I am wondering about the right way of validating data on client and server side.
I have a spreadsheet, made with the JExcel add-on, and I have to check whether any user has changed the headers. The spreadsheet data is generated using a pivot function in the database, so the column count and order would vary.
I locked all possibilities of header editing by ordinary users, but if someone knows how to use the console, it may be unlocked. The pivot is similar to the picture below:
JExcel loads the data from dynamic JSON generated by a PHP script. I can calculate a "checksum" for the header order, but how do I validate it when the user updates the spreadsheet? I have to validate that the user sends a spreadsheet based on the same pattern.
How to do it in best way?
EDIT:
I created process logic:
When the data is requested by the user, PHP generates a datahash and assigns it to the PHP session_id.
The session_id is encoded with MD5, as is the datahash, and everything is saved to a MySQL database.
The datahash is passed via HTTP headers with the AJAX response (to deliver the hash for client-side verification).
After the data is sent back, the server reads all hashes generated within the current PHP session.
If any hash matches, the data is valid. This solution is good, because I only need to know whether this data has been sent to the user.
You can use some JWT to sign your data in the server-side.
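An added example (not from the original thread) of the signing idea in this answer, written for Node.js rather than the asker's PHP: the server issues an HMAC-signed token over the header order and checks it when the spreadsheet comes back. It is a compact signed token in the spirit of a JWT, not a standards-compliant JWT; the function names, claim names and sample headers are assumptions.

```javascript
const crypto = require('node:crypto');

// Assumption: a secret that never leaves the server (constructed here per process).
const SERVER_KEY = crypto.randomBytes(32);

const b64url = (data) => Buffer.from(data).toString('base64url');
const sha256Hex = (value) =>
  crypto.createHash('sha256').update(JSON.stringify(value)).digest('hex');

// Issue a token binding the header order to one session and an expiry time.
function issueHeaderToken(headers, sessionId, ttlSeconds = 900, now = Date.now()) {
  const payload = b64url(JSON.stringify({
    sid: sessionId,
    exp: Math.floor(now / 1000) + ttlSeconds,
    hdr: sha256Hex(headers),
  }));
  const mac = crypto.createHmac('sha256', SERVER_KEY).update(payload).digest();
  return `${payload}.${b64url(mac)}`;
}

// Check the signature first, then the session, expiry and submitted headers.
function verifySubmission(token, submittedHeaders, sessionId, now = Date.now()) {
  const [payload, sig] = String(token).split('.');
  if (!payload || !sig) return false;
  const expected = crypto.createHmac('sha256', SERVER_KEY).update(payload).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(given, expected)) return false;
  // The payload is only parsed once its MAC has been verified.
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (claims.sid !== sessionId) return false;
  if (claims.exp < Math.floor(now / 1000)) return false;
  return sha256Hex(submittedHeaders) === claims.hdr;
}
```

Because the key stays on the server, a client that edits the headers in the console cannot produce a matching token, and the server does not need to store a row per generated hash.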
Can someone advise me how I can encrypt the XHR response with ColdFusion? I have some tables that I create with Datatable, BootstrapTable and a server-side function in a CFC. The problem is that the JSON that I get back is unencrypted, so anyone can see the column names and other sensitive information. As I don't have a lot of experience with ColdFusion and JS, I couldn't find a good implementation for this. Is an encrypt function better than a hash function? For the login part I created a hash system with a salted SHA-512 system. But I couldn't find a way to encrypt the JSON in the CFC and decrypt it in the front end with JS or CF. I use ColdFusion 9 Enterprise. Any advice is helpful.
You want to encrypt the data that's going to be displayed in the HTML anyway? To @AlexBaban's point, this is nothing to be concerned with. If you want to "hide" the actual database column names, just select them with an alias: select tableID as totally_not_my_pk_column.
You should only be returning data related to a logged in user's roles or privileges. There should be no "sensitive information" returned that they aren't allowed to see.
Update:
For example, if I enable sorting for 2 columns and I set a different name, then when I try to sort one of those columns it will break, because the query is run again to display the new set of data and it needs the name of the column.
How are you handling the data submissions? If you submit to a function with arguments, you can do data type validation, data requirement validation and abstract out the communication between the grid control and the database. If your function argument was sort_column, you pass the grid's sort control value and handle mapping the "alias" to the column's real name in your query.
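An added sketch of the argument validation and alias mapping this answer describes, in JavaScript rather than the asker's ColdFusion; it is not code from the thread. Only `sort_column` comes from the answer: the alias table, the `alias:direction` format and the `page`/`page_size` arguments are assumptions.

```javascript
// Aliases the grid may send -> real column names (constructed sample schema).
const COLUMN_ALIASES = new Map([
  ['id', 'tableID'],
  ['name', 'customer_name'],
  ['created', 'created_at'],
]);

// Validate grid arguments and build the only SQL fragments that cannot be
// bound as query parameters. Anything not on the allowlist is rejected.
function parseGridRequest(args) {
  const page = Number(args.page ?? 1);
  const pageSize = Number(args.page_size ?? 25);
  if (!Number.isInteger(page) || page < 1) {
    throw new RangeError('page must be a positive integer');
  }
  if (!Number.isInteger(pageSize) || pageSize < 1 || pageSize > 100) {
    throw new RangeError('page_size must be between 1 and 100');
  }
  // Accept one spec or a list of specs, each "alias" or "alias:asc|desc".
  const sorts = [].concat(args.sort_column ?? []).map((spec) => {
    const [alias, dir = 'asc'] = String(spec).split(':');
    const column = COLUMN_ALIASES.get(alias);
    if (!column) throw new RangeError(`unknown sort column: ${alias}`);
    if (dir !== 'asc' && dir !== 'desc') {
      throw new RangeError(`bad sort direction: ${dir}`);
    }
    return `${column} ${dir.toUpperCase()}`;
  });
  return {
    orderBy: sorts.length ? `ORDER BY ${sorts.join(', ')}` : '',
    limit: pageSize,
    offset: (page - 1) * pageSize,
  };
}
```

The real column names never appear in the JSON sent to the browser, and sorting keeps working because the alias is translated back on the server.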
I have been working on a library which enables a website to add a comment section to its pages.
The idea was to keep it as lightweight as possible, thus I preferred to use JSON for basic data storage like a comment's message, website and username. All of this data is public and can be accessed directly via JSON. I don't mind this since comments are going to get displayed publicly anyway.
However, the problem arises when I want a user to be notified when someone replies to their comment. Email is there in the input field but I don't want it to be stored in the public JSON file. Is there any other server-side data storage schema where I can store the email privately and at the same time use those emails from server-side scripts to send email?
MySQL and others will make the library clunky, so that's out of the list.
Or even beside these conditions is there any other possible way to do this?
What you need is APIs and not a data source. A data source is a truth where all data lives. Like in your example, if you have email in your data, it will always be there. Unless you keep email field separately.
The way is to create an API that will output the required data from the JSON files (or database). You can choose to hide the data that you don't want to show.
This way, you only expose the API, instead of the file name directly, which has risks of being modified or altered or hacked very easily.
Another way, without using an API, is to have multiple JSON files.
One file will have the basic data, and the other will have the confidential data, along with a foreign key, like a unique key, that'd map the confidential or other data to the main record.
Example:
Comments.json:
{
  "comments": [{"userId": 1, ...}, {...}]
}
CommentDetails.json:
{...}
Users:
{
  "1": {"username": "", "email": "asdas@asdas.com", ...}
}
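An added Node.js example (not code from this answer) of the two-file layout described above: the public comment record and the e-mail address are written to different directories and joined by a generated id. The file name emails.json, the directory arguments and the function names are assumptions; the private directory is assumed to sit outside the web root.

```javascript
const fs = require('node:fs');
const path = require('node:path');
const crypto = require('node:crypto');

// Read a JSON file, returning `fallback` if it does not exist yet.
function readJson(file, fallback) {
  try {
    return JSON.parse(fs.readFileSync(file, 'utf8'));
  } catch (err) {
    if (err.code === 'ENOENT') return fallback;
    throw err;
  }
}

// publicDir is served to browsers; privateDir is readable by scripts only.
function saveComment(publicDir, privateDir, input) {
  const id = crypto.randomUUID();
  const publicFile = path.join(publicDir, 'comments.json');
  const store = readJson(publicFile, { comments: [] });
  // Only explicitly listed fields reach the public file; email is never copied.
  store.comments.push({
    id,
    parentId: input.parentId ?? null,
    username: input.username,
    website: input.website,
    message: input.message,
  });
  fs.writeFileSync(publicFile, JSON.stringify(store, null, 2));
  if (input.email) {
    const privateFile = path.join(privateDir, 'emails.json');
    const emails = readJson(privateFile, {});
    emails[id] = input.email;
    fs.writeFileSync(privateFile, JSON.stringify(emails), { mode: 0o600 });
  }
  return id;
}

// Server-side lookup used when a reply to `commentId` arrives.
function emailForComment(privateDir, commentId) {
  const emails = readJson(path.join(privateDir, 'emails.json'), {});
  return Object.hasOwn(emails, commentId) ? emails[commentId] : null;
}
```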
You can use a database like MongoDB, that stores JSON documents, to keep the data of users and comments.
Then, the users collection will not be sent completely to the user, filtering the emails and other sensitive data.
Create a second JSON file, or CSV file for that matter, which is kept private, that maps users to their emailIDs.
Interesting project you are attempting, btw. Good luck!! :)
Why not just use a .htaccess in a directory where the data is stored and use something like "Deny from All"?
Your scripts could access then, but no user's browser.
Assuming there will be a mail server involved, can you host a web service with two endpoints?
Endpoints:
sends emails; takes a sender GUID instead of an email address
stores an email; takes an email address and returns a sender GUID
This web service could then be used by your library from any www-accessible server. At the web service host the emails could be stored in the format of your choice. You will also want to secure your web service to prevent others from triggering mail notifications.
The use case is: the user will request some data, the user can edit that data, and the user can persist the data on the server side. In this scenario I want to have some integrity of data. Here a legitimate user can resend the request from the developer tools, putting some malicious values (the user is editing in a rich text editor) in the JSON data.
To resolve this I am using an approach of calculating the MD5/SHA256 of the JSON data and sending that hash along with the data; on the server side I recalculate the hash from the data and compare it with the input hash. To make it tough I am using a salt while generating the hash. The approach I am using is: when the user logs in, create a salt and store it in the user's session. When the user requests the page, I am sending the salt in ModalMap. When the user sends a request to persist that JSON data, I will use the salt+data to generate the hash.
Now, my problem here is I want the salt to be hidden from user. The EL evaluated attributes are visible to user from page source and same is the case for scriptlet or jstl.
So, is there any way of accessing some attribute secretly on a JSP page?
I understand that when a JSP gets parsed all those tags get evaluated.
Minification of JS will make it a little harder to find, but it will not be impossible to retrieve the salt value.
I also understand that I should have such logic at server side but the requirement is preventing me to do that.
If I cannot access attributes secretly, then is there any other approach of doing that?
I have not included any source code here because it's generic.
I am trying to make a webpage and server where a user can enter in recipes and have them sent to (using JSON) the server and have the server store them in a file so that if the server is closed and reopened the user can request for something they've entered previously and can get it. I know how to send the JSON object both to the server and how to send the JSON object back to the client. I should note this can't use jquery.
What I need help with is how to store it in a file server side and get the contents from it later using a node.js server. They should all be stored in the same directory and I need to know how to get a list of the recipes in that directory. I've tried looking around but I can't seem to find the answer :(.
Example:
user makes a recipe:
{ name: "cheese n waffles",
  time: 90,
  ingredients: "cheese, eggs and waffles",
  equipment: "stove"
};
Browser sends the JSON object to the server.
Client asks for a list of the recipes stored.
user asks for the recipe for spaghetti.
what I need help with:
server gets a list of the recipes it has stored
server takes the JSON object and stores it in /serverRootDir/recepiesStorage
server accesses /serverRootDir/recepiesStorage and gets the spaghetti recipe
You should be using a JSON-based database such as MongoDB.
It takes some learning; however, implementing this with a text file will eventually become much more work and will function poorly.
(Posted on behalf of the OP).
I have solved the problem. I will be using:
To read a file (access a recipe): fs.readFileSync() or fs.readFile().
To save a file (update a recipe): fs.writeFileSync() or fs.writeFile().
To get an array of files in a directory (retrieve the list of recipes): fs.readdirSync() or fs.readdir().
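An added example (not the OP's code) that uses the fs calls listed above and confines user-supplied recipe names to files inside the storage directory, since a name taken straight from a request would otherwise decide which path is read or written. The function names and the slug rule are assumptions.

```javascript
const fs = require('node:fs');
const path = require('node:path');

// Map a user-supplied recipe name to a file inside storageDir, or throw.
function recipePath(storageDir, name) {
  // Keep only [a-z0-9], so "../" and path separators cannot survive.
  const slug = String(name).trim().toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/^-+|-+$/g, '');
  if (!slug || slug.length > 64) throw new RangeError('invalid recipe name');
  const root = path.resolve(storageDir);
  const file = path.resolve(root, `${slug}.json`);
  // Defence in depth: the resolved file must sit directly in the storage dir.
  if (path.dirname(file) !== root) throw new RangeError('path escapes storage');
  return file;
}

// Store one recipe; returns the key it can later be requested by.
function saveRecipe(storageDir, recipe) {
  fs.mkdirSync(storageDir, { recursive: true });
  const file = recipePath(storageDir, recipe.name);
  fs.writeFileSync(file, JSON.stringify(recipe, null, 2));
  return path.basename(file, '.json');
}

// Load one recipe by name; null when it has not been stored.
function loadRecipe(storageDir, name) {
  try {
    return JSON.parse(fs.readFileSync(recipePath(storageDir, name), 'utf8'));
  } catch (err) {
    if (err.code === 'ENOENT') return null;
    throw err;
  }
}

// List the keys of all stored recipes.
function listRecipes(storageDir) {
  return fs.readdirSync(storageDir)
    .filter((f) => f.endsWith('.json'))
    .map((f) => path.basename(f, '.json'))
    .sort();
}
```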
I am looking for a way to use AJAX and jQuery to store data from one form in another without losing the values. I want to be able to keep this data away from the front end user and allow them to remove the information should they wish to. I need to be able to get this information out when the user submits the data. I would like to be able to store the values in an associative PHP array if possible, for example:
<?php
$information = array(
"first_information"=>array(
"name"=>"Sam Swift",
"age"=>21
),
"second_information"=>array(
"name"=>"Example Name",
"age"=>31
)
);
?>
I would have used a database for this but because of volume this will not be possible. I want to keep the data away from the user so that they have no access to it at all, the data should be held where the user has no way to see it, access it or change it. This is due to the nature of the data and all of it should be as secure as possible.
Any information that you store client-side is naturally going to be accessible and mutable by the client. If this sensitive data is data that the user is entering, then you really shouldn't worry about them manipulating the data (because that is what they are supposed to be doing). If however it is data that is being sent by the server - and never displayed or used in that form by the client - this is data that should never leave the server in the first place.
Ajax is not specifically a solution to this problem - whether you send the data asynchronously (i.e., piecemeal with Ajax) or as a full HTTP post is immaterial. You need to store the sensitive data on the server only along with a session ID to associate it with the client session.
Without knowing exactly what data you are storing nor what you are doing with it, it is difficult to advise you how to proceed. You should rethink how you are structuring your application if you are sending sensitive data for the client to work with. The client should only ever see the input and the results. The processing should be done on the server.
For example: perhaps your user is adding an amount to a bank balance. The user enters the amount on the client, but you don't want the client to see or be able to modify the actual value. You could send the balance to the client, perform the addition operation, then send the total back to the server. Far better would be for the client to send the amount to add to the server, which would then add the value to the balance, and return a confirmation for the client to display.