I am creating user profiles (javascript webpage) that I store in a SQL database
Those profiles have a primary key ID that has auto increment feature.
When the user is creating its profile, he has to upload a file.
I'd like this file to be named id.ext, the problem is I upload the file through ajax during the creation of the profile, before the profile is saved in database as the user need to profide information about this file in order for the profile to be acceptable.
I could retried the max(id) in database and use it during my ajax upload but if 2 people are creating a profile at the same time : problem.
I've come up with other solutions :
naming the file bigrandom.ext and storing this name in database, but my boss absolutely wants id.ext
creating blank profile with an "uncomplete" flag + date at upload and run a batch each month to delete uncomplete entries in database
upload with id.ext, if the file already exist, name it id+1.ext and inform the webpage through json message in return of the POST query
As I think it's a common problem I guess there is some best practices about this, maybe even a feature from SQL I don't know.
A sequence object in the DBMS is far safer and more robust than taking your chances with MAX(id) +1. MS SQL Server has supported sequences since SQL Server 2012, and other database platforms have had them for an even longer time.
try adding a Guid field in the Table and create it when uploading the image. it will be unque always. U can save the image with this Guid as name.
Related
Is there anyway to like encrypt the url, I have a copy of a file that is stored somewhere else (var linkoffile = url where that file is saved) , and when a user requested for that file, I will make a copy of that url in another collection in mongodb and it has an expiration time , a time duration where that file will be available for that user, after that time , the copy of that url will be removed for that user (here I used TTL Indexes of mongodb). But Im thinking that since the url of that file is exposed in the frontend or in the client side, even if you removed the url copy in the mongodb , any user that already copied the url before it expired can still access the document, so im thinking of like encrypting the url so that user will not now where that file is coming.
Is there any way to achieve this? or is there any other solution that can also achieve what im planning to do?
i'm building a web application in node.js, and using mysql as a database, now, if i implement a login, how do i know what information to show in my pages, and of course how do i keep track of the user to show them different pages that retrieves data from the database, because all the queries i'm doing needs to take in consideration the user ID, which i guess i can get it in the login page since the username is unique, what is this called? i heared of sessions but don't know what they are and if they are what i need. and if i make a variable to store this id, where do i call it? in the app.js file? thanks
You can keep trace of the last id insert by calling an anonymous function in callback taking error and result as parameters. The last insert id will be in the InsertId property of your result.
See Retrieve last inserted id with Mysql
Hope it helps :)
In one of my applications users have an option to upload the document. In that process I upload the document on the server in specific folder and save the path in database column. After process successfully saved the file path column looks like this:
C:\wwwroot\myapp\documents\Document 03072017.pdf
This path should give me direct access to this file. However, now I have administrator portal where they should be able to download the file. Each record in database is saved with unique key. The document above for example has key column with the value 09824982. When I show records on the screen for administrators, I would only show the icon for the document type. For example if document is pdf they will see pdf icon. If document does not exist for that record then it will be blank. My question is what is the best way to process the download int his case? Ideally I do not want to show the document path to the user. If they use dev tools I do not want to display that document root. Is there approach to download the file based on the key that I showed above? For example send ajax request with that key and then look up in the database record pull the path and download the document? I use JavaScript/JQuery with ColdFusion 10 and Oracle database. In the past I used ColdFusion to download/deliver files to the browser. This time I have single page app and CF is only used on the back end. If anyone can provide some example or suggestion please let me know.
Basically my question is similar to this one:
How to secure php scripts?
with one slight difference, the other side is Shopify.
Background info:
Shopify user bought some credits (Audible style), and wants to know how many he has available. He logs in into his account, and it says there that he has X credits.
That number comes from AJAX call to my server (I have full control), where there is a simple php script which checks the value in db (which is updated using webhooks from Shopify, each of which needs to be verified so they are secure, I think).
The script uses customers ID for a look up, and that value needs to be passed to the script somehow, and that allows someone external to just keep running it until he has all IDs and corresponding credits values.
So, my questions is, how do I stop that? How do I ensure that only authenticated users can check it, and only for their IDs.
There is plenty of info on Shopify docs about securing the connections the other way, i.e. to make sure only correct scripts have access to the Shopify db, but nothing about my problem.
As far as I know I only I only have access to JS on Shopify, which creates the problem, because everything I send to my server is visible to all.
Thanks
EDIT: I just read up on CSRF. I can easily implement checks for origin and headers, but these can be faked, right?
