A little background info:
I am using Netbeans IDE 7.3, I have an SQL server running and I am trying to create a html application to insert data into the connected sql server/database structure.
I hope that made enough sense to see what I'm asking.
My question: I simply want to create a page on the HTML application
which asks a user to enter information about a person such as their
first name, last name, address, phone number, etc.
I want it to appear in this manner to the user:
First Name: [text area]
Last Name: [text area]
etc....
Then at bottom I want a submit button.
At this point the information in the fields above would be sent to the "person" table in the database with each column/attribute filled with the appropriate information above.
A new row is created in the table at this point.
How can this be done? Examples of code would be great if you know of any.
Thanks in advance.
That cannot be done with HTML alone, you'll need a scripting language like PHP to do the job.
Build a form and use PHP to process it (or some other scripting language, I use PHP):
<form method="post" action="path_to_script.php">
<label for="username">Username:</label>
<input type="text" name="username" />
</form>
PHP:
if(isset($_POST['username'])){
$username = $_POST['username'];
}
// Use $username as a parameter in your query
$stmt = $yourDatabaseConnection->prepare("INSERT INTO yourTableHere (usernameColumn) VALUES (:username)");
$stmt->bindParam(':username', $username);
$stmt->execute();
Learn more about prepared statements here
Related
At the moment i have htp.print and DBMS_output to show the me the end result of user input. however, htp.print shows the confirmed message on the web browser and my DBMS_output doesn't work for some reason. But what i'm looking for is the confirmation message which will pop up and show to the user. i have tried java script and for some reason that is not working either. below are the syntax.
-- button and input text field
HTP.FORMOPEN ('BANINST1.UAP.P_UNSUSPEND_SEARCH', 'post');
HTP.P ('<input type="text" method="post" name="bannerid" id="bannerid" placeholder="e.g. 000123456" maxlength="9"
autocomplete="off" required>');
HTP.FORMSUBMIT ('', 'Submit', cattributes => 'onclick="confirmMsg()"');
HTP.FORMCLOSE;
-- javascript confirmation message which is not working
htp.p ('<script type="text/javascript">
function confirmMsg() {
var field1 = document.getElementById("bannerid").value;
alert(field1+" has been unsuspended");
}
</script>');
Assuming you are looking for ways to generate log messages from the DB Backend, I see basically 2 ways to achieve this:
(1) Persist your messages to a table inside an autonomous transaction. A complete example can be found here.
(2) If you have access to the DB servers file system, you can also write messages to text files using the UTIL_FILE package.
After i knew how to secure upload image Bypassing forms input fields to upload unwanted files i would like to give another example of from with 2 filed, one of them are hidden.
SQL Table (id,name,jod,number)
CREATE TABLE `users` (
`id` bigint(20) unsigned NOT NULL auto_increment,
`name` varchar(255) default '0',
`job` varchar(255) default NULL,
`number` varchar(255) default NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
Form Code (support member will edit own informations)
<form action="send.php" method="post" name="send" id="send">
<input type="text" name="name" id="name" value="John"/>
<input type="text" name="job" id="job" value="Plumber"/>
<input type=hidden name="number" id="number" value="1234"/>
<input type="Submit" name="Submit" value="Submit"/>
</form>
Later there was an firefox extension that can bypassing different input to the server-side bypassing checking and might case a lot of damage so here it can stop the whole process and makes you able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.
That extension is working as following, It can fake input data before it passed to server side.
PHP Code Send.php
if(isset($_POST['send'])){
$name = mysql_real_escape_string($_POST[name]);
$job = mysql_real_escape_string($_POST[job]);
$number = mysql_real_escape_string($_POST[number]);
$sql= "update users SET name='$name',job='$job' WHERE number='$number'";
mysql_query($sql) or die("query failed: $sql".mysql_error());
echo "Update Done";
} else {
echo "Nothing to update";
}
The question
How then to protect this simple form from such input form ? ~ Thanks
this problems really hurts cause it made my website free to be hacked :)
If the user authorization is not an option in your cause, you could try the following techniques:
Set the hidden field with a hash of the number salted with some other information
Set the hidden field with the number encrypted (possible salt could increase security here also)
Of course it would add extra steps when sending the form HTML and validating the post information, but at least it would be much harder to the attacker fake a valid number on the post. Although it would not save you if the attacker knows the encrypted/hashed number of a different user unless the salted information withing the hidden field is used wisely.
You can't control what data people submit to your server.
You have to check, on the server, to see if the user is authorised to see the information or to make the change they are asking for.
For example:
able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.
The process would be something like:
Is anybody allowed to edit this field? If so, then OK.
Is the request coming from an authenticated user? If not, then return an error message and a login form
Is the request coming from the user with id=1? If so, then OK
If the request coming from a user who has admin permissions? If so, then OK
Return an error message.
If you have a form and any users to edit the values, this problem is going to be there. A better approach is to authenticate the users. Allow only the users who have logged in with an account to make the changes to their respective accounts.
Also, don't use mysql_query or anything like mysql_*, they are insecure and depreciated in php5.
A hidden field cannot be secured. It's 100% impossible to prevent malicious people from editing it.
