At the moment i have htp.print and DBMS_output to show the me the end result of user input. however, htp.print shows the confirmed message on the web browser and my DBMS_output doesn't work for some reason. But what i'm looking for is the confirmation message which will pop up and show to the user. i have tried java script and for some reason that is not working either. below are the syntax.
-- button and input text field
HTP.FORMOPEN ('BANINST1.UAP.P_UNSUSPEND_SEARCH', 'post');
HTP.P ('<input type="text" method="post" name="bannerid" id="bannerid" placeholder="e.g. 000123456" maxlength="9"
autocomplete="off" required>');
HTP.FORMSUBMIT ('', 'Submit', cattributes => 'onclick="confirmMsg()"');
HTP.FORMCLOSE;
-- javascript confirmation message which is not working
htp.p ('<script type="text/javascript">
function confirmMsg() {
var field1 = document.getElementById("bannerid").value;
alert(field1+" has been unsuspended");
}
</script>');
Assuming you are looking for ways to generate log messages from the DB Backend, I see basically 2 ways to achieve this:
(1) Persist your messages to a table inside an autonomous transaction. A complete example can be found here.
(2) If you have access to the DB servers file system, you can also write messages to text files using the UTIL_FILE package.
Related
I am trying to use an HTML number input field to validate a one-time code a user has. The one-time code is a Django model attribute under the user model, with the user object passed into the HTML template. Currently it is set up as such:
<input type="number" name="auth_code" value="" min="{{user.auth_code}}" max="{{user.auth_code}}" onchange="this.setCustomValidity('')" onkeypress="this.setCustomValidity('')" oninput="this.setCustomValidity('')" oninvalid="this.setCustomValidity('This authorization code is incorrect.')" required />
If the user's code is 100000, and I enter 100001, I get the oninvalid message (as expected). However, if I delete a digit (or the whole number), I get a message stating "The value must be user.authcode." Clearly I don't want this value shown.
If I set any message in the onchange or oninput field other than ('') (i.e. ('Enter a code.')), I can't validate any code (correct or incorrect). I run into the "This authorization code is incorrect." message even when validating 100000.
How can I get around this?
I have few checkboxes in my template whos value is the id of database row. I am using AJAX to post these values back and forth.
{% for item in sale_order_items %}
<tr>
<td class="text-center">
<input type="checkbox" name="saleorderitem" value="{{item.id}}">
</td>
</tr>
item.id for instance renders to 1. Now what if the user changes the value from 1 to 2 in browser using "inspect" and submits the form. what can I do at the frontend or django backend to prevent this and check if the user is submitting the same values as intended?
This depends on many different things but to take you back to the basics: When you create a function in order to bulletproof it out of any errors you use type and value checks.
I would think the best approach to this is to add some back-end checks. The form values returned would have to adhere a set of rule such as a value threshold. If the value returned is beyond that threshold then that would mean that something has changed in the HTML.
You add a check if it fails then the back-end would return an error. In collaboration with front-end you refresh the page and return an error message. It might be really terrible UX but an average end user would never change values using their inspector.
The other alternative is to use javascript to detect any kind of HTML/DOM mutations or changes which I would advice against. Having values to be checked against specific criteria (using the back-end) is best as it foolproofs info passed on to your server against any change.
I found a solution, in this scenario django session variable can be used to store data between requests. When I load the form, I set the session variable to the required values, then on form submission, I check the submitted values with the values in session variable. And it works.
After i knew how to secure upload image Bypassing forms input fields to upload unwanted files i would like to give another example of from with 2 filed, one of them are hidden.
SQL Table (id,name,jod,number)
CREATE TABLE `users` (
`id` bigint(20) unsigned NOT NULL auto_increment,
`name` varchar(255) default '0',
`job` varchar(255) default NULL,
`number` varchar(255) default NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
Form Code (support member will edit own informations)
<form action="send.php" method="post" name="send" id="send">
<input type="text" name="name" id="name" value="John"/>
<input type="text" name="job" id="job" value="Plumber"/>
<input type=hidden name="number" id="number" value="1234"/>
<input type="Submit" name="Submit" value="Submit"/>
</form>
Later there was an firefox extension that can bypassing different input to the server-side bypassing checking and might case a lot of damage so here it can stop the whole process and makes you able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.
That extension is working as following, It can fake input data before it passed to server side.
PHP Code Send.php
if(isset($_POST['send'])){
$name = mysql_real_escape_string($_POST[name]);
$job = mysql_real_escape_string($_POST[job]);
$number = mysql_real_escape_string($_POST[number]);
$sql= "update users SET name='$name',job='$job' WHERE number='$number'";
mysql_query($sql) or die("query failed: $sql".mysql_error());
echo "Update Done";
} else {
echo "Nothing to update";
}
The question
How then to protect this simple form from such input form ? ~ Thanks
this problems really hurts cause it made my website free to be hacked :)
If the user authorization is not an option in your cause, you could try the following techniques:
Set the hidden field with a hash of the number salted with some other information
Set the hidden field with the number encrypted (possible salt could increase security here also)
Of course it would add extra steps when sending the form HTML and validating the post information, but at least it would be much harder to the attacker fake a valid number on the post. Although it would not save you if the attacker knows the encrypted/hashed number of a different user unless the salted information withing the hidden field is used wisely.
