I am in the process of importing data from another application to ExpressionEngine. I know that EE expects screen_names to be unique as of Sept 2012.
The question is whether I have to make the username unique too or if I can use a combination of first name and last name (e.g. "johndoe") risking that there might be more then one "john doe" in the imported data.
Thanks for any hints.
Yes, username must be unique. In total, username, screen_name, and email all must be unique for a successful import using EE's member import utility.
This is not documented but you can confirm this (if you're curious) by looking at the validate_xml() method in system/expressionengine/controllers/cp/tools_utilities.php.
Related
I am working on a little package using PHP and MySQL to handle entries for events. After completing an entry form the user will see all his details on a page called something like website.com/entrycomplete.php?entry_id=15 where the entry_id is a sequential number. Obviously it will be laughably easy for a nosey person to change the entry_id number and look at other people's entries.
Is there a simple way of camouflaging the entry_id? Obviously I'm not looking to secure the Bank of England so something simple and easy will do the job. I thought of using MD5 but that produces quite a long string so perhaps there is something better.
Security through obscurity is no security at all.
Even if the id's are random, that doesn't prevent a user from requesting a few thousand random id's until they find one that matches an entry that exists in your database.
Instead, you need to secure the access privileges of users, and disallow them from viewing data they shouldn't be allowed to view.
Then it won't matter if the id's are sequential.
If the users do have some form of authentication/login, use that to determine if they are allowed to see a particular entry id.
If not, instead of using a url parameter for the id, store it in and read it from a cookie. And be aware that this is still not secure. An additional step you could take (short of requiring user authentication) is to cryptographically sign the cookie.
A better way to implement this is to show only the records that belong to that user. Say the id is the unique identifier for each user. Now store both entry_id and id in your table (say table name is entries).
Now when the user requests for record, add another condition in the mysql query like this
select * from entries where entry_id=5 and id=30;
So if entry_id 5 does not belong to this user, it will not have any result at all.
Coming towards restricting the user to not change his own id, you can implement jwt tokens. You can give a token on login and add it to every call. You can then decrypt the token in the back end and get the user's actual id out of it.
I'm new to MySQL.
I'm trying to create table "Customer" with attribute "Password".
I'd like to know is it possible in DDL to make a constraint,that password has to contain 5 chars, while the last one is digit(one of this: 0-9)
I have tried to search for the answer, but could not find one.
I'm pretty sure that I cant satisfy this condition, but I will be glad to hear an oponion of someone who understands better then me.
Thank you!
Your requirement should never be an actual consideration, because you should not be storing clear text passwords in your MySQL database in the first place. Instead, you should be checking password creation in your PHP server code (as well as possibly on the front end). If valid, you should be hashing your passwords irreversibly, and then storing the hash in the user table. Your exact specified requirements can be gotten using the following regex pattern:
^.{4,}\d$
This would match 5 or more characters of any kind, the last of which is a digit. For some more ideas on a better password strength, and how to write a regex for that, consider reading the canonical SO question
Regex to validate password strength.
Edit:
Given that it appears you are using SQL Server, if you really needed a clear text password column with your requirements, you could use a check constraint:
CREATE TABLE users (
id INT NOT NULL,
password VARCHAR(100) NOT NULL,
CONSTRAINT check_password
CHECK (LEN(password) >= 5 AND RIGHT(password, 1) LIKE '[0-9]')
);
Why not make a PHP page for the entries and place all restrictions on that page?
As in MySql, you can't have so many restrictions.
You can also sue MySql procedure for inserting values and place restrictions from there.
how are you?
I'm working on a project that contains accounts with mailing list.
The account has 3 packages he can buy. Each package has it's own settings. e.g.: first package the user gets 1 email per day, and in second package he gets 5 emails per day.
Another feature that I want is the opertunity to override some of the package settings. Which means, for one account I'll set daily email limit as 7.
One more feature I need in this system is email providers. I want the first package to get emails only from first provider, second package from 2 providers and so on.
So I have a problem designing my DB.
I created table emailSubscriptions which has EmailID and name.
I created table accountsGroup which only contains GroupId and name.
I created table accounts which has AccountID, GroupID (foreign key), Email, password and investment. (According to his investment he gets his package).
I've created table accountsSubscriptions which has SUBSCRIPTION ID, AccountID, EmailID and IsActive.
I created table packages which contains PackageID, GroupID, from investment and to investment, and all other package settings e.g. maxEmailsPerDay ....
Of course the end user has. GUI that he can see his settings and edit what he can according to his current package. The admin of the users has GUI too.
Any way, now I got stuck.
I thought about adding to accounts all package columns and then when I want to send emails, I'll take the settings from the group and where ever it's not 0 / empty just override, but the problem is when some settings are 0 / 1, then the column is default 0 and if the groupSettings is 1 for something and I want to turn it off I can't. So this is the first problem
The second problem is with allowed emails subscriptions ... Same problem actually.
I thought about adding to package the allowedEmails, but then it means when ever I send the emails I need to use LIKE operator - and this is not good for runtime.
So I really need you help... Hope you can help me.
Thanks !!
The requirements part lacks clarity, I'd say.
But let's go for it anyway.
Let's extract entities from this messy field of things.
Each entity would generally means one table.
Start from Account.
