I've been working with my last project from my 3 programming course, and right now I think I'm doing pretty well, basically all I gotta do is interact with Access tables, save, edit, create, etc...
That has been working out pretty well, but right now I'm stuck with my login system, I've created some methods where I encrypt the password, and then I send the password to a table called "security". The fields in the table are: username, password, email, type of account.
I can successfully insert all the respective data in it. Right now I am stuck with the validation. I need to create a system that will let me verify if the username exist (I did it successfully trying to insert the username again and if the username exists it will return an exception), but I don't know how to verify the password that is in the same line.
I was wondering if there is any instruction with which I can extract the information of each field from the username that I verified? please help me...
idk if I explain myself.. ?
ok thank your very much but do u know how can I retrieve it into a variable I have something like this "select contra from Seguridad where usuaruio = #CLAVE"
You are going to want o read a record from the table where the username field is the value of the user name to be tested. If no record found then insert the record. If a record found then do other things.
How to do this in VB.Net I don't know.
The query created in code would like something like
"SELECT * from UserTable where UserNameField = "' & varUserName & "'"
Related
I am trying to write an sql command that enters a password inside a string.
The database entry that I need changed is in the users table preferences column and it looks like this:
a:2:{s:11:"client_hash";s:16:"hashedpwdhere";i:0;b:0;} or
a:1:{s:4:"skin";s:5:"larry";s:11:"client_hash";s:16:"hashedpwdhere";}
All I need is to replace the "hashedpwdhere" with the new hashed password. That is always after s:16: no matter how many other things are in there.
Currently my SQL command looks like this:
UPDATE users SET preferences=ENCRYPT(%p,CONCAT(_utf8\'$5$\',RIGHT(MD5(RAND()),8),_utf8\'$\')) WHERE username=%u LIMIT 1
Unfortunately this erases everything in the preferences column and I have no clue how to write this to only insert it into the quotes after s:16:
Thank you for any help you can provide!
Hi I'm a newbie to the oracle apex and I'm trying to create a dynamic page that let the user (the logged one) see only "his" record I tried in the source query (P101_USERNAME is the username item on the login page)
select * from user u where u.username=v('P101_USERNAME')
And this
Select * from user u where u.username=:P101_USERNAME
But I got the no data found error I think I'm doing the things the wrong way.. So is there a way to create a page that let the user see only the record linked to his username(or primary key) and hide the other?
That username field is only relevant for the life of the login process.
Throughout the application you should refer to :APP_USER
See list of available substitution strings
https://docs.oracle.com/cd/E59726_01/doc.50/e39147/concept_sub.htm#BEIHCJBG
If you’re using APEX 5, you can now get the User from the APEX$SESSION application context. here
You also can use function APEX_APPLICATION.g_user here
I'm new to Redis, I am now learning it by trying to make a login function.
Suppose I have a table named User (id, username, password) in traditional SQL database, what's the proper way to design the Redis store for a table, so that I may achieve some sql-style-query like "select * from user where username=xxx and password=yyy"?
Is it a good way to set the key: username+password and the value: username "root" password "admin" using Hash?
Redis is not a replacement for SQL databases. They have different purposes.
In Redis you should design based on how you will access the data.
See this SO question.
Also this tutorial by Simon Willison is very interesting even though it has some years.
I suspect your query doesn't actually need to be select * from user where username=xxx and password=yyy, but instead just looking up by username and then verifying the password is correct.
Using Redis you can store the user information by the username (this is your primary/unique key) and then in your code verify the password is correct. As #tadman has stated in the comments - please don't store passwords as plain text, that's a huge security hole right there
I have only FTP and MySql access parameters. My client didn't tell me the password to access the dashboard. How could I recovery it?
(I haven't email access, so I can't use the normal recovery and I can't contact my client before next 2 day...)
Copy the password hash of one of your customer (or create a new one) from ps_customers table to the password field of employee in ps_employee table.
PS: pub#prestashop.com customer is created by default, if still exists use that password hash. (Password for this customer is 123456789).
Use any free online MD5 generator like http://www.md5hashgenerator.com
but ecode COOKIE_KEY from settings.inc.php and new Password (with no space).
'COOKIE_KEYNewPassword' example 'bWZbVe5OEq4nwbWZbVe5OEq4nwbVe5OEq4nwnJI2xj8g3nAW1GC1y5KTwMyPassword’
Now cope your new password (MyPassword) to the ps_employee table in your database instead of the old pass.
In your database go and look at the table named PS_employee
While there add a new line with appropriate info and for password use this generator
http://www.md5hashgenerator.com
BR's
(don't forget to accept when this answer helps you )
I was trying to stress test my system's login unit. My system is designed like this -
if the user enters userid - abcd and password pass then the server takes these parameters and prepares an sql command and fires it to the microsoft database-
select password from UserInformationTable where userid = 'abcd';
The returned value is compared with the given password pass and result is then sent to the client.
I successfully broken into the system using the following method -
user enters userid - <abcd1 or drop table UserInformationTable >. This worked and my complete UserInformationTable got dropped.
Is there any graceful way of handling such a hacking problem. One way is to detect 'or' substring in the userid, but I did not find this very graceful. Is there any way I can restrict the no. of queries in a statement in microsoft sql ?
Thanks and Regards,
Radz
This is the SQL injection problem illustrated by the famous "Bobby Tables" cartoon.
Here is some info on how to fix it for MS SQL. Read especially #Rook's answer.
You have two problems.
You are subject to SQL injection attack as described by other users. Solve that problem by sanitizing your input and/or using parameterized queries.
You should neither store nor transmit plain text passwords. Why? See this story on Slashdot. The solution to this problem is to use one-way encryption to create a password hash to store in the database. When the user tries to log in use the same encryption on the password he or she provides, then search your database to see if a row exists with the same userid and password hash.
Use parameters in SQL queries. They automatically prevent this. Something like this in C#:
SqlCommand comm = new SqlCommand(conn);
comm.CommandText = "SELECT * FROM foo WHERE bar = #id";
comm.CommandType = CommandType.Text;
SqlParameter param = new SqlParameter("#id", DbType.Int64);
param.Value = 3; // The actual value that replaces #id
comm.Parameters.Add(param);
// ...
This not only applies to C#, but basically all modern DB systems and languages support parameterized queries <- google it.
And second, your first query can be changed to:
SELECT userid FROM users WHERE username = 'foo' AND password = 'bar'
Then just count how many rows you got returned, if it's 0, then the user entered the wrong password.