synchronization lock text field for php - php

How to lock a text field when one user typing in one text field??
Means that when 1 user typing in the text field, other user unable to type in that particular text field.. Is there a way to do that??

The way I understand it, you'll need to use JavaScript to constantly poll the server for changes. When a user starts typing, he'll Ajax the server notifying it of that. The server will save the new state to the database, and when the rest of the users poll for changes, the server will tell them user X is editing field Y, and use JavaScript to lock the field.
Note that this method shouldn't be used for critical security features! A user can easily bypass anything made in JavaScript, or on the client-side in general. You should validate on the server side as well, and not accept input on a field which is already being typed in.

Related

Real time data with Angular

i want to create a web page with data, this data can be edited in Real Time.
Users will see data in Real Time and can edit it, something like "Google Sheets" where everyone can edit the same file and see others changes in real time.
I will be using PHP, MYSQL, AngularJS.
I want to consult you on how to do it in the best way, this is some points that i thought of:
Use angular polling every X seconds to update page data in real time, but if user editing one of the fields, how can i prevent from this specific field to be updated by polling?
How can i LOCK specific field that user is editing, to prevent 2 users to edit the same field in real time
There is any better way to pull data in real time than angular polling?
When user editing text field i want to update it in database without "submit" or save button, i thought to save the data after 3 seconds, any better ideas?
Thank you,
1:
I'd suggest for you to have an array of objects or a datastructure similar to that, which contains the fields, in your AngularJS controller. When a user starts editing a certain field, you could set isEditing to true in the field object in your datastructure. Whenever an update comes in, you loop through your datastructure and only update fields of which isEditing isn't set / isn't true.
For making it more realtime, instead of polling, setup WebSockets and let the server broadcast the newest values of a field to all editors whenever it gets changed.
2:
For locking a field that a certain user is working on, you could add a locked column to the database table containing the fields. Whenever a user wants to start editing, the following would occur:
User requests to edit a field
Server checks if the field is locked
If the field isn't locked, the user is permitted to edit the field and the server sets the locked column to true or to the username, depending on your needs.
If the field is locked, the user isn't permitted to edit the field
When a user saves a field after editing it, you should set the locked column to false. You should probably also set the locked column to false whenever the editing user gets disconnected.
3:
PHP on it's own is not able to send data to the client without the client making a request. You'd need to add WebSocket support to PHP (for example http://socketo.me/, haven't tried that out though).
If you are interested in a server platform that is able to do this out of the box, you could take a look at http://nodejs.org. When you plan on using Node.js, I suggest using http://socket.io/ for maximum browser compatibility. (it includes fallbacks for whenever WebSockets aren't supported by the users browser)
4:
You could save the current value every x seconds if the value is different from the previous save. This would be more efficient than always saving the value. You'd need to save the previously saved value in a variable for this.

Comparing user input with stored data from database, and ask what to do if they do not match?

In the process of checkout, the user might start filling out the mailing/billing form before realizing that they should login - if they're an returning customer. (It's a highlightet area at the top telling them to do so, but you can't be too certain they use it.)
The scenario is like this:
The user is checking out. They start filling out the form. Then they remembers that they already have an account with the company, or notices the "sign in" notice at the top, and then logs in.
Now, when the user is logged in, we want to populate the form for the returning customer to make the process faster, but we don't want to overwrite whatever the user already typed. So we need to do some comapring on the fields, and then ask if the user want's to change or keep. Also, we do not whish to prompt the user if there's no difference.
My first though was to take all not empty fields into a combined string, and use strcasecmp() to compare it with an equal string from database. But turns out php don't think "y" and "Y" is the same letter, so it produces a mismatch. Also, since this is a Norwegian site, the use of nordic characters (e.g "æ ø å") is making this rather difficult..
Any ideas on how this could be accomplished in a good way?
I think the easiest way is html local storage so that if user fills a form than browser will store the data till completion of form like stackoverflow.If due to some reason page the cancelled or anything else reason got closed than you can just get that data and fill the form again with that data so that no time will consume .This is a very good technique you can store up to 5 mb on local machine without any server side call.
for further detail see this
html5 local storage
Local storage
When you take your not empty fields into a combined string
$_SESSION['checkoutForm_fields'] = $combinedFieldNames; // forexample comma seperated or json_encoded()
$_SESSION['checkoutForm_value'] = md5($combinedString);
// After login complete and you fetch the old values from DB
// get the $_SESSION['checkoutForm_fields'] value and gather the values of these fields from DB lets say $combinedStringFromDB;
if ($_SESSION['checkoutForm_value'] != md5($combinedStringFromDB)) {
// Do what ever you want.
}

How to block an user from faking requests? Or how to detect fake requests?

