MySQL Security with PHP, javascript, and HTML? - javascript

Okay, I'm very new to web programming. I'm creating my own database-driven website. I'm attempting to setup an admin login to update the site's content. I'm worried about acessing my mySQL databse securely however.
I intend to have the database search for the given username, and then compare the password hash to the hash of the given password.
My worry is in setting up the connection to the mySQL datbase.
from what I see, the way to do this is via:
<?php
$myConn=mysqli_connect(host,user,pass,dbName);
>
Now I intend to pass this to javascript to check all the credentials but if this is defined in the HTML file, then the login details would be plain for all to see yes?
Or, should I define it in an external .js file that will to the checking? I'm still worried if that is safe enough?

I think you are a bit confused there so i will try to explain it very simple.
Front End - Client Side: HTML , CSS , JavaScript
Back End - Server Side: PHP , SQL
Everything on the Front End... can not be trusted, as it is accessible by everyone.
Then why we are validating with JavaScript?
Just to help users with typos... simple as that...
All your security, is at the Back End. You validate with PHP all the values submitted from the Front End and then you perform the required actions on your Database with SQL.
You should never pass anything to JS that you don't want your users to see/access. You should do that via PHP.
Does this help you/clear the things a bit?
PS: from my understanding you are creating a login for your project right? Find below some links with tutorials step by step that might help you.
http://www.phpeasystep.com/phptu/6.html
http://php.about.com/od/finishedphp1/ss/php_login_code.htm
http://www.wikihow.com/Create-a-Basic-Login-Script-in-PHP
http://www.homeandlearn.co.uk/php/php14p2.html
http://phpsnips.com/4/Simple-User-Login#.Uk41QYZmi-0
http://www.html-form-guide.com/php-form/php-login-form.html

Related

making router for parsing javascript request through php

I have seen this request
https://somesite.com/path/script.js?shop=xyz.com
https://somesite.com/path/script.js?shop=abc.com
the output for both requests are different
earlier I was thinking that .js file cant be treated like php and dynamic data cant be passed but I was wrong and some expert advised that its router which is passing these data and according to shop name they are serving.
I have php apache+ nginx server
can anyone tell how we can make this work. don't want to go with Nodejs as it won't allow to pass php code.
just for test i want to call above links and print this.
hi i am shop xyz
or hi i am shop abc
on respective calls.
can anyone share some details guidelines how to make router. any link any guide any advise will solv the purpose.
I have never dealth with such javascript ant it is damm easy in php extension but want to learn in javascript.

How to get the values of session using js

I want to know if the user has logged in or not and then display different elements of the navigation based on the username (login by email and password Not username). However, I have no idea how to deal with session. If php and html is separated in two documents, how can I store the required values using session in php document and then get them using javascript in html document? Or should I use cookies instead?
There are a several approaches to do this.
1) You can make a PHP file which will format your $_SESSION data, and all the other data you want as a JSON string (json_encode function in PHP lang). Then use echo to return it. Then use an AJAX request to get this file from javascript or JQuery, and you will receive the data you want. That's a bad approach for this purpose, from my point of view, because after loading the page you send another request to receive a static data, which will not change on the page like email or username.
2) Better approach: PHP is preprocessor hypertext. You can make an php file and write html tags in it, with php output(example: <div><?=$_SESSION['email']?></div>). Search for more info in google ("php inside html").
3) Much better. In modern web programming world its a mistake to use php inside html because you should think not only about how to make something work, you should think how you will maintain it after 3, 6, 12 months later, too. If you use just php inside html in a big project, then, with time, you realize that your code is hard to read and looks ugly. There are plugins that can make your view more readable and maintainable (Twig, Blade, Volt and others). I recommend you use one of them.
The session is a server side thing, you cannot access it using javascript. You can write an Http handler (that will share the sessionid if any) and return the value from there using AJAX

How do I populate form fields on a page from a database based on the page url?

Hello first I’d like to say, please excuse my ignorance to this all, as I’m very new to this all. I just started and still trying to understand this.
So far I have a database set up and I’m trying to retrieve values from a database to fill in a form on a page when it loads. The record or row/values that need to be retrieved from a database depend on the page’s URL.
I’m ok with html and css but still trying to learn more about jquery, JavaScript, sql, php and so on and so forth. I realize I have a ways to go and honestly some of the guides and tutorials online are kind of confusing because everyone has a different way of coding. So I’m a bit confused.
I’ve included a simple chart to breakdown what I’m trying to do.
If someone could point me in the right direction I’d be really grateful! Thanks.
If I understand you well, you want to setup a form and populate some fields of this form with a query forms a database, the primary key of the record being relative to the url.
The first step is to build the url, you can pass some parameters to an url by adding a ? at the end of the url followed by the parameter name, the = sign and the parameter value. If you have more than one parameter, you should separate each parameter with the sign &.
So your url could be something like this :
www.examplesite.com/page&.html?key=key_A1
Then, you'll have to choose if you want to build the page on the server side with a language like php, in which case you retrieve the parameter, query the database, build the html form and send it to the client.
You can also go client side with plain javascript or jquery, in which case you will still have to do some server side programming to query the database but will use an ajax call to get the data and will populate the fields in Javascript or JQuery.
You can do this using Javscript(using Ajax)
U need the key to search for get the results from database
Using ajax call get the data, You might have to write code to get the details from database using any server side prog language
Using javascript to fill the form input with the received data.
Google for jquery ajax examples, and how to populate input using javascript.
There are many frameworks out there that have DataBinding built-in that do the same job a lot easier. My favourite would be Angular Js, you can try Ember and lot more out there, choose the one you feel comfortable with.

