
Thread: How to update mysql_result(mysql_query("SELECT COUNT(*) FROM `table` for php 7.4

  1. #21

    Dear keyboard: I am so grateful for your detailed responses. I am learning so much. I have never used PDO before so have to watch some videos. This is helping immensely. I have made it to the point of sending the verification email but it is 4:50am and I can't keep my eyes open so must go to bed for now. I shall try for more tomorrow. Thanks again.

  2. #22

    No problem! Glad to hear you're learning new things.
    If you run into any obstacles, don't hesitate to ask.

  3. #23
    I was notified of Reflected Cross site scripting on my *.com website!

    Quote Originally Posted by keyboard:
    No problem! I did see your other post, but unfortunately, I have no experience with Tiny MCE so I didn't feel comfortable responding.



    What you're looking for doesn’t sound too complex. There are two simple options that I can think of:
    1. Allow users to register using their email address and a password. During the registration process, send them an email with a verification code to confirm they own the email. When they visit your site, they login using their email and password and the system then allows them to edit the entries associated with their email address.

    2. The user visits your calendar and enters their email address. The system emails them a temporary access code, and this code allows them to create/edit events with their email address.

    Option one is the more powerful option - it is a full login system, and they don't have to verify their email each time they want to edit their events.
    Option two is the simpler option - there is no persistent login system, but they must verify their email each time they want to access their events.
    Both options require sending emails. Is your webserver setup to send emails?


    Ah thanks, that helps a lot to clarify what you’re trying to achieve. I assume the events are already setup and stored in a MySQL database?


    For your scenario, I’d recommend adding a verification check on the PHP endpoint that is handling the editing of the calendar. The logic flow could be something such as:
    1. User visits your site and authenticates (either with email + password or one time code [see below])
    2. The server has now confirmed that the user owns the email address <x>. Store the validated email in the user’s session
    3. On the post-login page, query the database to select all entries where the email is <x>. Use the email stored in the session, not any input from the user. Generate the list of links and display it to the user
    4. Each calendar link points to the same PHP page with a get parameter to specify the calendar item they’re accessing. E.g. /editCalendarEvent.php?id=<y> (where <y> is the ID of the item).
    5. The user clicks one of the links and is redirected to /editCalendarEvent.php?id=<y>
    6. The script queries the database to get the details of the relevant calendar item. You check to ensure that the value of the email in the user’s session matches the email stored against calendar item <y> in the database. You will need to sanitise all input that the user can impact (to prevent injection attacks). This means sanitising both the id value <y> and the user’s email address <x>. You’d check that they have access when they first navigate to the edit page (to ensure they’re viewing the editing page for their event), and again when they submit the edit (to ensure they’re submitting an edit on a calendar item they own).

    A sample query for loading a calendar event only for the user who owns it is included below. Just note I haven’t tested it so there may be errors, and it also needs more stuff added to it such as validation / error handling. You’d implement a similar process for updating the value of an existing item in the database.
    I would highly recommend using prepared PDO statements, instead of MySQLi, as it has strong benefits including ease-of-use, security, and speed.

    PHP Code:
    <?php

    /*
        Please note that this example doesn't really account for error handling.
        Some of the code, such as the PDO connection, may throw an error such as PDOException.
        There's a lot of disagreement about how to handle errors in PHP.

        It doesn't really matter if you want to put it in a try/catch statement, or if you want to configure PHP to
        handle the error gracefully, or if you want to bind an error handler.

        All you need to make sure is that you don't display error messages + debugging info to the user.
        Log the error / debugging info and give the user a generic error instead.
        Interesting post here - https://phpdelusions.net/articles/error_reporting and some more opinions here - https://stackoverflow.com/a/6455041
    */

    session_start();

    //Update this to your connection parameters. If you're security conscious, you should move these values out of source code and into a configuration file. See https://stackoverflow.com/questions/97984/how-to-secure-database-passwords-in-php
    $dbHost = "localhost";
    $dbName = "db";
    $dbUser = "username";
    $dbPass = "password";

    try {
        $pdo = new \PDO("mysql:host={$dbHost};dbname={$dbName};charset=utf8", $dbUser, $dbPass);
        $pdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
    }
    catch (\PDOException $e) {
        //Don't print exception messages ($e) to users. See my comment at the top of the code for more info.
        die("Connection error");
    }

    //Customise your SQL query as required
    $stmt = $pdo->prepare("SELECT * FROM calendarEvents WHERE id=:id AND email=:email");

    //Even though using prepared statements protects from SQL Injection, you still need to validate both the ID and email! Don't use without validation!
    $stmt->bindParam(':id', $_GET['id']); //The calendar ID parameter from the URL
    $stmt->bindParam(':email', $_SESSION['email']); //The user's email (from session)

    //Execute the SQL query and fetch the matching row (if there is one)
    $stmt->execute();
    $calendarItem = $stmt->fetch();

    //That combination of event ID and user email doesn't exist in the database.
    //Could be a user trying to access someone else's event, or an event that doesn't exist, etc.
    if (!$calendarItem) {
        //Ideally you would gracefully handle this issue instead of using die
        die("That calendar event couldn't be found.");
    }

    //$calendarItem now contains the item you want to display.
    ?>

    Please feel free to ask more questions, or for help with specific code.
    Dear keyboard: I hope you aced your exams! Since we last chatted, I have been super busy with other demands on my time so haven't progressed with my login script. Last night I received emails from OpenBug Bounty informing me that they were able to hack my site. They even sent me my password! This is what one of the emails said...

    This is reflected cross-site scripting on the https://calendarmaui.com startdate= endpoint. It leads to executing JavaScript code in victims' browsers.

    Endpoint : “startdate=”
    Xss url:
    https://calendarmaui.com/php/week.ph...XSS/)%3Eweb%22


    Steps to reproduce:
    1 : Add xss payload at startdate= endpoint
    2 : Open in browser or send this to victim
    3 : When the URL is opened, the XSS will trigger

    https://calendarmaui.com/php/week.ph...XSS/)%3Eweb%22

    Fix:
    Sanitize the input values, and make forbidden all special characters.
    This is beyond my skills. I tried to follow your PDO statements recommendation and watched videos but I don't really understand it. Now that there is a crisis, I don't have the luxury of trying to get up to speed. This guy accessed the entire event database with all the tables, the entire website. I backed up the database just in case but I am very nervous because I don't know how to protect it. Please help. Mahalo!

    Below is an example of my code that is vulnerable [ I was displaying the error messages but took that out]... my code is similar for the other pages.
    Code:
    if(isset($_GET['startdate']) && $_GET['startdate'] != ''){
        $getdate = $_GET['startdate'];
        $daydate = strtoupper(date('l, F d, Y', strtotime($_GET['startdate'])));
    } else {
        $getdate = $today;
    }
    $dow = date('D',strtotime($_GET['startdate']));
    $dno = date('j',strtotime($_GET['startdate']));
    $dom = date('d',strtotime($_GET['startdate']));
    $wkofmon = (floor(($dno - 1)/7)) + 1;  // gives the week of the month
    $dyr = date('z',strtotime($_GET['startdate']));
    //echo $dow . "<br>"; echo $dom . "<br>"; echo $dno . "<br>"; echo $wkofmon. "<br>"; echo $dyr. "<br>"; exit;

    $sql = "SELECT DISTINCT event_id, ev_title, startdate, starttime, endtime
            FROM  event
            WHERE approved = 1 AND (`startdate` = '".$getdate."'
            OR (".$dow." = 1 AND `oge` = 2)
            OR (recur = 1 AND startdate <= '".$getdate."' AND `enddate` >= '".$getdate."' )
            OR (recur = 2 AND ".$dow." = 1 AND startdate <= '".$getdate."' AND `enddate` >= '".$getdate."' )
            OR (recur = 3 AND ".$dow." = 1 AND wk".$wkofmon." = 1 AND startdate <= '".$getdate."' AND (`enddate` >= '".$getdate."' OR `enddate` = '0000-00-00'))
            OR (recur = 5 AND date_format(startdate,'%j') = '".$dyr."')
            )
            ORDER BY `starttime`, `ev_title` ";

    $result = mysqli_query($connection,$sql) or die("Couldn't execute query. <br> mysqli error: ".mysqli_error($connection));
    ?>
      <!--div id="maincol"-->
        <div class="h1">&nbsp;MAUI EVENTS for <?php echo $daydate; ?></div>
        <p><?php while($event = mysqli_fetch_assoc($result)){ ?>
        <div class="time-title">
          <div class="time">
          <?php if($event['starttime'] != "00:00:00") { echo date('h:i A', strtotime($event['starttime'])); } else { echo " &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ";}
          if($event['endtime'] != "00:00:00") { echo " - ".date('h:i A', strtotime($event['endtime'])); } else { echo " &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "; } ?></div>
          <div class="title"><a href="/php/event-detail.php?event_id=<?php echo $event['event_id'];?>"><?=$event['ev_title'];?></a></div>
        </div><!--end time-title-->
        <?php } ?></p>
      <!--/div><!--end maincol-->
    Last edited by keyboard; 07-03-2021 at 02:13 PM.
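The week.php snippet above concatenates `$_GET['startdate']` straight into both the SQL string and the page, and `die()` echoes the MySQL error (which repeats the offending input) back to the browser, so the same parameter is exposed to SQL injection and to the reflected XSS the report describes. The rewrite below is an added example, not code from either poster, that applies keyboard's PDO recommendation to this exact page: the date is validated against a strict YYYY-MM-DD pattern, every request-derived value is passed as a bound parameter, the two dynamic column names are taken from fixed whitelists, all output is HTML-escaped, and database errors go to the log rather than the response. Table and column names (`event`, `startdate`, `enddate`, `recur`, `oge`, `approved`, `wk1`..`wk5`) come from the posted query; the weekday flag columns being named `Mon`..`Sun`, and the connection settings, are assumptions.

```php
<?php
// Added example, not code from the thread: a hardened rewrite of the week.php
// snippet using PDO prepared statements. Column names for the weekday flags
// (Mon..Sun) and the connection settings are assumptions.
declare(strict_types=1);

// Only a real YYYY-MM-DD date gets through. Anything else (including script
// payloads) falls back to today, so untrusted text never reaches SQL or HTML.
function parseStartDate(?string $raw): DateTimeImmutable
{
    if ($raw !== null && preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw) === 1) {
        $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
        if ($d !== false && $d->format('Y-m-d') === $raw) {
            return $d;
        }
    }
    return new DateTimeImmutable('today');
}

// The statement text is built only from whitelisted identifiers; every value
// that depends on the request is a bound parameter. Unique placeholder names
// are used so the query also works with emulated prepares switched off.
function buildEventQuery(DateTimeImmutable $day): array
{
    $dow = $day->format('D');                                    // "Mon".."Sun"
    if (!in_array($dow, ['Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun'], true)) {
        throw new RuntimeException('unexpected weekday');
    }
    $wkCol = 'wk' . (intdiv((int)$day->format('j') - 1, 7) + 1); // wk1..wk5
    $sql = "SELECT DISTINCT event_id, ev_title, startdate, starttime, endtime
            FROM event
            WHERE approved = 1 AND (
                   startdate = :d1
                OR (`$dow` = 1 AND oge = 2)
                OR (recur = 1 AND startdate <= :d2 AND enddate >= :d3)
                OR (recur = 2 AND `$dow` = 1 AND startdate <= :d4 AND enddate >= :d5)
                OR (recur = 3 AND `$dow` = 1 AND `$wkCol` = 1 AND startdate <= :d6
                    AND (enddate >= :d7 OR enddate = '0000-00-00'))
                OR (recur = 5 AND DATE_FORMAT(startdate, '%j') = :doy)
            )
            ORDER BY starttime, ev_title";
    // PHP's 'z' is 0-based while MySQL's %j is 001..366; the posted query
    // compared them directly, so they are aligned here.
    $doy  = str_pad((string)((int)$day->format('z') + 1), 3, '0', STR_PAD_LEFT);
    $date = $day->format('Y-m-d');
    $params = [':d1' => $date, ':d2' => $date, ':d3' => $date, ':d4' => $date,
               ':d5' => $date, ':d6' => $date, ':d7' => $date, ':doy' => $doy];
    return [$sql, $params];
}

function loadEventsForDay(PDO $pdo, DateTimeImmutable $day): array
{
    [$sql, $params] = buildEventQuery($day);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Everything echoed into the page, including values read back from the
// database, goes through this, so a stored "<script>" title is shown, not run.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function formatTime(string $t): string
{
    $ts = strtotime($t);
    return ($t === '00:00:00' || $ts === false) ? '' : date('h:i A', $ts);
}

$day = parseStartDate($_GET['startdate'] ?? null);
try {
    // Assumed connection settings; keep the real ones in a config file outside the web root.
    $pdo = new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'username', 'password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $events = loadEventsForDay($pdo, $day);
} catch (PDOException $e) {
    error_log($e->getMessage());   // detail stays in the log, never in the response
    http_response_code(500);
    exit('Could not load events.');
}
?>
<div class="h1">&nbsp;MAUI EVENTS for <?= h(strtoupper($day->format('l, F d, Y'))) ?></div>
<?php foreach ($events as $event): ?>
  <div class="time-title">
    <div class="time"><?= h(formatTime((string)$event['starttime'])) ?><?php
      if ($event['endtime'] !== '00:00:00'): ?> - <?= h(formatTime((string)$event['endtime'])) ?><?php endif; ?></div>
    <div class="title"><a href="/php/event-detail.php?event_id=<?= (int)$event['event_id'] ?>"><?= h((string)$event['ev_title']) ?></a></div>
  </div>
<?php endforeach; ?>
```

The strict date check is what closes both reports at once: a value that is not a valid date never reaches the query or the heading, so there is nothing to inject or reflect. The `h()` wrapper is still applied to every echoed value because titles stored in the database are user-controlled too, and `error_log()` replaces the `die(... mysqli_error(...))` that was echoing query text back to visitors.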

  4. #24

    Hi Kuau,
    I'll respond to the new thread you posted shortly, as it addresses the same topic.