Let's suppose that you have a website that contains a single button.
When this button is pushed, an ajax request is sent to the server - who receives the request and adds 1 in an internal counter on its database.
An user could copy the entire request (and its headers) and create a script to send infinite requests to overload the server (and mess with the counter).
I'm trying to avoid:
Recording the user IP
Using Captcha
I'm using php in my back-end. Is there any way to prevent this situation? Is there some way to send an "invisible" request?
Your problem is called "cross site request forgery".
A good way to solve this problem is to generate a random string when the page with the button on it is called, write it into the users session and into the generated page, and send it together with your button press (for example in a GET request).
On the backend side you check if the submitted string matches with the string in the users session and then delete the string from the session. Only proceed if both strings matched and weren't empty.
This way every request URL is only valid one time and only valid for the user who initially opened the page with the button on it.
you can create a unique token that is assigned to the button and can only be submitted once with the button press.
this will mean that the user will need to refresh the page to get a new button, if thats a problem, associate the token with the user and not the button
the above method means that you need to add server side code. you might be able to get away with using something like evercookie to log the button press on the clientside and attempt to prevent the user from sending another request and recieving another request from user - i dont recommend doing this in prod, but it might be fun ;)
ill try to be bit more clear:
generate the button so that it submits a form containing a hidden field called 'uuid' that contains a pre-generated uuid for that button. this uuid will need to be kept in the database or in memory. if you use a good uuid lib, the chance of the user generating an existing uuid are infinitesimal.
now, the user clicked the button and the action goes to /my-button/?uuid=3394b0e0-a3bb-11e1-b3dd-0800200c9a66
now the server checks if the uuid is a previously generated one. if it is, it deletes the uuid from where its stored and lets the action do whatever. the uuid does not exist, it returns a 404.
You can't possibly know how a request is initiated, all you can do is make it more difficult to fake. But if this is something to do with security, then it's the people who can successfully fake the request that you need to be most aware of. So it's likely useless (or even misleading) to attempt this as some kind of security measure.
You can try an encrypted key that the server will only accept once within a certain time lmit, but you will still not know how the request was initiated (and you really shouldn't depend on that). Buttons are a UI feature that might be converted into some other UI artifact based on whatever the user agent has been configured to present to the user (if there is a user invovled at all).

Human verification without user action

For a system I'm working on I've got a bit of a problem: I'm messing with one of the basic rules of HTTP and I'm allowing users to post data through a GET request.
Don't get mad at me yet: I've got a reason for this: Users arrive in my application from an external environment and I can't prompt them for any extra input (so all necessary data is in the GET query). They should be able to close the browser window right after it opens and the input should be saved. And no, I can't do this through AJAX, an API or other under-the-hood method.
These requirements kind of rule out captcha, calculations, forms etc. So I'm left with the problem that I really do want some type of verification to prevent bots/crawlers from "accidentally" submitting something.
One of the solutions I am looking into is making a very lightweight landing page that submits itself through javascript onload but it would be the ugliest thing in my application so I'm trying to prevent it. Another is to let the landingpage not do any of the processing but instead use an AJAX-call to do this. This would however mean that older browsers (and many mobile phones) would have to use another solution.
Background: Application written in PHP5.3, built on Yii Framework, 100% cross-browser compatible (this includes pretty much every mobile phone out there).
Some more background: The "exteral environments" I'm talking about vary from e-mail clients to websites. Manipulation of our content at runtime isn't possible.
Update: Here's what I'm going to do: I'm probably going to combine solutions posted here in a fallback mechanism so that a chain of verifications will be attempted:
1. Ajax verification
2. Non-Ajax javascript verification (automatic form submission)
3. Prompt for user input (user has to click a confirm button)
Besides this I'm going to implement a bot trap as descripbed by http://www.kloth.net/internet/bottrap.php
After I'm done with building this I'll update the post if I did anything different.
Hard to understand where you app is and where external environment really are. But one simple bot-removal technique I use is to put an hidden field named 'login' or 'name' and give it an empty value.
Human people will never fill this hidden field, but spam bots are always filling it. So you can discard any request with that field being not empty.
Now you must prevent crawlers and not only spam bots. Never did it, but here are some thoughts. You could add a hidden 'human' hidden input in the form on first mouseMove events (but keyboard-only -- and think about blind people -- users will be considered as robots). So maybe if this field is not there you can launch a javascript 'confirm' where you ask "Confirm that you are a robot or click cancel if you are human".
You can make your anchor link containing a default value that this hidden field values will overwrite in js. Most crawlers will not overwrite the values, especially if you must cancel a confirmation to get the right behavior (and avoid confirmation with mouseMove event for most users).
If you are able to modify the place that your users are coming fro, you could try including a checksum. Calculate some kind of checksum or hash of all the fields in the GET request and add it to the GET request itself (i.e. through javascript, but do it in the place your users are coming from, not where they are landing). Then, in your application, reject all hits with an incorrect checksum.

Need a general idea for how to communicate with server PHP script and return error information to client

I have a form that the user needs to populate and then the form will be sent to a server.
After the user submits the form, if the server script found that the form is not correctly populated (i.e. the uploading file is too big), it should return error to the client side.
Now, my question is as follows:
How do I keep the user seeing the same page without transferring to a different page?
Because I don't want the user to waste time to reenter everything again. I just want the user to correct the wrong part.
Because I don't want the user to waste
time to reenter everything again. I
just want the user to correct the
wrong part.
This is a good intention, but the wrong solution.
To stay on the same page would mean you have to submit the form using javascript. While possible, why make things more complicated than they have to be?
Instead, submit the form to the server and when you write out the form again to the user with the error message, set what the user entered as the default value on the form. Then it will be there for them and they won't have to type it again.
Note: Don't do this for passwords tho; the page may be cached and then the users password is saved in a plain file on the hard disk. This is why most sites make users retype passwords each time.
You need to show form again and fill previously entered data in input's "value" fields. Of course, don't forget to replace special characters with html entities with htmlentities();
I also found one tutorial for you: http://evolt.org/node/60144

Categories