Can I encrypt content so it doesn't appear in view-source, then show on pageload?

I've got a site where users extend their product trial with a registration code. They click a link (with a key in the URL) from an email, get to this site and a lightbox appears with their registration code. I'm currently displaying the registration code with HTML and hiding it with CSS. Once I check to make sure the URL has the correct key with javascript, I display the registration code. However, this means anyone can just view source on the page and copy the registration code. Is there a way to encrypt the code so it doesn't appear in view source, and then decrypt it if the URL has the correct key? It's one code per product, not per user, so I don't have to do any server side authentication.
If the computer knows it, the user knows it.
You can play obfuscation games, all of which amount to making your Javascript hard to read. But a sufficiently determined user will find it anyway, and once they do, they can easily share it with their friends.
One code per user is the only way to fix this reliably.
I check to make sure the URL has the correct key with javascript
Don't check the key client-side, validate the key on the server.
This is the only way to ensure only valid users get the registration code.
Pseudo PHP example:
if( validateKey($_GET['key']) ) {
echo 'The Registration Code';
} else {
echo 'Error';
}
Client Side Code is inherently insecure. Consider anything you send to a client machine public to the world, and don't trust anything that comes from the client until you cleanse it. A sufficiently determined user will de-obfuscate your code, regardless how much effort you put into the initial obfuscation routine.
Another tip to help you instead to show the registration code in the site you can send back an email to the user with the registration code.
And as Nemo suggest, the right way is one code for user
Hope it help
As mentioned before the client side will not cover your security needs.
Better would be to have the page send a Ajax request to the server containing the key, you can then respond with the registration code.
Even better would be to directly validate the key on the first request, then decide to return an error page or the page with the registration info.
As others have replied, doing this validation server-side is both easier and more secure.
You can have an AJAX request posting the URL key to a php page, that in turn would reply with the correct registration code.
That being said, there is always the possibility of using a client-side use encryption library (like AES), but from what i understand i don't think it would be a good approach to solving your problem.
Again, doing it on the server-side is both extremely easy and as secure as you need.
Encrypt your registration code (plus some magic cookie) with the key in the server before embedding it in your HTML. In your JavaScript, validate the key (which comes in the URL) by decrypting the registration code. If the magic cookie matches, then you get a valid key and you can display the registration code to the user.
View Source will only reveal the encrypted registration code. Without the key, the snooper has no way to extract the registration code.
This means that you'll have a unique key per registration code, which should be the case for your registration system. The key you send to the user in an email, embedded into a link which they click as you said.

how to do something like google-analytics

I need to make something like google-analytics, I mean that it has to be very simple to install and enables a comunication between 2 websites.
Let me explain the idea.
I'm developping an application (with ZF) where my clients will be online shops, OSCommerce only at the begining. Those shops need to get some info from my app's database, send me some info and propose to their clients to use my app's service.
What does the code needs to do:
if there is a certain $_GET param in the URL (that indicates that the user is coming from my site) -> starts a session in the shop and send me some info for my stats (IP, browser info, etc...)
if this user buys something during this sesion -> send me some info about the sale (total, id, ...)
during the checkout process (checkout-payment.php in OSC) give the possibility to the user (the shop's client who is also a member of my application) to insert his email+password from his my-application's account in order to get a discount in the order he's placing.
I know how to program all this, editing the shop's files, but my problem is that I have no idea about how to make it in the google-analytics way (give a small javascript to my customers to install in their store) and neither what to look for in google in order to find the information I need.
So, can anyone helps me to get in the right path?
Thanks in advance
Since you'll be needing to go cross-domain with this utility, you'll want to write your javascript piece for inclusion using JSONP. Your JSONP "call" could simply be made to some PHP script on your server by tacking on information obtained from window.location (like the query string, for example).
Maybe all you need is to give your customer an URL pointing to your js library? And than your library can work or better provide them with API to your service to get customer data etc.?
And yes - JSONP can help you with inter-domain comunication...

Categories

Resources