Account has Subscriptions. It is not clear what's the relation here: if it is 1:1 ("account can have only one subscription") - then reference to it is a part of the Account entity, if it is 1:n - then you'll need a special Account-Subscriptions relation table.
Now Subscription - it is defined by SubscriptionType, or Package, so there must be a table that contains these records (these limits and whatever else you want). Account or Account-Subscription table would refer to it to define what subscription(s) the Account have.
Then Providers - they're referred by SubscriptionType/Packages. If there could be more than 1 Provider per Package/SubscriptionType - then you need additional Package-Provider realtion table.
And finally, the Overrides. That's a trickier part because of the weak requirements on it, but as soon as they're overriding the Package paremeters, I suggest to keep the entity structure same to the package.
You may even place it into the same Package table, sorting 'em out by date, or assign them weights, always keeping the default Package record with the lowest weight.
Then, when you create an override, you copy the whole default record except for the overridden fields, and assign it next weight (or current date), and when you query it - group it and get the MAX().
There's no Email entity itself - but you didn't mention it in your requirements sections whatsoever.
So, that's pretty much it: Accounts, Subscriptions, (optional) Account-Subscription, Packages, Providers, (optional) Package-Provider, (optional, may be incorporated into Packages) Overrrides.
Works for you?
As we all know that cakephp has default save command for inserting record into the database.
But i want to know can i create my own save command in cakephp or modify the existing one.
Can I do this?
You must be asking why i'm asking why i'm saying that? let me give you an live example for this----
Suppose i have an textbox which contains the username entered by the user.I'm not taking this as unique, hence more than one user will insert same username(possible..).
Ex-My name is prakash Gupta and i'm taking the username 'prakash'. There will be other users also whose name can be prakash gupta and they will provide the same username.Now inorder to solve this i'm using random function and attaching some digits behind the username, so that
it will be different for every one.
Now 'save' command will take the username which i entered in the textbox and insert into the database but i want to insert the modified username into the database which i generated
by random function. can this be possible???
if yes let me know....
Normally you don't change the standard one but either add another one or use the beforeSave etc. hooks.
The save functions are part of the Models. Normally you modify them with: Behaviors. See: http://book.cakephp.org/2.0/en/models/behaviors.html They let you modify the models, saving etc. without having to code all directly into your models.
Based on your edit:
Unique constraint
As I see you want a unique username. There are multiple solutions for that. First make sure to set a constraint. Even your random() trick will possibly generate a duplicate since random can create also the same. So username.random(4) could generate multiple times: username1234. You cannot be sure.
Constraints should be set at for example your model level. Start this unique check with validations of CakePHP.
When do you know the username is already used
You will know when the validation failed. So first just validate the record. So before save call model::validate() to check whether your unique constraint is ok. If yes just save.
http://book.cakephp.org/2.0/en/models/data-validation.html
If not you can add your random string and check again. Call model::validate to see if it is now ok. This part could be implemented for example in a behaviour in the beforeSave() method.
Now you have a unique one save your record. Make sure to check whether it succeeded because it is possible that in the meantime another record with that username was added. In that case re-run the process.
Lots of work
It is hard because multiple clients can add data same time in a database before you even know. Most simple is to catch the error, so just call save with your username. If it fails because of your unique constraint add the random() string and try again and again. It should be possible to save. Trick here with your random string because if it is short and a username is used a lot you can run into issues. If your random string is 3 numbers you can have the same username 1000 times, from 000 to 999.
Other option
What you sometimes see is suggestions, the interface suggests some free names based on your username input. You still need the check though.
Another option
Just tell the user it is in use. Maybe add an ajax check so you can instantly show the result by validating the field.
In my every application i want to create a unique url for users profile as http://app.com/username .
I have the name of user is : 'Vijay Kumbhar' i can create http://app.com/vijay_kumbhar, but if there is another user registers with the same name then what will be better way of creating url for that user.
one way is to add vijay_kumbhar_1, but i dont think this is the proper way of creating a unique url
Can you please suggest me the better way of doing this.
Keeping in the User experience in consideration, firstly provide the user with unique id, through which you can identify the User easily. After that you can allow the User to opt for any new User Name (screen name), but there should be a check again that the user name has to be unique again. Depends upon your requirement. Do keep us posted what way you opted at last.
You can use the same approach as stackoverflow using
stackoverflow.com/users/unique-number/user-name
Usually user names must be unique. If you're using login in the URL, then they urls will be unique. It is common thing to prevent registering two users with the same login.
EDIT:
If you'd like to keep usernames not showing (e.g. for some security reasons), you can use in URL hashes from users logins, not the logins e.g.
app.com/mylogin > app.com/123123123
You keep your registered users most likely in some kind of a database. In SQL it is natural that every row has a unique ID. You could use such an ID as a part of the url, instead of an own running number for every name combination.
You definitely need to make sure you do NOT show the actual "username" in the URL if you have a publicly accessible URL.
If you use an ID number, just remember to avoid the error that Wordpress made - creating the user IDs sequentially, starting with the default admin user as "1".
That made it easy for hackers to query with something like
example.com/profile?author=1
That would return
example.com/admimuser
And show him the actual username of the admin... and then cracker starts pounding away trying to brute force the admin username's password.
And never show the login name to anyone or in any URL other than to the user or admins!