Using MD5 and CONCAT in MuSQL WHERE clause - mysql

I am creating a reset password procedure. this way:
1- Send reset email to the user (whom forgot his/her password), and this email contain a link to this address:
http://www.example.com/resetpassword.php?userid=1b2798bad6ee465d967cdb71ced504f7
The value of the parameter [userid] is generated by this PHP code:
<?php
md5($row_Recordset2['userID'].date('d-m-Y'));
?>
Note: I did this so that I can get a unique parameter value containing: The MD5 hash of the real user id + the current date (concatenation) , Why? so the link in the email will be available for the current date only. I do not want that link to work in the next day.
2- When the person click on the above link, he/she will be taken to the page [resetpassword.php]
3- In the page [resetpassword.php] page I have this piece of code:
$colname_Recordset1 = "-1";
if (isset($_GET['userid'])) {
$colname_Recordset1 = $_GET['userid'];
}
mysql_select_db($database_aaa_database, $aaa_database);
$query_Recordset1 = sprintf("SELECT * FROM users WHERE md5(CONCAT(userID,
DATE_FORMAT(NOW(),'%d-%m-%Y'))) = %s ", GetSQLValueString($colname_Recordset1,
"text"));
$Recordset1 = mysql_query($query_Recordset1, $aaa_database) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
The SELECT statement return [Query was empty] ... What is the problem and how to solve it?
I have tested this MySQL statement manually:
SELECT userFirstName, md5(CONCAT(userID, DATE_FORMAT(NOW(),'%d-%m-%Y'))) from users
And it return many rows, one of the rows is like this:
Sam 1b2798bad6ee465d967cdb71ced504f7
So, the:
md5(CONCAT(userID, DATE_FORMAT(NOW(),'%d-%m-%Y')))
works fine and it return the same exact value generated by the PHP code :
<?php
md5($row_Recordset2['userID'].date('d-m-Y'));
?>
PHP give: 1b2798bad6ee465d967cdb71ced504f7
MySQL give: 1b2798bad6ee465d967cdb71ced504f7
But this:
md5(CONCAT(userID, DATE_FORMAT(NOW(),'%d-%m-%Y')))
seems to be NOT WORKING in the WHERE clause:
sprintf("SELECT * FROM users WHERE md5(CONCAT(userID,
DATE_FORMAT(NOW(),'%d-%m-%Y'))) = %s ", GetSQLValueString($colname_Recordset1,
"text"));
By the way, I am using Dreamweaver.
I don't know how to solve this problem. Any help will be highly appreciated.

Related

Mysql validate and find the wrong emails

Suppose I have a table for user info records, each user may have email, but suppose instead of 'a#gmail.com', system inserted a#gmial.com or a#gmile.com and the same for yahoo, outlook, and hotmail.
But now I should find all the wrong emails, and replace the wrong domain name with correct one.
Something that i have tried before, but not bring the correct result:
select * from users where id not in
(select id form users where
strcmp(email,'#gmail') > 0 OR
strcmp(email,'#yahoo') > 0 OR
strcmp(email,'#hotmail') > 0 OR
strcmp(email,'#outlook') > 0
)
You can use the similar_text() http://php.net/manual/es/function.similar-text.php php function or the levenshtein(), i.e:
$users = //result from select * from users;
foreach($users as $user){
$u = end(explode('#',$user); //store the part of the email after '#'
echo "<br />Gmail:".similar_text($u,"gmail.com",$percent);
echo "<br />Yahoo:".similar_text($u,"yahoo.com",$percent);
echo "<br />Hotmail:".similar_text($u,"hotmail.com",$percent);
echo "<br />outlook:".similar_text($u,"outlook.com",$percent);
}
In this way, you will see the % of similarity between the emails, and then you can set the limit and replace the email for each email provider:
if(similar_text($u,"outlook.com",$percent) > 70){ //If the similarity is up to 70%
$user = substr(0,(str_pos($user,'#')-1))."#outlook.com"; //change the last part of the email for the desired one.
}
This is only a idea, i guess is not the better way to do it...
This would do what you want:
SELECT * FROM `users`
WHERE NOT(email LIKE '%#gmail%'
OR email LIKE '%#hotmail%'
OR email LIKE '%#yahoo%'
OR email LIKE '%#outlook%')
I would also suggest to extend your pattern a bit:
email LIKE '%_#gmail.__%'
This way you check also
There is at least one character before '#'
There is at least a two character domain extension
The obvious way to replace text is the REPLACE() function:
-- Untested
UPDATE users
SET email=REPLACE(email, '#gmile.', '#gmail.')
WHERE email like '%#gmile.%';
Repeat for each string (since it's a one time operation, trying to fit everything into a single query is just not worth the effort.)
In case you wonder, STRCMP(a, b)>0 is basically a convoluted replacement for a>b.
You can use strpos()
select * from users where id not in
(select id form users where
strpos(email,'#gmail') > 0 OR
strpos(email,'#yahoo') > 0 OR
strpos(email,'#hotmail') > 0 OR
strpos(email,'#outlook') > 0
)
Try this using INSTR:
select * from users
where
INSTR(email,'#gmail') +
INSTR(email,'#yahoo') +
INSTR(email,'#hotmail') +
INSTR(email,'#outlook')
= 0;
Did you realize that your nested query has FORM instead of FROM?
Anyway I would suggest you use LIKE instead of STRCMP.

