godlydanny
Starting Member
25 Posts |
Posted - 2010-12-08 : 07:10:32
|
Good morning, I have a table like this:

Table Name: Voters

[Username] | [IP]        | [VoteTime] | [VoteAmount]
UserA      | 192.168.1.1 | 12 PM      | 1
UserB      | 192.168.1.2 | 12 PM      | 10
UserC      | 192.168.1.3 | 12 PM      | 5
UserD      | 192.168.1.4 | 12 PM      | 3
UserE      | 192.168.1.5 | 12 PM      | 7

I want to be able to search for a Username based on my $string, then be able to make adjustments to that SELECTED row and change the values of the row.

Example: I search for UserB, then I want the IP. Then I want to search for UserE, then I want to change the Time.

Please provide me a code example for me to understand how to do this.

Thank you for your kind attention,
Sincerely,
Danny Tse |
|
nigelrivett
Master Smack Fu Yak Hacker
3385 Posts |
Posted - 2010-12-08 : 07:27:39
|
update Voters
set IP = 'xxx.xxx.xxx.xxx'
where Username = 'UserB'

update Voters
set VoteTime = '13 PM'
where Username = 'UserE'

==========================================
Cursors are useful if you don't know sql.
SSIS can be used in a similar way.
Beer is not cold and it isn't fizzy. |
 |
|
godlydanny
Starting Member
25 Posts |
Posted - 2010-12-08 : 07:38:14
|
quote: Originally posted by nigelrivett

update Voters
set IP = 'xxx.xxx.xxx.xxx'
where Username = 'UserB'

update Voters
set VoteTime = '13 PM'
where Username = 'UserE'

==========================================
Cursors are useful if you don't know sql.
SSIS can be used in a similar way.
Beer is not cold and it isn't fizzy.
Thanks Nigel! You're the best. May I please ask one more question on this topic?

What if I have the username ONLY, and I want to search for the whole row's data for that Username? Example: I want to search using UserD's name and receive the whole row's information.

Thanks in advance.
Best Regards,
Danny Tse |
 |
|
nigelrivett
Master Smack Fu Yak Hacker
3385 Posts |
Posted - 2010-12-08 : 07:41:45
|
select *
from Voters
where Username = 'UserD'

(Anyone else worried by this?)

==========================================
Cursors are useful if you don't know sql.
SSIS can be used in a similar way.
Beer is not cold and it isn't fizzy. |
 |
|
Kristen
Test
22859 Posts |
Posted - 2010-12-08 : 08:11:14
|
"(Anyone else a worried by this?)"yes, but I did try to point out some pitfalls yesterday ... |
 |
|
godlydanny
Starting Member
25 Posts |
Posted - 2010-12-08 : 08:17:28
|
// Data Submission
if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
    //---Data Config---
    $username = $_POST['username'];

    // Database connection
    $conn = odbc_connect($config['db_dsn'], $config['db_username'], $config['db_password']);

    // Query text built by concatenating the posted username straight into the SQL
    $getdata = "SELECT * FROM [Voters] WHERE Username = '" . $username . "' ";
    $exec = odbc_exec($conn, $getdata);

    // odbc_fetch_array() returns the first row as an array keyed by column name
    $data = odbc_fetch_array($exec);
    print $data;
}

I get the word "Array". How do I receive the data in Params[0], Params[1], Params[2], Params[4]?

Thanks for helping |
 |
|
godlydanny
Starting Member
25 Posts |
Posted - 2010-12-08 : 08:19:02
|
quote: Originally posted by Kristen "(Anyone else a worried by this?)"yes, but I did try to point out some pitfalls yesterday ...
Thank you for your concern, Kristen, regarding yesterday's post. I tried SQL injecting myself; it did not work. |
 |
|
nigelrivett
Master Smack Fu Yak Hacker
3385 Posts |
Posted - 2010-12-08 : 08:27:34
|
quote: Originally posted by Kristen "(Anyone else a worried by this?)"yes, but I did try to point out some pitfalls yesterday ...
Oh - it's that one.

You're getting a resultset - in this case it happens to be a single row. You need to access (get/read) the first row of the resultset and set your variables to the column values.

Given what you have there you may have created an array and maybe can access it using the index: (0/1, n) for first row, column n.

There must be lots of examples around in whatever client you are using.

==========================================
Cursors are useful if you don't know sql.
SSIS can be used in a similar way.
Beer is not cold and it isn't fizzy. |
 |
|
godlydanny
Starting Member
25 Posts |
Posted - 2010-12-08 : 08:36:09
|
First I would like to apologize if I irritated anyone or made anyone dislike me last night.