You can't control what data people submit to your server.
You have to check, on the server, to see if the user is authorised to see the information or to make the change they are asking for.
For example:
able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.
The process would be something like:
Is anybody allowed to edit this field? If so, then OK.
Is the request coming from an authenticated user? If not, then return an error message and a login form
Is the request coming from the user with id=1? If so, then OK
If the request coming from a user who has admin permissions? If so, then OK
Return an error message.
If you have a form and any users to edit the values, this problem is going to be there. A better approach is to authenticate the users. Allow only the users who have logged in with an account to make the changes to their respective accounts.
Also, don't use mysql_query or anything like mysql_*, they are insecure and depreciated in php5.
A hidden field cannot be secured. It's 100% impossible to prevent malicious people from editing it.
The best you can possibly do is validate its data.
For the example field, the best you can do is make sure it's actually a number.
But that doesn't help any.
What you need to do is have the OLD data sent as hidden data. ALL of it. Complete with the old id.
Then you validate both the old and new data. Make sure there's no injected sql code in them. Having done this you would have
$name
$job
$id
$old_name
$old_job
all set. Then you can.
select * from users where name="$old_name" and job="$old_job
if you get back a row, then you can
update users set name="$name", job="$job$" where id=$id
Now, even if the user changes the ID, it won't do a thing, because the select will return 0 rows, ad the edit attempt will abort.
Now if someone happens to know all three fields for someone else's entry, they can still change it. The only way around that is force authentication, and have another database tying username/password pairs to IDs.
I am working on a small app using phalcon for php framework. I have implemented multiple controllers and models, but so far when I want to edit a user for example, i use a link that links to
localhost/myappname/User/edit/11 "user's id"
I was told this is not the best way to do this, and I am trying to do this without passing the id through the url, like using post method like in forms but without success so far.
Is this the only correct way to edit or delete an entry or it there something better?
I tried to search for the problem but couldn't figure how to name this question so I am yet to find an answered question.
If you don't want to let everyone access to edit page you can do this in a few ways.
Solution #1
You can use Phalcon ACL to block user's who has no permission to edit this page so only allowed people like managers can edit user or whatever.
See Access Control Lists ACL
Solution #2
You can crypt/decrypt user id so in URL it will not be readable by humans and then in edit method try to dectypt that id and if it is not a valid echo error.
<?php
use Phalcon\Crypt;
// Create an instance
$crypt = new Crypt();
$key = 'le password';
$user_id = 5;
$encrypt = $crypt->encryptBase64($user_id, $key);
// Use $encrypt for URL like Edit
// Use decrypt to get the real id of a user
$crypt->decryptBase64($encrypt, $key);
?>
In this way users will see URL something like
localhost/myappname/User/edit/nomGPPXd+gAEazAP8ERF2umTrfl9GhDw1lxVvf39sGKF34AFNzok31VdaT/OwADPPJ4XgaUNClQKrlc/2MfaXQ==
For more info see Encryption/Decryption
But my personal opinion is that it is better to go with ACL. After all ACL was made for that kind of things.
Note! If you want to use Encrypt/Decript remember to wrap decryption
in edit method in try/catch block and catch exception so you don't
get Error if someone tries to guess sone id.
Solution #3
If you still want to do that using POST then don't use Edit instead you can try something like:
<form method="POST">
<input type="hidden" name="uid" value="{{ user_id }}"/>
<button type="submit">Edit</button>
</form>
And then in edit method catch that id like:
<?php
$user_id = $this->request->getPost("uid");
?>
NOTE! In this way your URL will not contain user id but someone still
can POST another uid so you can try to hide that real user id even
from input type hidden. You can use again crypt/decrypt so input
hidden uid can be crypted and then decrypt post data in method.
you could use sessionStorage. It would store the value of the userId in the browser and be deleted as soon as they leave the page.
http://www.w3schools.com/html/html5_webstorage.asp
set on one page
sessionStorage.userId = 11;
access on another
var user = sessionStoarge.userId;
A little background info:
I am using Netbeans IDE 7.3, I have an SQL server running and I am trying to create a html application to insert data into the connected sql server/database structure.
I hope that made enough sense to see what I'm asking.
My question: I simply want to create a page on the HTML application
which asks a user to enter information about a person such as their
first name, last name, address, phone number, etc.
I want it to appear in this manner to the user:
First Name: [text area]
Last Name: [text area]
etc....
Then at bottom I want a submit button.
At this point the information in the fields above would be sent to the "person" table in the database with each column/attribute filled with the appropriate information above.
A new row is created in the table at this point.
How can this be done? Examples of code would be great if you know of any.
Thanks in advance.
That cannot be done with HTML alone, you'll need a scripting language like PHP to do the job.
Build a form and use PHP to process it (or some other scripting language, I use PHP):
<form method="post" action="path_to_script.php">
<label for="username">Username:</label>
<input type="text" name="username" />
</form>
PHP:
if(isset($_POST['username'])){
$username = $_POST['username'];
}
// Use $username as a parameter in your query
$stmt = $yourDatabaseConnection->prepare("INSERT INTO yourTableHere (usernameColumn) VALUES (:username)");
$stmt->bindParam(':username', $username);
$stmt->execute();
Learn more about prepared statements here