i want to handle the probable errors of mysql db. in my case, i have users table that has 7 columns. column email and username values should be unique and i set that for them. but in my sign up form, when users enter and submit their account infos, their entered username and email can be in the database. so in this case, mysql throws an error. for example in my database there is a row with test#test.com email and saman138 username. if a user enters test#test.com for email and saman138 for username, mysql throws an error like this:
Duplicate entry 'saman138' for key 'users.username_UNIQUE'
But the main problem is that i cant display the right error to user. I actually dont know how to do that in the best with the highest performance. For example how can i recognize that the users entered password is duplicated in the database and display the right error to user? I can send two extra queries to get the row that has the entered email or password and then send an error with this message:
your entered username and email already exists in database. Please
enter an other email and username.
this is my codes to insert users infos in to the users table:
import bcrypt from "bcrypt";
import { SignUpInfos } from "../interfaces/Interfaces";
import { mysql } from "../utils/DB";
const signUpUser = async (datas: SignUpInfos) => {
const hashedPassword = await bcrypt.hash(datas["user-password"], 10);
const results = await new Promise((resolve, reject) => {
mysql.query(
"INSERT INTO users ( fullname, email, username, password ) VALUES ( ?, ?, ?, ? )",
[
datas["user-fullname"],
datas["user-email"],
datas["user-username"],
hashedPassword,
],
(err, result) => {
if (err) reject(err);
else resolve(result);
}
);
});
return results;
};
export { signUpUser };
so what is the best way to return the right error message if there was an error? is there any best way to do that or i should send to extra queries? thanks for help :)
As according to the MVC pattern, input validation is typically done before the request gets to the database (in your javascript code), not relying on database errors to inform you that something is wrong.
For example:
First you might check that a username is a valid username through business rules in the javascript; checking that the username doesnt have spaces or something.
Then you might search the database to see if there are any users with a given name, return the number and then use that to tell the user that a name is already taken. Only once this search returns that there are no other similar usernames in the database should you actually let them submit the new account.
But, that is not to say you should abandon the database rules altogether because they are important to ensuring someone doesnt do something dodgy like mess with your database (as an extreme) by bypassing the javascript code somehow and adding duplicate accounts -- that would be tragic.
Where does input validation belong in an MVC application?
"with the highest performance" -- "premature optimization". The login process, even when accounting for error cases, takes only milliseconds. There is no need to optimize this.
Also, since the usual case is "no errors" it is best to assume there will be no errors, then let some lower-level process (such as the databse INSERT) catch the error. If, instead, you checked for errors first, you would usually be wasting your time.
Anyway, the test and the insert must be done atomically, or else someone else can sneak in between your test and your insert and, say, grab the user_name. That is, the two must be combined into an "atomic" action. And the db, with UNIQUE constraints, does that nicely for you.
Related
Last year I made a laravel site with an events table where I needed three fields to be unique for any event (place, date and time). I wasn't able to set up a validation request to do this so I added an unique index for these three fields directly through phpmyadmin and catching the exception that could happen if a duplicated event was inserted.
So basically my store() method has a try/catch like this:
try {
$event = new Event;
$event->place = $request->input('place');
$event->date = $request->input('date');
$event->time = $request->input('time');
$event->save();
return view(...);
} catch (\Illuminate\Database\QueryException $e) {
// Exception if place-date-time is duplicated
if($e->getCode() === '23000') {
return view('event.create')
->withErrors("Selected date and time is not available");
}
}
Well, now I had to change the app so events could be soft deleted and I simply added the 'deleted_at' field to the unique index, thinking it would be so easy... This approach doesn't work anymore so I've been reading here and there about this problem and the only thing I get is I should do it through a validation request with unique, but honestly I just don't get the syntax for this validation rule with three fields that can't be equal while a fourth one, deleted_at, being null.
My app checks for the available places, dates and times and doesn't let the user choose any not available event but no matter how many times I've told them there's always someone who uses the browser back button and saves the event again :(
Any help will be much appreciated. Thank you!
