I have been searching for ages and couldn't find a way to encrypt my javascript variable, because its used for a password:
function lg() {
var input = document.getElementById("values").value;
if (input == pass) {
$("nil").replaceWith($("<success>" + "Success!" + "</success>"));
sleep(4000);
sleep(2000);
window.location.replace("http://google.com");
}
else if (input == "") {
$("nil").replaceWith($("<error>" + "Error: No input detected!" + "</error>"));
}
else {
$("nil").replaceWith($("<error>" + "Incorrect Password!" + "</error>"));
}
}
var pass="test3r"; // The one I need to encrypt
I don't think you would need my html or css as its just my javascript variable I need to encrypt. The variable I need to encrypt is my var pass one.
If your javascript is running on client side so it's not best decision to hold password in js code. And any user can just skip password check by editing code.
But if you really need this, only option I see is to use hash of password and some js library to create exact hash of user input.
For example if you will you md5 hash function (not really strong one, but there are lost of implementations in js) your password hash will look like a50bdfb74649a14c1f86b6d012f2caad
And password check will looks like if (md5(input) == pass) { ...
}
You should read about hash functions and use "salt" when hashing password to make decoding your password harder.
Related
On the site, the login is made using a code of the type if the entered password matches the variable in which the password is stored, then the person enters the site. How to protect the site from the magic F12 button? I.e. how to make the password impossible to find
out
p.s. I have never done anything like this so the experience is 0.
I wrote the code and don't know how to protect passwords.
function checkUsernamePassword() {
var username = document.getElementById("username").value;
var password = document.getElementById("password").value;
if (username == "admin" && password == "12345") {
window.location = "../index.html";
}
else {
window.location = "invalid-login.html";
}
}
Ordinarily, your approach would be easily bypassed.
However, with the WebCrypto API you can use strong encryption to protect the data that needs to be accessed with a password.
You'd use a salted PBKDF2 to stretch the password into a symmetric encryption key. Then, the data can only be accessed when the correct password is entered.
This approach relies on the password being of sufficient entropy to prevent a brute-force attack.
I am using sockets.io to insert user-generated messages into MySQL, but I'm running into issues inserting records with an apostrophe. I've been trying to use the replace() method on the client side script, but the input text is passing with the apostrophe.
socket.on('refresh feed',function(msg){
str=msg.replace("'", "\'");
alert(str);
$("#chtxt").append(str + '<br />');
});
The above attempt will alert any string without the special character, but does not alert when it exist. I believe that I'm actually alerting after the message has been sent to sockets.
So, I tried adapting this code which watches for the enter key press to also watch for the apostrophe, with no luck there either.
$('#omnibox').keypress(function (e) {
var key = e.which;
if(key == 13) // the enter key code
{
$('input[name = "clicky"]').click();
return false;
}
if(key == 222) // the apostrophe key code
{
alert('Apostrophe!')
return false;
}
});
I researched the question of how to replace special characters for MySQL using javascript but found outdated stacks explaining why client-side validation for this is not a good idea.
That's fine. If I shouldn't do this client side, I need to know then how to do it in my server.js node script, then. It is still javascript, so a solution on either side, provided it's secure would be great.
Server-side code:
var add_status = function (status,callback) {
pool.getConnection(function(err,connection){
if (err) {
callback(false);
return;
}
connection.query("INSERT INTO `videosub` (`url`) VALUES ('"+status+"')",function(err,rows){
connection.release();
if(!err) {
callback(true);
}
});
connection.on('error', function(err) {
callback(false);
return;
});
});
}
Thanks!
Don't do it
You are asking about the wrong solution to the problem.
To replace the apostrophes with backslash-apostrophes you might use:
str = msg.replace(/'/g, '\\\'');
but you should not do that. I am only providing that info because that's what your question asks about but read below.
