I am setting a cookie. Something like:
$_COOKIE['test'] = SHA1('124'.'mysalt');
Now 124 is my id which I want. So in my MySQL table, I am trying to run a query like:
$sql = ("SELECT * FROM users WHERE SHA1(`id`) = '".mysql_real_escape_string($_COOKIE['test'])."'");
How to add the "mysalt" to the SQL query? Because else I want get the correct id.
Use can use Concat() for that.
SELECT ... Sha1( Concat(`id`, 'mysalt') )=...
The query should be:
$sql = ("SELECT * FROM users WHERE SHA1(CONCAT(`id`,`mysalt`)) = '".mysql_real_escape_string($_COOKIE['test'])."'");
if I understand correctly what you're trying to do.
The solutions already provided probably will work just fine, however are you certain you want to do this? If the field "id" is really a distinct identification you can use "LIMIT 1" to stop mysql from searching thru all your items. Another thing is, why don't you use a separate precomputed field for this? I mean in every query mysql unnecessarily needs to compute all these sha1 values.. One last thing. I'm uncertain why you are using your approach, but my best guess is to implement some sort of session key. I thing this is a bad idea for a couple of reasons: If someone gets holds on your salt, he has access to all your accounts. If someone sniffs one "session" he can reuse it whenever he wants to. Choosing a weak salt could have serious consequences. HTH.
Use CONCAT:
$sql = ("SELECT * FROM users WHERE SHA1(CONCAT(`id`,'mysalt')) = '".mysql_real_escape_string($_COOKIE[''test''])."'");
Related
Sorry about the title, I wasn't sure how to word it
I'm wanting to make a instant messaging system with PHP (I've done ajax for it) but I'm not sure how to get the query, I'm wanting something like this:
"SELECT * FROM messages WHERE user='$to' AND sender='$username' OR user='$username' AND sender='$to'"
Does anyone know if this is possible? Or a mysqli_fetch_array for two invididual queries on the same variable.
You can use parenthesis to use multiple operations to work as single operation in query. This is the typical approach anyway, and very useful for using multiple AND, OR operators in a query.
For you case, query should be like
"SELECT * FROM messages WHERE ( user='$to' AND sender='$username' ) OR ( user='$username' AND sender='$to' )"
Notice that tho we used 4 conditions, but with parenthesis we shrieked it into 2 separate conditions and ultimately one OR operation in the query.
Some good reading about this stuff at this article in case you want to dig it more
After selecting some products a user clicked on proceed button. Now I need to display the selected data on next page. I was successful in getting the id's of selected data using the following code.
String[] array = request.getParameterValues("arrayid");
Now I need to query mysql database using "select * from table where id=?"
I can use this query in a loop. But is there any other or a better way to do this?
Use IN keyword while selecting as select * from table where id IN(comma separated ids)
String[] array = request.getParameterValues("arrayid");
String sql = "SELECT * FROM TABLENAME WHERE id IN ?";
PreparedStatement ps = con.prepareStatement(sql);
ps.setArray(1,con.createArrayOf("CHAR", array));
If your question is how to query for a set of IDs in a table, the other answers correctly refer you to SQL's IN keyword. However if you're asking specifically how to do it in Java, JDBC's PreparedStatement, which is the generally recommended way of executing queries in Java, does not make constructing these IN statements easy. I posted a suggested way to address this issue reasonably cleanly here: Can PreparedStatement.addBatch() be used for SELECT queries?
Delving into the documentation and the api, I seem to be missing how to update one field in multiple rows at once.
Something like
Table.select(:field).update("update to this").where(id: 4,5,6)
would be nice.
Does something like this exist? It would be much better than having to store everything in an array, set it to a value, and calling save every time.
You can use the update_all method, for example:
Table.update_all("field = 'update to this'", ["id in (?)", ids])
Evening all,
Before i make my site live i obviously want to ensure it's secure (or as secure as possible).
I have a search form, an opportunity for a user to upload an entry to a database, and that's about it i think.
So i just want to check what i should be doing to protect things. Firstly, my database is accessed by a dedicated user account (not admin or root), so i think i've got that part locked down.
Secondly, on all my search queries i have this sort of format:
$result = mysql_query(
"SELECT *
FROM table
WHERE fieldname = '" . mysql_real_escape_string($country) . "'
AND county = '" . mysql_real_escape_string($county) . "'
ORDER BY unique_id DESC");
Finally, on the $_POST fields from my submission form, i treat the variables with this BEFORE they are inserted into the database:
$variable = mysql_real_escape_string($variable);
$result = mysql_query(
"INSERT INTO table (columnone)
VALUES ($variable)";
Could anyone let me know what else i should be considering or whether this is acceptable enough?
Thanks in advance, as always,
Dan
The code looks fine, though you should look into using PDO prepared statements if at all possible.
Beyond that, make sure that whatever account your PHP code is using to connect to MySQL has the absolute minimum in the way of permissions. Most web-facing scripts do NOT need alter/drop/create type privileges. Most can get away with only update/insert/select/delete, and maybe even less. This way, even if something goes horribly wrong with your code-level security, a malicious user can't send you a '; drop table students -- type query (re: bobby-tables.com)
Everything you show looks fine in terms of protection against SQL injection, except for
$variable = mysql_real_escape_string($variable);
$result = mysql_query(
"INSERT INTO table (columnone)
VALUES ($variable)";
this desperately needs quotes around $variable - or as #Dan points out, a check for whether it's a number - to be secure. mysql_real_escape_string sanitizes string data only - that means, any attempt to break out of a string delimited by single or double quotes. It provides no protection if the inserted value is not surrounded by quotes.
Have you considered using like MYSQL PDO and bound parameters in your SQL?
http://php.net/manual/en/pdostatement.bindparam.php
My understanding is that this is considerably more secure that using mysql_real_escape_string.
I need to take a MySQL query and insert a string before each table name. The solution doesn't need to be one line but obviously it's a regex problem. It will be implemented in PHP so having programming logic is also fine.
Rationale and Background:
I'm revamping my code base to allow for table prefixes (eg: 'nx_users' instead of 'users') and I'd like to have a function that will automate that for me so I don't need to find every query and modify it manually.
Example:
SELECT * FROM users, teams WHERE users.team_id = teams.team_id ORDER BY users.last_name
Using the prefix 'nx_', it should change to
SELECT * FROM nx_users, nx_ teams WHERE nx_ users.team_id = nx_ teams.team_id ORDER BY nx_ users.last_name
Obviously it should handle other cases such as table aliases, joins, and other common MySQL commands.
Has anybody done this?
How big of a code base are we talking about here? A regular expression for something like this is seriously flirting with disaster and I think you're probably better off looking for every mysql_query or whatever in your code and making the changes yourself. It shouldn't take more than the hour you'd spend implementing your regex and fixing all the edge cases that it will undoubtedly miss.
Using a regex to rewrite code is going to be problematic.
If you need to dynamically change this string, then you need to separate out your sql logic into one place, and have a $table_prefix variable that is appropriately placed in every sql query. The variable can then be set by the calling code.
$query = "SELECT foo from " . $table_prefix . "bar WHERE 1";
If you are encapsulating this in a class, all the better.
This example does not take into consideration any escaping or security concerns.
First off, regular expressions alone are not up to the task. Consider things like:
select sender from email where subject like "from users group by email"
To really do this you need something that will parse the SQL, produce a parse tree which you can modify, and then emit the modified SQL from the modified parse tree. With that, it's doable, but not advisable (for the reasons Paolo gave).
A better approach would be to grep through your source looking for either the table names, the function you use to sent SQL, the word from, or something like it at script something to throw you into an editor at those points.