Store Facebook Name in MYSQL

I need to store a users public facebook name in my MYSQL database, when they fill out a form in my canvas based application.
This is what I have, but for some reason the name never makes it into the database - everything else does..
$submit = $_POST['submit'];
if(isset($_POST['submit']) )
{
//form data
$name = $me['name'];
$q1 = $_POST['bromance'];
$q2 = $_POST['couple'];
$q3 = $_POST['prime'];
$email = $_POST['email'];
//register the user
$queryvote = mysql_query("INSERT INTO vote VALUES ('','$name','1','$q1','$q2','$q3','$email')");
I can succesfully echo out the users name by using $me['name'];, so I'm struggling to see why I cannot carry it through to my mysql_query. I've even tried populating it into a readonly field in the form, and inserting that value... again though, it never shows in the database.
I know the code I'm using is depreciated, but its needed for this project. Probably a silly error, but we all miss things!
Thanks!

User Search Query to SQL Where Clause

Are there pre-existing libraries that will take a user input and transform it into a SQL WHERE clause?
For example given a database that has columns first_name, last_name, and address the user could input something like:
John State St
and the library would build a query such that it would return rows that match a guy named John that lived on State St (or a guy named State that lived on John St, for that matter).
It could also support things like specifying the column:
first_name:John address:State
I have some simple code to handle some of these cases already but it's getting a little unwieldily. I would think there are some pre-existing solutions to this problem but I'm having a hard time finding them. Generally, the problem is how to enable the user to easily search a structured database with a single input field.
In this matter you can break down string as multiple values using string manipulation, and then search for each word in each column using "or" conditions.
additionally you can define index on columns so as to achieve faster search.
You might have tried this technique since you mentioned, but you have to look up each word in each column
Jquery UI autocomplete could be what you are looking for. the css along with it is also necessary please see this link http://api.jqueryui.com/autocomplete/ for the .js ans css needed.
$( "#myInputBoxId" ).autocomplete({
source: "search.php",
minLength: 2,
select: function( event, ui ) {
log( ui.item ?
"Selected: " + ui.item.value + " aka " + ui.item.id :
"Nothing selected, input was " + this.value );
}
});
and in search.php
<?php
include 'config.php';
$results =array();
$req = "SELECT product_name "
."FROM table4 "
."WHERE product_name LIKE '%".$_REQUEST['term']."%' LIMIT 5";
$query = mysqli_query($con,$req);
while($row = mysqli_fetch_array($query))
{
array_push($results,$row['product_name']);
}
echo json_encode($results);
}

Is it possible to have a textbox in which they input information to be searched in the column that they can also choose by use of a drop down menu?

For example, user wants to search the movie database, by director's last name, so the user will type in Smith and then in the drop down menu will choose Director's Last Name. I just need to know how to get the post variables into the SELECT --> WHERE function
$columnsch = $_POST["columnsearch"];
$contentsch = $_POST["contentsearch"];
$result = mysql_query("SELECT * FROM movies WHERE $columnsch ='$contentsch'");
if (!$result) {
die ("Database Query Failed: ".mysql_error());
I know the above code is incorrect but it gives the general idea of what I want to achieve.
Zdravko, Im really new to this, Im not sure where your lines of code for example the sql would fit in with what I have.
you can do 2 things: first is to generate the sql based on the search criteria:
sql = sql + 'WHERE ' + SearchField + ' = "'+ SearchValue + '";'
the other is to write sql like this:
WHERE (#SearchField = 'Director' and Ditector = #SearchValue)
OR (#SerarchField = 'Star' and Star = #SearchValue)
....

How to randomly select a line within msql in a table and display result on webpage and send result to 2 email addresses as well?

Basically I am setting up a subscription application of name and email on my website which I am currently building. I have tested out the subscription form and all is working as it sends the data to the msql database and into the appropriate table (subscriptions) then into the 2 fields (subscriptionname, subscriptionemail).
With this I wish to once a month randomly draw a line out of the fields (which would have their name and email) and display this (only their name along with some other text such as "name is the winner of this month's random draw" etc) on the homepage of the website. (Might do as TWO draws same time every month. Unsure yet).
I'd want this to also send an email to the winner using obviously the email address it has as well as send to a predefined email address to me. (This is so I know exactly who has won it as of course there could be 2 or more people with the same name so I would not know which one won it. So within this email it would simply provide me with the name and email so I could supply the prize.)
I really hope someone would be able to help as I am completely clueless as what to do as I know little in the world of codes especially something like this.
I am not sure what language you are using so I will write in python.
Rewritten in PHP
<?php
// your MySql specific parameters
$my_host = "localhost";
$my_user = "user";
$my_pass = "password";
$my_db = "test";
// Connecting, selecting database
$link = mysql_connect($my_host, $my_user, $my_pass);
mysql_select_db($my_db);
// Mysql fast random from http://wanderr.com/jay/order-by-slow/2008/01/30/
// Assuming MySql table called users
$query = "SELECT * FROM subscriptions T JOIN (SELECT FLOOR(MAX(ID)*RAND()) AS ID FROM USERS) AS x ON T.ID >= x.ID LIMIT 1;";
$result = mysql_query($query);
// get the user
$user = mysql_fetch_array($result, MYSQL_ASSOC);
$user_email = user['Subscriptionemail'];
$user_name = user['subscriptionname'];
// Free resultset
mysql_free_result($result);
// Closing connection
mysql_close($link);
//
// Email part
//
// specific to you
$HOST = 'My smtp server';
$my_email = 'me#my_domain.com';
$server = smtplib.SMTP(HOST);
$text = "Hello " + $user_name + " you have won the prize!";
mail($user_email, "You won!", $text, "From: " + $my_email);
$text = $user_name + " has won the prize! Their email is " + $user_email + ".";
mail($my_email, "New winner!", $text, "From: " + $my_email);