Why it's a bad idea
You shouldn't do it on the client side and you shouldn't do in on the server side either. If avoiding SQL injection vulnerabilities was a simple matter of replacing apostrophes with backslash-apostrophes then it wouldn't be an issue. Unfortunately it's more complicated.
Having the info that you provided it's even impossible to tell whether backslash-apostrophe would even do what you expect in the first place without seeing your code that actually makes the database queries. But it doesn't matter because you should never ever do that. Never. See those answers to see why - those questions are not about SQL injections but the code examples included SQL injection vulnerabilities and the answers explain it:
cannot use backtick when using nodejs 7.3.0
Node js - Promise Rejection Warning when process a lot of data
Is it possible to listen for object instantiation in Node.js?
Obligatory comic strip
What you should do instead
That having been said, you didn't tell what module you're using to query the database but no matter if you're using the mysql module or Sequelize or anything worth its salt, there should always be a mechanism of interpolating variables in a safe manner without manually escaping and concatenating the strings.
Examples
You didn't show even a single line of code that is relevant here so I cannot tell you how to fix it but consider this example:
Unsafe:
connection.query(
"SELECT * FROM player WHERE nick = '"
+ data.login + "' AND pass = '" + data.pass + "'",
function (err, rows) {
//...
}
);
Still unsafe, complex, unreadable, unmaintainable and unreliable:
connection.query(
"SELECT * FROM player WHERE nick = '"
+ data.login.replace(/'/g, '\\\'') + "' AND pass = '" + data.pass.replace(/'/g, '\\\'') + "'",
function (err, rows) {
//...
}
);
Safe and simple:
connection.query(
"SELECT * FROM player WHERE nick = ? AND pass = ?", [data.login, data.pass],
function (err, rows) {
// ...
}
);
More info
For more info see the docs:
https://www.npmjs.com/package/mysql
http://docs.sequelizejs.com/en/v3/
I'm currently fetching a query (e.g, http://localhost:49781/HTML/index.html?inputName=Marcus) from a html form using this following JavaScript:
function setSignedName() {
if (window.location.search.indexOf("=") >= 0) {
var split = window.location.search.split("=");
document.getElementById("signed_in_name").innerHTML += split[1];
} else {
document.getElementById("signed_in_name").innerHTML = "Not signed in";
}
running the script will get the result: Marcus.
I want this string to be persisted through out my site, so when the user navigates to another page the inputName will still be Marcus.
What is the best way of achieving this?
Edit: This approach is only for display/non-production use, I know using a server side language like PHP is the best approach.
I believe the best way is using localStorage. It works in all major browsers and it's easy to use:
function setSignedName() {
var userName = "";
if (window.location.search.indexOf("=") >= 0) {
var split = window.location.search.split("=");
userName += split[1];
} else {
userName = "Not signed in";
}
document.getElementById("signed_in_name").innerHTML = userName;
localStorage.setItem("userName", userName);
}
To access it:
var userName = localStorage.getItem("userName");
And this is it. Check for it in the Resources tab in Developer tools(F12) in your fav broswer.
You'll want to either repopulate it through GET parameters in your server side language, or if you want to hack it together, use a cookie and repopulate it with JavaScript on page load with "pushState".
https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Manipulating_the_browser_history#The_pushState()_method
I use the nodejs bcrypt library for better password protection.
I am not sure i understand exactly how to use it, but i got this so far:
//A module containing this login function:
login: function(credentials,req,res) {
//"credentials" is containing email and password from login form
var query = 'SELECT password, email FROM users WHERE email = ? LIMIT 1';
client.query(query,[credentials.email], function(err, results) {
if (results[0]) {
//Compare passwords
if (bcrypt.compareSync(credentials.password, results[0].password)) {
//Set session data and redirect to restricted area
}
}
});
}
I removed all the error handling here in the example so that its easier to read the code.
1.This works and i am able to login and set the session. But is this all there is to it? Am i missing something?
2.Looks like the salt is prepended to the password when generating hash. Dont I have to save the salt in db?
