So we are building a website and created our basic information to send logins to our database. We have trouble trying to disallow requests that just plug their own data in.
E.g.
http://testing.site.com/php/interfaces/User.php?Action=1&Email=test#gmail.com&FirstName=herp%20derp
By replacing email and firstname, they are able to add multiple users to the database and potentially with a script thousands. Is there any way to prevent this without using a captcha? We are trying to be very minimal and open with the site's design so would love some input if this is possible.
One option we have considered is moving our PHP offline and only allowing our API to access it- however it still presents the problem of users adding in authorised data (and overloading our database with thousands of multiple requests)
Here is a sample option, create a table with 2 fields, one is an Auto Increment id and one is a random code, lets name them ID and CODE
When sending that request, create 1 record in that table and pass the ID and CODE along with request, when receiving the request, check if there is a record in database with that ID and CODE process the request and delete that record from database too and if there isn't that record, just ignore request ...
Related
I have a question, some might have encountered while working with data. Trying to figure out how to implement "signature" for data passed back and forth to SQL Server via PHP.
For example, I have a sales order that contains dates, numbers, other variables (string), etc.
The idea is that when that data is inserted into SQL, a "signature" is created based on all the variables (around 30-40) and stored in that table. That signature will be sent to the user when user pulls the data. Then, when a user updates that data and sends back to SQL along with the current signature, PHP would compare that current data signature with the one stored in the database and update the data if it matches. if not - the user will get a notification saying something like "the state of the order has been changed, new data available".
This will prevent one user from overwriting the data if that data has been changed by another user while the first user worked on it.
I thought to add "user signature" which is comparatively easy. However it does not resolve the situation when the same user has opened multiple windows with that data and then accidentally tries to submit updates from one window after he already submitted some data from another window. (Some users are old folks and not tech savvy and may have open multiple windows in the browser, you know).
Locking records won't work here as the data has to be accessible by multiple users at any time.
Thank you for your help!
NOTE: If someone is using SQL Server Management Studio, seems like you can add this column only via query. At least I coud not find this option in "design" view.
ALTER TABLE table_name ADD Version rowversion;
I'm coding a small yet useful app to serve as an end-Point of HTML Forms, to avoid manually code every time I want to save Forms submissions into Database. Because of the nature of the app, I want to store all the POST's fields sent by the HTML form that sends the request.
This is my approach:
- User in the app creates an endpoint to send form submissions every endpoint will be stored in a table called ENDPOINTS that will have 2 fields: endpoint_URL (plain text to create the HTML endpoint) | data sent (JSON text to receive every field sent, no matter if every submission has different fields) this way I can store all the information without altering the structure of the Database Table every time a new field is received.
-The app then can show an HTML table of the specific endpoint and the information received field and content.
My concerns are:
-every submission (no matter if the submission comes from different endpoints) will be stored in the same database table, therefore it can create a huge list of registries on a single table.
Every time the HTML table is created will need to take the JSON content of the database field and reconstruct the HTML table (instead of using the power of the database to this endeavor).
What do you think could be the best approach to accomplish this? I can think on make a new table every time an endpoint is created and this table will receive every submission of the propper endpoint, nonetheless using this approach needs the database to update the fields every time the form receives different fields from the same endpoint.
I'm using LUMEN Framework instead of plain PHP to focus on the logic of the app rather than security concerns.
I am working with Qualtrics, which is just a web-based survey engine. The request is that, once users finish the survey, they will receive a small prize in the form of a gift code. Since I can't host the prize code data on the Qualtrics platform, my idea was to store the prize codes on a remote server. When the user finishes the survey they will be directed to my server (https), to a PHP script that will give out the prizes. On the surface this is possible, because as one piece of customization they allow to re-direct to a URL upon completion of the survey.
The problems that I am faced with, regarding my PHP script that gives out the prizes are as follows:
1) Make sure visitors have COME FROM the survey and have actually
finished the survey.
2) Only give out 1 prize per participant per survey.
It is difficult to address #1 because it seems like after the survey is complete, you just get a basic re-direct to my site. It would be possible to add GET data to the URL, its very easily readable and doesn't offer security. Even encrypting the GET data doesn't seem feasible because a hacker could just copy the data string once they see it.
The idea I had to address #2 was to check the user's IP address using PHP, and store the address in my DB after a 1-way encryption. This way the IP would be unknown, but I could check for duplicates, only allowing 1 prize per IP.
So the question is, is it even possible to do what I am trying to do with just a simple URL re-direct? Is my idea for addressing #2 acceptable?
