I would like to install on my website a «verefied account» feature. But I wondered what was the best way to get there, with MySQL and PHP?
I tried to put a column «verified», in witch I post the badge picture name (verified.png), but by doing it this way, users with no verified account saw the space occupied by the badge, with empty space with an X in the upper left corner.
So, any idea on the best way to achieve this?
Thanks!
You need to go deeper. You are missing huge part of web design and PHP.
What's the correct way too implement this?
1- Add a Boolean/Bit "Verified" Column 0/1
2- In your PHP page, you need a simple condition:
If(Column("Verified") == True) {
echo '<img src=\"verified.png\" />'
} else {
//Nothing!
}
Create a column verified_account in your users table. When you want to validate an account, you should add something like YES or NO to the proper user. Then, on your page, you only have to call something like:
SELECT verified_account FROM users WHERE ID = $session_id
IF verified_account = YES
echo = YOUR_IMAGE_HERE
you can try to add a row to your mysql database that is of type ENUM, and set it value to 0 if not verified, and 1 if verified. Then check the value of the ENUM for that particular user and if it is one, display the image.
Related
I'd like to build a website which has the following features:
There should be a few fields which store numerical values.
These fields should be editable by anyone who visits the site
A second order feature which would be nice, but isn't necessary
It would be nice if when multiple people are visiting the site and one visitor updates a value, the webpage reloads for all visitors once the value is saved, updating the value seen for all users
How would I go about implementing the above?
I'm not sure what terms I should even be googling to approach this question, so any advice is appreciated.
To your first question:
const editMe = document.getElementById('edit-me');
editMe.addEventListener('input', () => {
const editedToInt = Number(editMe.innerHTML);
if (!Number.isInteger(editedToInt)) {
// Value is invalid
editMe.style.border = "2px solid red";
}
else {
// Value is valid. Do something with it...
editMe.style.border = "inherit";
}
})
<div id="edit-me" contenteditable>100</div>
The user can edit the content and only numbers are allowed.
To your second question:
You could save the value which the user has typed in your database. Also you need to use Ajax to check the value in your database every 5 seconds. If the value in your database is different than the value in the DOM, you will replace it.
So as the title says I'm curious, can user change the ID of an element through browser? I have a list of inputs - checkboxes, when you click on one of them ajax takes ID of that element and uses it to get data from database, so basically what I'm thinking is that if it is somehow possible to change the ID of the element my database wouldn't be secured. If that's possible, how I should protect it?
Okay, So I get the idea that it wouldn't be secured, If I'd use this way:
<?php
$mysqli = new mysqli("host", "user", "password", "database");
$usuario = $mysqli->real_escape_string($_POST["usuario"]);
$clave = $mysqli->real_escape_string($_POST["clave"]);
$sql=' SELECT * FROM usuarios
WHERE username="'.$usuario.'"
AND pass="'.$clave.'"
';
$mysqli->query($sql);
$mysqli->close();
?>
would it be enough, or there aren't actually safe enough way to protect data?
You are correct that this would be a security hole. The ID attributes could indeed be changed via the browser console.
Yes, they can change it or just make while request faked and you won't tell the difference. Rule of thumb here is NEVER trust any data that comes from user. It means - always validate, sanitize data on server-side, and always assume data that comes in request are there to fool/trick/hack you.
Yes. The user can do anything they like to the DOM once it is in their browser.
They can also execute any JS they like there.
You're worrying about the problem in the wrong place though. Your control ends at the edge of the webserver. Clients can make any HTTP request they like to it and include any id value they want. You need to address security there and not in the browser.
If you want to secure your database then you need to either allow no HTTP request to lead to the secret data being released / changed or you need to write server side rules that limit which HTTP requests can change them.
Typically this would involve Knowing Who The Request Comes From (Authentication) and Knowing Who Can Access Which IDs (Authorization).
A simple approach would be to keep a database that has a users table (including hashed passwords), a "things" table, and an ownership table (which has a column of user ids and a column of thing ids). If the request doesn't include a username and password you can cross reference from the thing id across the ownership table - return an error message instead of what was asked for.
I have a database structure where one of my columns (innerLink) has a URL within it.
So that innerLink column will have a URL structured as follows
http://www.123456.com/forums/showthread.php?t=123456
I wanted to change the http://www.123456.com to a wholly different URL --> http://789.123.com without affecting the rest of the URL structure (ie. /forums/showthread.php?t=123456 )
I need this change to hit every URL in that column that is on the 123456 domain. I have other URLs such as cnn.com or msnbc.com so I dont want those affected. The change should only be to make www.123456.com to 789.123.com
I've never done this type of manipulation with MYSQL before, so was hoping for a bit of guidance before I hose my entire database of about 4000 records :) I will be doing this through PHPMYADMIN
Thanks for any help!!
You want to use the REPLACE() string function
UPDATE `table` SET `innerLink` = REPLACE('www.123456.com', '789.123.com');
Hopefully this question isn't too naive...
I'm attempting to implement The Giving Lab API in order to allow users of my site to donate to charity.
Using a URL such a this:
https://www.thegivinglab.org/api/donation/start?donationtype=0&amount=10&charityid=84ed3c54-6d8c-41c5-8090-f8ec800f45a7&returnurl=mywebsite.com/
the user is directed to the donation page and then returned to the returnURL after the donation has been made.
I want to be able to add how much the user donated to my databases if they successfully complete a payment. Would it be possible to use the returnURL to do this? Ie could I use a returnURL in the form of mywebsite.com?q="amount_donated" and then use this to update my databases?
I can see that this would allow someone to update my databases by just entering the returnURL into their browser.
Is there a generally better method, that removes this problem?
Many thanks.
Dutch banks use a thing called a sha-sign (and they're probally not the first)
All you have to do is add a key which only you can know:
function makeSecureCode($var1, $var2){
$secretCode = 'example';
$secretKey = '';
$secretKey.= $var1 . $secretCode;
$secretKey.= $var2 . $secretCode;
return sha1($secretKey);
}
Then make the url like this: ?var1=foo&var2=bar&key=5e8b73da0b20481c1b4a285fb756958e4faa7ff1
And when you process the code after payment, makeSecureCode( $_GET['var1'], $_GET['var2']) should be equal to $_GET['key']. If not, someone changed it.
This is a simplefied version with only two vars. You can make it have more input arguments, or an array, whichever you prefer.
I need to design database with frontend as HTML.
This is my first attempt to do this.
What I need is,
- User can input a word from HTML page, click submit
I will query the word to get a URL from database and user sees that webpage(pointed by URL).
Just enter word, submit and get the webpage displayed.
People suggested using JSP/Access. I am new to everything.
Can you please point out what exactly I need to do?
Thanks a ton.
Following is the way you need to approach
Step1:
Create an HTML page which can take an input from the users
Step 2:
After getting the data from the user, create a connection to the database and pass the searched string as an input paramater.
Step 3:
You will get a result set from a database
Step 4:
Iterate through the result set and display in the html page, if you require the url to be given for those url, so when user clicks So that he will be directed to those websites.
Sample Query:
Select * from table1 where url_Word like '%Search_String'
This will be the procedure that you need to follow to complete your work.
You do not need a database you need a text file. If this is a school project you need more information.