Any help appreciated
Yes, this is all there is to it! The salt you generate when encrypting the password originally is used to prevent against rainbow table attacks; you do not need to persist it.
I'm using the built-in api for scripting against Google Spreadsheets to send some booking confirmations, and currently my script breaks if someone has filled in an invalid email. I'd like it to just save some data to a list of guests that haven't been notified, and then proceed with looping through the bookings.
This is my current code (simplified):
// The variables email, subject and msg are populated.
// I've tested that using Browser.msgBox(), and the correct column values are
// found and used
// The script breaks here, if an incorrect email address has been filled in
MailApp.sendEmail(email, subject, msg)
According to the documentation the only two methods on the MailApp class are to send emails and check the daily quota - nothing about checking for valid email addresses - so I don't really know what criteria must be fulfilled for the class to accept the request, and thus can't write a validation routine.
If you need to validate email addresses beforehand, create a blank spreadsheet in your drive. Then, run the function below, changing the testSheet variable to point to the spreadsheet you created. The function will do a simple regex test to catch malformed addresses, then check if the address is actually valid by attempting to temporarily add it as a viewer on the spreadsheet. If the address can be added, it must be valid.
function validateEmail(email) {
var re = /\S+#\S+\.\S+/;
if (!re.test(email)) {
return false;
} else {
var testSheet = SpreadsheetApp.openById(arbitrarySpreadsheetInYourDrive);
try {
testSheet.addViewer(email);
} catch(e) {
return false;
}
testSheet.removeViewer(email);
return true;
}
}
regex from How to validate email address in JavaScript?
Stay calm, catch and log the exception and carry on:
try {
// do stuff, including send email
MailApp.sendEmail(email, subject, msg)
} catch(e) {
Logger.log("Error with email (" + email + "). " + e);
}
On the otherhand, avoid Checking email in script and get rid of loses quota or try-catch etc. I used that I got a valid email when user attempt to send an email, by signing him in an email and got that email:
private void handleSignInResult(Task<GoogleSignInAccount> completedTask) {
try {
GoogleSignInAccount account = completedTask.getResult(ApiException.class);
String s = account.getEmail(); // here is the valid email.
} catch (ApiException e) {
// The ApiException status code indicates the detailed failure reason.
// Please refer to the GoogleSignInStatusCodes class reference for more information.
Log.w(TAG, "signInResult:failed code=" + e.getStatusCode());
}
}
Full procedure Here.
This answer is much later than this question was asked, but I piggy-backed off of remitnotpaucity's answer based on a comment in his answer. It does basically the same thing, adding the email to the spreadsheet and catching the error, however in my case it creates a new spreadsheet, attempts to add the user, and then after attempting to add the user, deletes the spreadsheet. In both cases, that the email is a valid email or not, it deletes the newly created spreadsheet.
Some things to note:
I am not as familiar with regular expressions, so I only check to see if the # symbol is within the email read into the function, and do not check for whitespaces.
I believe that even if it passes the first if-statement, even if it's not a valid email, an error will still be thrown and caught because Google will still catch that it's not a valid email, making the first if-statement redundant
If you are trying to validate an email outside your company, I'm unsure how it would react, so be fore-warned about that
This validation method takes a few seconds because you are creating and then deleting an email all within a single function, so it takes a fair bit longer than remitnotpaucity's
Most importantly, if you are able to, I would use an API. I believe that this one would work perfectly fine and should be free, it just may take some extra elbow-grease to get to work with GAS.
function validateEmail(email){
let ss = SpreadsheetApp.openByUrl(SpreadsheetApp.create('Email Validation Spreadsheet', 1, 1).getUrl())
if(!new RegExp('[#]').test(email)){
return false
} else{
try{
ss.addViewer(email)
} catch(e){
setTrashed()
return false
}
setTrashed()
return true
}
function setTrashed(){
DriveApp.getFilesByName('Email Validation Spreadsheet').next().setTrashed(true)
}
}