaborate your question and let us know WHY you would want to figure out a just-inserted database value and do an operation on it, rather than trying to do it before you insert in the first place.
Also, if it's a fairly simple modification consider using an UPDATE statement, not a select --> insert.
Like nash said, you perform a select.
But to get the data from the row that the user just entered, you'll need:
mysql_insert_id()
Which grabs the last ID inserted (this is assuming you have an increment id column)
So assuming just entered his first and last name in a form, you'd insert his first and last name in the database(which i assume you know how since the title of this question is "SELECT a value from MySQL database"), you can get what he just entered by:
$last_id = mysql_insert_id();
If there are no rows on that table yet, then this will return 1. $last_id is now 1 (one).
To select:
SELECT * FROM users WHERE userID = "$last_id"
this will grab what the user just inserted....however, this seems pointless as you can use the variables from the form he just filled
enter code here
In the PHP MySQL module, you normally perform a mysql_select_db() to switch database.
You can insert your data into tables in different databases by switching between them with that function.
However, you can insert data into any table of any database (which the user has access to) by prefixing the database name to the table like so:
INSERT INTO test_db.test_table (`column1`,`column2`) VALUES ('abc',123);
You can use that also to insert data from one table into another using:
INSERT INTO `db1`.`myTable` (`column1`,`column2`) SELECT `column1`,`column2` FROM `db2`.`myTable` WHERE `id`= 5
The WHERE id part should obviously match the id of a row in db2.myTable
If you use doctrine you have the inserted data in the object representing the table and in addition you have primary key assigned for the record inside the object.
Con is doctrine is huge database abstraction layer, so if your application is not big doctrine is hammer for mosquito.
what is the structure of your database? The names of your tables, columns?
Some tutorial that you may want to look at: (grabbed from google)
http://www.phpf1.com/tutorial/php-mysql-tutorial.html
In theory you perform a select, take the data you need and perform an insert.