This is not a good approach to solve the problem.
You can do follow things to solve this problem
Before insert into database get a specific row if exist from database
and store into a variable.
Then check the data is already stored into the database or not.
If data is already there create custom validation message using Message Bag Like below.
$ifExist = $event
->wherePlace(request->input('place'))
->whereDate(request->input('date'))
->whereTime(request->input('time'))
->exist();
if ($ifExist) return 'already exist';
It might help you.
#narayanshama91 have pointed the right way.
You said you would like to use the unique rule to validate the input but the problem is that last week there was a post in Laravel Blog warning users of a possible SQL Injection via the unique rule if the input is provided by the user.
I would highly advise you to NOT USE this rule in this case since you depend on users input.
The correct approach in your case would be #narayanshama91 answer.
$ifExist = $event
->wherePlace(request->input('place'))
->whereDate(request->input('date'))
->whereTime(request->input('time'))
->exist();
if ($ifExist) {
return 'already exist';
}
Today I wanted to greet the user in my app by name, but I did not manage to get it.
I found System.User, but lacking some examples I did not manage to get the info I needed. I saw no possibility to get the current user (id) to call User.GetFromId().
Can you guide me into the right direction? Have I been on the wrong path?
Okay, So first things first, getting access to a user's personal information is a privilege you have to request, so in your store app's Package.appxmanifest, you'll need to enable the User Account Information capability in the Capabilities tab.
Next, you'll want to be using the Windows.System.User class, not the System.User (System.User isn't available to Windows store apps, which you appear to be discussing given the tags you provided for your question)
Third, you'll want to request personal information like this.
IReadOnlyList<User> users = await User.FindAllAsync(UserType.LocalUser, UserAuthenticationStatus.LocallyAuthenticated);
User user = users.FirstOrDefault();
if (user != null)
{
String[] desiredProperties = new String[]
{
KnownUserProperties.FirstName,
KnownUserProperties.LastName,
KnownUserProperties.ProviderName,
KnownUserProperties.AccountName,
KnownUserProperties.GuestHost,
KnownUserProperties.PrincipalName,
KnownUserProperties.DomainName,
KnownUserProperties.SessionInitiationProtocolUri,
};
IPropertySet values = await user.GetPropertiesAsync(desiredProperties);
foreach (String property in desiredProperties)
{
string result;
result = property + ": " + values[property] + "\n";
System.Diagnostics.Debug.WriteLine(result);
}
}
When you call GetPropertiesAsync, your user will get a permission prompt from the system asking them if they want to give you access to that. If they answer 'No', you'll get an empty user object (but you'll still get a unique token you can use to distinguish that user if they use the app again).
If they answer yes, you'll be able to get access to the properties below, and various others.
See the UserInfo Sample Microsoft provided for more examples.
I found this great node mysql boilerplate:
https://github.com/ocastillo/nodejs-mysql-boilerplate
it works terrific! However, now I need to hook it in to my existing user table, and my key field is named userID, not simply id, and changing the key fieldname in mysql breaks the example. So my question is, where in the project do I need to specify a different id field name? I see user.id in /util/auth.js passport.serializeUser and id in passport.deserializeUser functions, but it seems it must be specified elsewhere too. I'm hoping this is a simple question for users of passportjs!
Yes, you should only need to change the code in the serializeUser and deserializeUser functions. Those two functions you control, and state within them what you'd like to serialize into the session cookie (when the user logs in), and deserialize from the session cookie (when the user revisits the site after logging in). Think of them as ways to remember who this person is, once they return. The passport.use function is only used to define the authentication strategy, and within that, the manner in which you'll "log the user in".
