I'm having a lot of trouble trying to handle username / passwords from my HTML page. I've set up a basic page which uses:
<form action="myCFile.cgi" method="post">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Create Account" />
This information is sent to myCFile.cgi which of course in my actual code is an exact http address. I've confirmed that the information is successfully passed to the C file. Within this file I want to be able to check if that username already exists in an .ssv file that I have created (which is in the format: username password), and if it does not, I wish to append the document with the username and password information.
My trouble comes in trying to identify exactly what information being passed is the username. When "post" is used I know it sends information in the form:
username=xyz&password=abc
What is the best way to extract the username "xyz" from the above given that I won't know the length of the username? I want to stick only to C.
Thanks for your help
use strtok_s() or non-standard strtok_r() and strcmp(). Details left as an exercise for the reader.
Also, details of URLDecode are not handled.
You can use
strchr(text, '=')
strchr(text, '&')
(see C++ referrence to locate the borders of UN and PW. Be aware that these characters are encoded if part of the password (e. g. '&' is '%26').
Related
Im trying to send a post request with a payload that includes a username and password. The post request works fine on its own but I'm not sure how to get the user and pass that are entered and use them with the post request. Trying to take the data entered into the html and use it in a view
I've looked around online and found something suggesting something similar to which doesn't fail but instead returns none:
username = response.GET.get['username']
password = response.GET.get['password']
I see this stack overflow:Django request.POST.get() returns None that definitely has the correct answer in it but I don't quite understand whats going on/what I need to do in order to get the result im trying for. I can see its something to do with that I have to post the data to the url or something for it to be eligible to grab from the above statements or something, but again, I don't really understand whats happening.
Honestly what im looking for here is an ELI5 of the answer from the link
This is what your template(html) should look like:
<form method="POST">
{% csrf_token %}
<input type="text" class="form-control" name="username">
<input type="password" class="form-control" name="password">
</form>
<input type="submit" value="Submit">
This is what your views.py should look like to use the 'POST' data sent from your form:
def myView(request):
if request.method == 'POST':
username = request.POST.get('username')
password = request.POST.get('password')
# to print on the console
print(username, password)
return render(request, 'myView')
In order to pass data from html to Django you need html forms.
There's a great tutorial about them in the Django documentation: https://docs.djangoproject.com/en/4.1/topics/forms/
At the moment i have htp.print and DBMS_output to show the me the end result of user input. however, htp.print shows the confirmed message on the web browser and my DBMS_output doesn't work for some reason. But what i'm looking for is the confirmation message which will pop up and show to the user. i have tried java script and for some reason that is not working either. below are the syntax.
-- button and input text field
HTP.FORMOPEN ('BANINST1.UAP.P_UNSUSPEND_SEARCH', 'post');
HTP.P ('<input type="text" method="post" name="bannerid" id="bannerid" placeholder="e.g. 000123456" maxlength="9"
autocomplete="off" required>');
HTP.FORMSUBMIT ('', 'Submit', cattributes => 'onclick="confirmMsg()"');
HTP.FORMCLOSE;
-- javascript confirmation message which is not working
htp.p ('<script type="text/javascript">
function confirmMsg() {
var field1 = document.getElementById("bannerid").value;
alert(field1+" has been unsuspended");
}
</script>');
Assuming you are looking for ways to generate log messages from the DB Backend, I see basically 2 ways to achieve this:
(1) Persist your messages to a table inside an autonomous transaction. A complete example can be found here.
(2) If you have access to the DB servers file system, you can also write messages to text files using the UTIL_FILE package.
After i knew how to secure upload image Bypassing forms input fields to upload unwanted files i would like to give another example of from with 2 filed, one of them are hidden.
SQL Table (id,name,jod,number)
CREATE TABLE `users` (
`id` bigint(20) unsigned NOT NULL auto_increment,
`name` varchar(255) default '0',
`job` varchar(255) default NULL,
`number` varchar(255) default NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
Form Code (support member will edit own informations)
<form action="send.php" method="post" name="send" id="send">
<input type="text" name="name" id="name" value="John"/>
<input type="text" name="job" id="job" value="Plumber"/>
<input type=hidden name="number" id="number" value="1234"/>
<input type="Submit" name="Submit" value="Submit"/>
</form>
Later there was an firefox extension that can bypassing different input to the server-side bypassing checking and might case a lot of damage so here it can stop the whole process and makes you able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.
That extension is working as following, It can fake input data before it passed to server side.