Thanks.
There are probably many ways this could be handled. Two that come to mind:
1) At the end of survey, Qualtrics creates an embedded data field called ResponseID which is in the Qualtrics data. You can include the ResponseID in the redirect then have your php script call the Qualtrics REST API, and try to retrieve the response with that ResponseID to make sure it exists.
2) Just before the end of survey, you could do a web service call to a script that creates a unique id, store the id on the server side, and return it to the survey as an embedded data field. Then pass the unique id in your redirect and make sure it matches a unique id you stored.
EDIT based on comment below:
You can add custom parameters to your redirect by piping in parameter values like this:
http://mywebsite.com/myscript.php?rid=${e://Field/ResponseID}
If you are able generate special request parameter for redirect url and make it for every user unique, then you could invent some algorithm, and encrypt user ID with it and pass this ID as parameter in redirect url.
I am sending a GET Parameter which is an ID, of course this ID is needed to pull fields from salesforce using the soapclient API.
My issue is because this parameter can easily be changed by a user to a different ID, on load of my page it will pull up other fields based on that other ID the user had altered.
How can I secure this in some form? whether it is from the salesforce end or the php side, My Solutions I came up with are the following but I found tedious.
Have a field in salesforce that is ticked if user has submitted the data before so old data can not be viewed again when it does a check to see if it was submitted.
Create a session, grab the get parameter, then redirect to the same page. but that is a bit tedious.
What is the best solution for handling a GET Parameter from a salesforce link that will arrive in a email to the user?
I'm not sure how you generate these ID's or where you use them. But if you store them somewhere and then retrieve them at a later time you could try and hash them. When the ID gets generated either hash it right away and use this hash as the identifier or, if you only get the ID at a later point (on insertion for example), you could create a hash out of the generated ID and store it in a different field of the same record. Later when you are retrieving or showing records to the user you can hash the ID again and make only requests using the hash. This would be a pretty difficult way for the user to get any other records since they would have to know the hash that was generated for the ID.
Of course it all depends a bit on your implementation. I don't have any personal experience with salesforce, so I don't know what might or might not be preventing you from implementing such an idea.
1. Adding role to user
Hello. I am creating my php system that will be used mainly to spread information and managing large database of users.
Let say i have my main "team" settings, and i want to have site where user (admin) can set up team data like "coordinator" or "manager" etc. I want to keep that simple, so admin can set up specific roles (they are stored in database under table team_settings with specific fields like team_manager etc.) by providing username/visible name.
Here is my question. I assume i will need to use jQuery to do simple "quick search" to choose specific user, but here is the deal. How to put this one in my form, that after choosing person, when i post the form i will store user_id in specific table field?
So mainly - how to set up user_id in my field when input will have user name instead?
2. Codeigniter Mailing / Bulk Emails
I am looking for any person that had faced mailing problems while using codeigniter or pure php. My problem is - my shared hosting have 30 sec execution time on PHP scripts, so i need to send email, mobile text message and IM message in this time.
Of course i can use cron to accomplish that, but the question is: Do anyone now any sort of extern API that i can use to send my bulk email? It will be same message (maybe with some variables, nothing more) send to about 150 users maximum.
3. Codeigniter Ajax
I just need to call same methods from my controllers and return different objects - when it is requested by AJAX it should return HTML, but when I call it (or my user) manually, it should load the view. How can i accomplish that?
Thanks in advance for all of your replies.
May The Force Be With You.
Answer for question 3, as I didn't understand the first two.
Simple way of using a function in two different ways:
Send an additinal parameter with ajax request like: ajax=true(either post or get request). when a normal request post/get will be posted, it will not be there. So just have a check that whehter aN ajax named variable exist in post/get request and process data accordingly. IF AJAX FOUND, do not load view, and echo $HTML; else $this->load->view('viewname'); Hope that helps.
After searching the user, when clicking on the edit user are you editing on the same page on a popup or navigating to different page for editing. If you are using same page, store the username in a Javascript global variable and post it while posting other edited details. If you using different page you can pass the username or user_id in the url segment and can use this as a parameter inside the controller function.
http://yoursite.com/controller/functionName/username or id
function functionName($username)
{
//do validate the $username and useit
//if posted update ot display the edit form
}
You can use some email queue concept. Where you insert all the generated emails to a queue table and with status off course. Then process them in a cron job in preferable limit so that it will not exceed the 30second limit. I am have included the same concept for the Codeigniter websites generated using thephpcode.com