So this should work (assuming I've followed what you've said above):
passport.serializeUser(function(user, done) {
done(null, user.userID);
});
passport.deserializeUser(function(user_id, done) {
new data.ApiUser({userID: user_id}).fetch().then(function(user) {
return done(null, user);
}, function(error) {
return done(error);
});
});
You might benefit from more examples, here's a gist I put together on passport configuration within Node (however this one uses Mongo): https://gist.github.com/dylants/8030433
I have a small app where users create things that are assigned to them.
There are multiple users but all the things are in the same table.
I show the things belonging to a user by retrieving all the things with that user's id but nothing would prevent a user to see another user's things by manually typing the thing's ID in the URL.
Also when a user wants to create a new thing, I have a validation rule set to unique but obviously if someone else has a thing with the same name, that's not going to work.
Is there a way in my Eloquent Model to specify that all interactions should only be allowed for things belonging to the logged in user?
This would mean that when a user tries to go to /thing/edit and that he doesn't own that thing he would get an error message.
The best way to do this would be to check that a "thing" belongs to a user in the controller for the "thing".
For example, in the controller, you could do this:
// Assumes that the controller receives $thing_id from the route.
$thing = Things::find($thing_id); // Or how ever you retrieve the requested thing.
// Assumes that you have a 'user_id' column in your "things" table.
if( $thing->user_id == Auth::user()->id ) {
//Thing belongs to the user, display thing.
} else {
// Thing does not belong to the current user, display error.
}
The same could also be accomplished using relational tables.
// Get the thing based on current user, and a thing id
// from somewhere, possibly passed through route.
// This assumes that the controller receives $thing_id from the route.
$thing = Users::find(Auth::user()->id)->things()->where('id', '=', $thing_id)->first();
if( $thing ) {
// Display Thing
} else {
// Display access denied error.
}
The 3rd Option:
// Same as the second option, but with firstOrFail().
$thing = Users::find(Auth::user()->id)->things()->where('id', '=', $thing_id)->firstOrFail();
// No if statement is needed, as the app will throw a 404 error
// (or exception if errors are on)
Correct me if I am wrong, I am still a novice with laravel myself. But I believe this is what you are looking to do. I can't help all that much more without seeing the code for your "thing", the "thing" route, or the "thing" controller or how your "thing" model is setup using eloquent (if you use eloquent).
I think the functionality you're looking for can be achieved using Authority (this package is based off of the rails CanCan gem by Ryan Bates): https://github.com/machuga/authority-l4.
First, you'll need to define your authority rules (see the examples in the docs) and then you can add filters to specific routes that have an id in them (edit, show, destroy) and inside the filter you can check your authority permissions to determine if the current user should be able to access the resource in question.
I have a user update function and I allow users to change their email address but the same address must be unique in the database so, before I update, I must check if their new email already exists in the database but the query I use to check that returns the same row. Example:
user = User.query.get(1)
user.email = 'some#email.com'
if user.validate(): # The validate function performs a query to see if 'some#email.com' is already taken
user.save()
Now going into the validate function I have:
check = User.query.filter_by(User.email='some#email.com').first()
if check:
# email already exists
Problem is that check holds the same user I'm editing. Sqlalchemy submits the update to the database but under some sort of transaction so my query returns the same user I'm editing. I've solved this by creating a second session object but seems like an overkill. Any better ideas? Am I making sense?
Why not check, whether a user with a given e-mail address exists, before manipulating an existing user? You could e.g. write a standalone function for that:
def user_email_exists(email):
return (not User.query.filter(User.email=email) == None)
Then call user_email_exists before the attempt to change the user object.
...
# User object to alter
user = ...
# the new email address, which needs to be checked
new_email_addr = 'new#shiny.com'
if user_email_exists(new_email_addr):
raise SomeMeaningfulException() # or some `flash` message + a redirect
else:
user.email = new_email_addr
db.session.add(user)
db.commit()
...
The simplest way is probably just to add a second filter to the query inside your validate function. Instead of having it select any user with that email address, have it select any user with that email address and NOT the same username or user id. That way you're ensuring to only get a return if there is a different user with that email address.