PHP Code Send.php
if(isset($_POST['send'])){
$name = mysql_real_escape_string($_POST[name]);
$job = mysql_real_escape_string($_POST[job]);
$number = mysql_real_escape_string($_POST[number]);
$sql= "update users SET name='$name',job='$job' WHERE number='$number'";
mysql_query($sql) or die("query failed: $sql".mysql_error());
echo "Update Done";
} else {
echo "Nothing to update";
}
The question
How then to protect this simple form from such input form ? ~ Thanks
this problems really hurts cause it made my website free to be hacked :)
If the user authorization is not an option in your cause, you could try the following techniques:
Set the hidden field with a hash of the number salted with some other information
Set the hidden field with the number encrypted (possible salt could increase security here also)
Of course it would add extra steps when sending the form HTML and validating the post information, but at least it would be much harder to the attacker fake a valid number on the post. Although it would not save you if the attacker knows the encrypted/hashed number of a different user unless the salted information withing the hidden field is used wisely.
You can't control what data people submit to your server.
You have to check, on the server, to see if the user is authorised to see the information or to make the change they are asking for.
For example:
able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.
The process would be something like:
Is anybody allowed to edit this field? If so, then OK.
Is the request coming from an authenticated user? If not, then return an error message and a login form
Is the request coming from the user with id=1? If so, then OK
If the request coming from a user who has admin permissions? If so, then OK
Return an error message.
If you have a form and any users to edit the values, this problem is going to be there. A better approach is to authenticate the users. Allow only the users who have logged in with an account to make the changes to their respective accounts.
Also, don't use mysql_query or anything like mysql_*, they are insecure and depreciated in php5.
A hidden field cannot be secured. It's 100% impossible to prevent malicious people from editing it.
The best you can possibly do is validate its data.
For the example field, the best you can do is make sure it's actually a number.
But that doesn't help any.
What you need to do is have the OLD data sent as hidden data. ALL of it. Complete with the old id.
Then you validate both the old and new data. Make sure there's no injected sql code in them. Having done this you would have
$name
$job
$id
$old_name
$old_job
all set. Then you can.
select * from users where name="$old_name" and job="$old_job
if you get back a row, then you can
update users set name="$name", job="$job$" where id=$id
Now, even if the user changes the ID, it won't do a thing, because the select will return 0 rows, ad the edit attempt will abort.
Now if someone happens to know all three fields for someone else's entry, they can still change it. The only way around that is force authentication, and have another database tying username/password pairs to IDs.
I am trying to develop a profile form in Joomla so users can update their information - including changing their password.
However, as can be seen in the below example, the dots just flow beyond the viewable string in the field. Is there a way I can show the correct number of dots for the users password? For example, a user with an 8 character password:
<form>
<input type="password" name="psw" value="********">
</form>
<form>
<input type="password" name="psw" placeholder="********">
</form>
I'm getting the input field populated as this:
PS I'm aware aware of identifying password length as in this question. However, with hashing/salting for the type of site this is that it is acceptable
Updated slightly to incorporate the comments.
In the first example (with "value") what you are doing is setting the actual value of the password to a series of '*' if the form is saved. Then the Joomla password field is doing what it does which is to obfuscate the new password.
I don't know if you can use a place holder give that the field has a value (although the value is not displayed). If it would the placeholder would be something like "Enter new password". The password will be automatically obfuscated as the user types it. However if a password already exists neither a placeholder nor a value would be rendered by the field.
From what I can tell you are talking about editing the profile, in which case there is an existing password.
The Joomla password field never displays back the original password once it has been set, it just provides a blank space for the user to change passwords if desired. If a user is changing their password they should just see an empty field and then one dot for each character they type. The password field cannot show the existing password because it is hashed in the database. There is no way for the field to retrieve the actual password, only the hashed password. The only way to get the real password is for the user to type it in.
You don't say where $pass is coming from but if you are pulling it from the database it is the hashed value and then it is going to be double hashed on save.
Is there really a good reason not to use the Joomla profile edit form? Or if there is not to just copy and modify it?
A little background info:
I am using Netbeans IDE 7.3, I have an SQL server running and I am trying to create a html application to insert data into the connected sql server/database structure.
I hope that made enough sense to see what I'm asking.
My question: I simply want to create a page on the HTML application
which asks a user to enter information about a person such as their
first name, last name, address, phone number, etc.
I want it to appear in this manner to the user:
First Name: [text area]
Last Name: [text area]
etc....
Then at bottom I want a submit button.
At this point the information in the fields above would be sent to the "person" table in the database with each column/attribute filled with the appropriate information above.
A new row is created in the table at this point.
How can this be done? Examples of code would be great if you know of any.
Thanks in advance.
That cannot be done with HTML alone, you'll need a scripting language like PHP to do the job.
Build a form and use PHP to process it (or some other scripting language, I use PHP):
<form method="post" action="path_to_script.php">
<label for="username">Username:</label>
<input type="text" name="username" />
</form>
PHP:
if(isset($_POST['username'])){
$username = $_POST['username'];
}
// Use $username as a parameter in your query
$stmt = $yourDatabaseConnection->prepare("INSERT INTO yourTableHere (usernameColumn) VALUES (:username)");
$stmt->bindParam(':username', $username);
$stmt->execute();
Learn more about prepared statements here