The best you can possibly do is validate its data.
For the example field, the best you can do is make sure it's actually a number.
But that doesn't help any.
What you need to do is have the OLD data sent as hidden data. ALL of it. Complete with the old id.
Then you validate both the old and new data. Make sure there's no injected sql code in them. Having done this you would have
$name
$job
$id
$old_name
$old_job
all set. Then you can.
select * from users where name="$old_name" and job="$old_job
if you get back a row, then you can
update users set name="$name", job="$job$" where id=$id
Now, even if the user changes the ID, it won't do a thing, because the select will return 0 rows, ad the edit attempt will abort.
Now if someone happens to know all three fields for someone else's entry, they can still change it. The only way around that is force authentication, and have another database tying username/password pairs to IDs.
I am working on a small app using phalcon for php framework. I have implemented multiple controllers and models, but so far when I want to edit a user for example, i use a link that links to
localhost/myappname/User/edit/11 "user's id"
I was told this is not the best way to do this, and I am trying to do this without passing the id through the url, like using post method like in forms but without success so far.
Is this the only correct way to edit or delete an entry or it there something better?
I tried to search for the problem but couldn't figure how to name this question so I am yet to find an answered question.
If you don't want to let everyone access to edit page you can do this in a few ways.
Solution #1
You can use Phalcon ACL to block user's who has no permission to edit this page so only allowed people like managers can edit user or whatever.
See Access Control Lists ACL
Solution #2
You can crypt/decrypt user id so in URL it will not be readable by humans and then in edit method try to dectypt that id and if it is not a valid echo error.
<?php
use Phalcon\Crypt;
// Create an instance
$crypt = new Crypt();
$key = 'le password';
$user_id = 5;
$encrypt = $crypt->encryptBase64($user_id, $key);
// Use $encrypt for URL like Edit
// Use decrypt to get the real id of a user
$crypt->decryptBase64($encrypt, $key);
?>
In this way users will see URL something like
localhost/myappname/User/edit/nomGPPXd+gAEazAP8ERF2umTrfl9GhDw1lxVvf39sGKF34AFNzok31VdaT/OwADPPJ4XgaUNClQKrlc/2MfaXQ==
For more info see Encryption/Decryption
But my personal opinion is that it is better to go with ACL. After all ACL was made for that kind of things.
Note! If you want to use Encrypt/Decript remember to wrap decryption
in edit method in try/catch block and catch exception so you don't
get Error if someone tries to guess sone id.
Solution #3
If you still want to do that using POST then don't use Edit instead you can try something like:
<form method="POST">
<input type="hidden" name="uid" value="{{ user_id }}"/>
<button type="submit">Edit</button>
</form>
And then in edit method catch that id like:
<?php
$user_id = $this->request->getPost("uid");
?>
NOTE! In this way your URL will not contain user id but someone still
can POST another uid so you can try to hide that real user id even
from input type hidden. You can use again crypt/decrypt so input
hidden uid can be crypted and then decrypt post data in method.
you could use sessionStorage. It would store the value of the userId in the browser and be deleted as soon as they leave the page.
http://www.w3schools.com/html/html5_webstorage.asp
set on one page
sessionStorage.userId = 11;
access on another
var user = sessionStoarge.userId;
I'm having a lot of trouble trying to handle username / passwords from my HTML page. I've set up a basic page which uses:
<form action="myCFile.cgi" method="post">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Create Account" />
This information is sent to myCFile.cgi which of course in my actual code is an exact http address. I've confirmed that the information is successfully passed to the C file. Within this file I want to be able to check if that username already exists in an .ssv file that I have created (which is in the format: username password), and if it does not, I wish to append the document with the username and password information.
My trouble comes in trying to identify exactly what information being passed is the username. When "post" is used I know it sends information in the form:
username=xyz&password=abc
What is the best way to extract the username "xyz" from the above given that I won't know the length of the username? I want to stick only to C.
Thanks for your help
use strtok_s() or non-standard strtok_r() and strcmp(). Details left as an exercise for the reader.
Also, details of URLDecode are not handled.
You can use
strchr(text, '=')
strchr(text, '&')
(see C++ referrence to locate the borders of UN and PW. Be aware that these characters are encoded if part of the password (e. g. '&' is '%26').
I need to design database with frontend as HTML.
This is my first attempt to do this.
What I need is,
- User can input a word from HTML page, click submit
I will query the word to get a URL from database and user sees that webpage(pointed by URL).
Just enter word, submit and get the webpage displayed.
People suggested using JSP/Access. I am new to everything.
Can you please point out what exactly I need to do?
Thanks a ton.
Following is the way you need to approach
Step1:
Create an HTML page which can take an input from the users
Step 2:
After getting the data from the user, create a connection to the database and pass the searched string as an input paramater.
Step 3:
You will get a result set from a database
Step 4:
Iterate through the result set and display in the html page, if you require the url to be given for those url, so when user clicks So that he will be directed to those websites.
Sample Query:
Select * from table1 where url_Word like '%Search_String'
This will be the procedure that you need to follow to complete your work.
You do not need a database you need a text file. If this is a school project you need more information.