EDIT 2: I got around this problem by using metafields. So, instead of storing all that info on my server's db, I just use Customer Metafields to store the available credits. Webhooks are secure so that's brilliant. It still doesn't solve a problem with the next stage though. Customers will still need to be able to use their credits and get digital products, which are generated by my server. So I still need to verify the requests.
EDIT 3: Comment by #deceze and answer by #Jilu got me thinking. Yes, you are correct, I need to do that, but I don't have access to back-end on Shopify, so I cannot create session. However, what I could do (if I figure out how in js) is hash it. PHP login scripts operate on password_hash. That way you do not store a password in the db. Password get's verified again hash (or whatever you call) in the db, and it's either true or false. If true, you are logged in. So I could try to generate a token using a specific string (make it very long) and user id. Send it with the request, and using password_verify or what not, check it against the users. The one that pops positive is logged in user who requested the information. That is assuming I can hide the string in the Shopify...
Step1: Do a session login system.
Step2: Before the Ajax, generate a random token in your form or request page, put it into a input display none, send it with POST.
Verify each time if the token is set and is the same that you got.
You have now verified if the user is really logged in with session.
And you checked that he is from the right page.
You create a token out of shared secret (both Shopify and server have it), and client ID.
On Shopify:
{% assign my_secret_string = "ShopifyIsAwesome!" | hmac_sha256: "secret_key" %}
My encoded string is: {{ my_secret_string }}
On server:
We gonna be checking received hash value against values in our db, so we need to hash local client IDs using the same algo and key (that probably should be done on receiving the Customer Creation webhook).
Hash IDs using: http://php.net/manual/en/function.hash-hmac.php
$hashed_id = hash_hmac('sha256', '$client_id', 'secret_key');
Compare hash using: http://php.net/manual/en/function.hash-equals.php
$check = hash_equals($hashed_id, $received_id);
Then all that's requires is to loop through the db until you find a match. There may be quicker ways of doing it.
This is wat needs to happen:
I need to get user information out a MySql database.
But i don't want to insert the password of my database in the php file. Because that file won't be hosted on my own server. Nobody must see that password when they access the server by ftp and edit the php file.
My first solution that didn't work was opening a php file from my own host and reading the output (i made a script that connects to the database and outputs a long string) and converted the output to an array by splitting the values.
This did not work because of security reasons in php.
I can't create a extra account for my database that has read-only access because my host won't allow me. (hostinger.co.uk)
I also thought about using a iFrame and load the file on my host. And read it using javascript to read it. But again, security won't allow me to edit it.
Does someone know a way to fix this?
OPTION 1:
Since you want to make sure your buddies server doesn't have access to the MySQL server info (username, password, etc), your safest bet is to connect to the database from your server, and just communicate between the two servers what needs to be retrieved.
As Darren mentioned in the comments, an API would do this just fine. Since there are a lot of open source libraries out there that can get the job done, I will recommend you one: pheanstalk
pheanstalk is a php client that works on top of the beanstalk library, which is basically a queue.
You could set up a queue on each server, and configure the communication to happen between the 2 servers. Then you would have worker.php scripts running every second (or 10 seconds or however so often you like) looking for commands being sent from 1 server, taking those commands in, processing them, and sending back the information to the main computer.
OPTION 2:
Instead of accessing your database, you can create a copy of yours, and have his server contain a copy.
Key points of option 2:
If his server isn't capable of carrying a full fledged MySQL database, there is MySQLi, which is very similar, but the only difference is that it is basically a file that you keep in your server. That is the benefit since it is LIGHT (hence the "i" from MySQLi). The downside is that the database isn't as "powerful", some operations might be limited, though that is to be expected, but good none the less.
If your friend has a database however, then better yet since it will have all the capabilities.
Now since I am assuming you would need to keep their copy of your database up-to-date, you can create a function that would send a request to your buddies server on what was updated. This is an API since it is intercommunication between processes behind the scenes, but probably wouldn't need any root access as some other API's might require.
Though the hastle here is that you would literally have to call that function every time you do any updates... :(
Edited:
OPTION 3
After talking a bit with the OP in the comments, another possibility came up. In his particular case, he might be willing to have a file in a public directory available for his buddies user to read. For example, lets say his file was located in:
http://www.example.com/hiddenfiles/dfjios4wr238##.txt
To access what is inside that file, you would have to know the name (and the name was specifically designed to work as a password, hence even though the information isn't sensative for the OP's specific situation, it's always best practice to stay consistent and think safe xD).
To access the file, the following could be done:
$path = 'http://www.example.com/hiddenfiles/dfjios4wr238##.txt';
$fileHandle = fopen($path, "r");
while ($line = fgets($fileHandle))
{
echo "--> {$line}";
}
fclose();