So I have a log in system that uses 3 inputs to log you in and all the details are in a SQL database. I want to know how to check if all three are true based on the first one but the only way I can think to do it is to use nested if loops.
After I've queried the database and input data into the I have 3 if statements which I know think can't be nested.
<c:forEach var="i" begin="0" end="3">
<c:if test="${param.Login == result.rows[i]['Login']}">
<c:if test="${param.Cust_Acc_No == result.rows[i]['Cust_Acc_No']}">
<c:if test="${param.password == result.rows[i]['password']}">
<c:set var="Greeting" value="Congratulations Mr.${result.rows[i]['surname']}" scope="session"/>
</c:if>
</c:if>
</c:if>
</c:forEach>
So I want to loop through all the tuples in the table and if the login entered matches the login of the tuple then look to see if the entered account number matches and then finally the password. Then the name of person will be stored in a greeting and they'll eventually be forwarded to the accounts page and greeted and they can see all their details. Any ideas? To either make this nested or how, if possible, I can use (not entirely sure how to use that though!)
I would not do those checks on my JSP page. If you want something custom for authentication I suggest to use a servlet to handle the parameters and see if you are dealing with an authorized user and use a filter to project your restricted content.
I also would like to advice you to think about using a security framework like Apache Shiro where you can create your own authentication handler.
Related
I have few checkboxes in my template whos value is the id of database row. I am using AJAX to post these values back and forth.
{% for item in sale_order_items %}
<tr>
<td class="text-center">
<input type="checkbox" name="saleorderitem" value="{{item.id}}">
</td>
</tr>
item.id for instance renders to 1. Now what if the user changes the value from 1 to 2 in browser using "inspect" and submits the form. what can I do at the frontend or django backend to prevent this and check if the user is submitting the same values as intended?
This depends on many different things but to take you back to the basics: When you create a function in order to bulletproof it out of any errors you use type and value checks.
I would think the best approach to this is to add some back-end checks. The form values returned would have to adhere a set of rule such as a value threshold. If the value returned is beyond that threshold then that would mean that something has changed in the HTML.
You add a check if it fails then the back-end would return an error. In collaboration with front-end you refresh the page and return an error message. It might be really terrible UX but an average end user would never change values using their inspector.
The other alternative is to use javascript to detect any kind of HTML/DOM mutations or changes which I would advice against. Having values to be checked against specific criteria (using the back-end) is best as it foolproofs info passed on to your server against any change.
I found a solution, in this scenario django session variable can be used to store data between requests. When I load the form, I set the session variable to the required values, then on form submission, I check the submitted values with the values in session variable. And it works.
I am working on a small app using phalcon for php framework. I have implemented multiple controllers and models, but so far when I want to edit a user for example, i use a link that links to
localhost/myappname/User/edit/11 "user's id"
I was told this is not the best way to do this, and I am trying to do this without passing the id through the url, like using post method like in forms but without success so far.
Is this the only correct way to edit or delete an entry or it there something better?
I tried to search for the problem but couldn't figure how to name this question so I am yet to find an answered question.
If you don't want to let everyone access to edit page you can do this in a few ways.
Solution #1
You can use Phalcon ACL to block user's who has no permission to edit this page so only allowed people like managers can edit user or whatever.
See Access Control Lists ACL
Solution #2
You can crypt/decrypt user id so in URL it will not be readable by humans and then in edit method try to dectypt that id and if it is not a valid echo error.
<?php
use Phalcon\Crypt;
// Create an instance
$crypt = new Crypt();
$key = 'le password';
$user_id = 5;
$encrypt = $crypt->encryptBase64($user_id, $key);
// Use $encrypt for URL like Edit
// Use decrypt to get the real id of a user
$crypt->decryptBase64($encrypt, $key);
?>
In this way users will see URL something like
localhost/myappname/User/edit/nomGPPXd+gAEazAP8ERF2umTrfl9GhDw1lxVvf39sGKF34AFNzok31VdaT/OwADPPJ4XgaUNClQKrlc/2MfaXQ==
For more info see Encryption/Decryption
But my personal opinion is that it is better to go with ACL. After all ACL was made for that kind of things.
Note! If you want to use Encrypt/Decript remember to wrap decryption
in edit method in try/catch block and catch exception so you don't
get Error if someone tries to guess sone id.
Solution #3
If you still want to do that using POST then don't use Edit instead you can try something like:
<form method="POST">
<input type="hidden" name="uid" value="{{ user_id }}"/>
<button type="submit">Edit</button>
</form>
And then in edit method catch that id like:
<?php
$user_id = $this->request->getPost("uid");
?>
NOTE! In this way your URL will not contain user id but someone still
can POST another uid so you can try to hide that real user id even
from input type hidden. You can use again crypt/decrypt so input
hidden uid can be crypted and then decrypt post data in method.
you could use sessionStorage. It would store the value of the userId in the browser and be deleted as soon as they leave the page.
http://www.w3schools.com/html/html5_webstorage.asp
set on one page
sessionStorage.userId = 11;
access on another
var user = sessionStoarge.userId;
I am currently trying to take a value from a drop down list, store it into a variable, and pass it into a controller's action result. When I run my code, the Index is supposed to store the value of the selected item in the dropdown box in the variable SelectedDistrict, then then go to the Query action. Query will take a variable of DistrictViewModel as a parameter and then use var school = getQuery(variable.SelectedDistrict) to go into the function I have. In the function however, it's saying that the variable sd is null whenever i debug. Maybe the value from the drop down box is not storing properly? In the end, I want to display in a table all of the schools in my school table that come from the selected district in the drop down. The table is not being populated because of the null value. Here is my code for more clarity.
District View Model:
School View Model:
Controller w/ getQuery function:
Index View:
Query View:
The table when I run my code:
The problem is that your controller method for Query is expecting some data to be passed in the form of an object, but you aren't passing anything to it. If it's a GET request (and it appears to be because you just set location.href on click), the values would need to be in the query string. Alternatively you can make your form POST to that controller action instead.
You'll need <form> tags. You can GET or POST to your controller method, it won't matter (model binding works either way). It depends on whether you want people to be able to deep-link directly to the search results or not.
<form action="#Url.Action("Query", "District") method="get">
#Html.DropDownListFor(m => m.SelectedDistrict, Model.Districts)
<button type="submit" value="Submit"/>
</form>
That pretty much should do it, or at least get you on the right path.
I need to find where the form is nestled within the code so I can remove a field.
I found the if statements that do the function, but I can't locate where the form is pulled from. THe component I use to process payments doesn't have any fields to adjust, so I have to go to the code.
https://www.chosenpeople.com/main/donate/index.php?option=com_dtdonate&controller=authorizenet&task=authorizenet&Itemid=360
This is the function that pulls the form. . .
if($row->paymentmethod =='authorize.net' && $paymentfrequecy!="once" && $paymentfrequecy!=""){
if(isset($_POST['donations']) && isset($_POST['startdate'])){
$adminmsg.="<tr><td>".JText::_( 'DT_START_DATE').":</td><td> ".$_POST['startdate']."</td></tr>";
$adminmsg.="<tr><td>".JText::_( 'DT_NUMBER_DONATIONS').":</td><td> ".$_POST['donations']."</td></tr>";
Controllers will trigger execution of other views, models etc.
You controller is named something like
/components/com_dtdonate/controllers/authorizenet.php
You need to look at its code (the authorizenet() function) to know what it's doing.
It should be loading the form either from
/components/com_dtdonate/models/forms/authorizenet.xml
or something similar, or building it in code in a view (the view name should be apparent in the controller function you just looked at) i.e.
/components/com_dtdonate/views/someviewname/tmpl/default.php
I am new in java, I am developing an application, where I found some difficulties. Can anyone tell me how to check that an array is set or not, means the array is exist or not.
Actually I'm getting error when I run my jsp page which contains a listing of data with a HTML form. When I submit the form and get results it works fine, but very first time to open the page it doesn't get that resultant array and give the error.
Thanks in advance.
You should be checking if the array is empty or not like this:
<c:if test="${!empty array}">
//list the array
</c:if>
empty is an EL operator which return true if array is null or empty.
You can check whether a variable has been initialized or not by checcking if == null or not.