Second, Nigel, could you please show a code example of what you mean? How should I code that script above?

Thank you Nigel for your support.
Regards,
Danny |
 |
|
nigelrivett
Master Smack Fu Yak Hacker
3385 Posts |
Posted - 2010-12-08 : 08:45:27
|
Don't worry about it - database people enjoy getting annoyed - goes with the job and recovery time tends to be short (beer reboot if necessary).

No - don't know what you are coding in and doesn't look like anything I've dealt with (or want to). Virtually everything has examples of accessing a resultset if you search. I would be surprised if it's not included with your documentation.

==========================================
Cursors are useful if you don't know sql.
SSIS can be used in a similar way.
Beer is not cold and it isn't fizzy. |
 |
|
godlydanny
Starting Member
25 Posts |
Posted - 2010-12-08 : 08:50:26
|
Alright Nigel, I guess I'll search around the forums and find examples, hopefully. I am trying to learn how to script at a faster pace. Last night it took me 14 hours to write that registration script. =( More searching and reading and sleepless hours.

Overall, thanks for all your help. Have a great afternoon. |
 |
|
Kristen
Test
22859 Posts |
Posted - 2010-12-08 : 08:59:56
|
"I tried SQL Injecting myself it did not work ."

You need to be coding in a style that does not allow SQL Injection. Your test may not have worked for all sorts of reasons - perhaps because the form fields were not wide enough to allow entry of a long enough injection string - that is something which is easily circumvented.

Have you changed your password routine to properly implement SALT?

I mention these things to save you having a major problem later on. If you are not interested in them say so, and I'll stop trying to change the way you are doing things now and you can encounter those problems later on instead.

"I would like to apologize If i irritated anyone or made anyone disliked me last night."

I don't know if people were annoyed yesterday or not. People tend to get annoyed when they find that they have answered a question and then discover a duplicate post that already has answers - you have wasted their time which they could have given to somebody else.

If you did annoy them they probably won't even be reading your threads now, so you will have lost the benefit of their learned advice. |
 |
|
godlydanny
Starting Member
25 Posts |
Posted - 2010-12-08 : 09:07:51
|
quote: Originally posted by Kristen

"I tried SQL Injecting myself it did not work ."

You need to be coding in a style that does not allow SQL Injection. Your test may not have worked for all sorts of reasons - perhaps because the form fields were not wide enough to allow entry of a long enough injection string - that is something which is easily circumvented.

Have you changed your password routine to properly implement SALT?

I mention these things to save you having a major problem later on. If you are not interested in them say so, and I'll stop trying to change the way you are doing things now and you can encounter those problems later on instead.

"I would like to apologize If i irritated anyone or made anyone disliked me last night."

I don't know if people were annoyed yesterday or not. People tend to get annoyed when they find that they have answered a question and then discover a duplicate post that already has answers - you have wasted their time which they could have given to somebody else.

If you did annoy them they probably won't even be reading your threads now, so you will have lost the benefit of their learned advice.
Hi,

Maybe my simple SQL injection didn't work because it does not allow any of " @/*--=' ... etc.", only letters and numbers.

And regarding the password thing, yes, it was a success. My password is converted into Username.Password, then MD5'd, then 0x is added in front to make it binary, and my Linux Java ODBC is able to read it perfectly and connect in game. |
 |
|
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts |
Posted - 2010-12-08 : 10:26:15
|
In other words you're using an unsalted hash. Almost as bad as storing the password in plain text. Please go and read some introductory texts on encryption and hashes.

There are SQL Injection attacks that don't need any of those characters. Parameterise your queries! It's not hard!

--
Gail Shaw
SQL Server MVP |
 |
|
Kristen
Test
22859 Posts |
Posted - 2010-12-08 : 10:29:46
|
I will try one last time.

You are using a style of programming in PHP that allows SQL Injection. There is a standard way, in PHP, of wrapping user data to prevent this (that much I know, but I don't know the exact syntax). Just look it up and then use it all the time where you process User Data.

"Maybe my simple sql injection didnt work due to because it does not allow any " @/*--=' ....etc." only characters and numbers."

I thought you had $XXX fields for Name, Email address etc? They, or some other field you add in the future, are going to need to allow more than just alpha-numerics.

"regarding about the password thing , yes it was a success . my password converts in to Username.Password than it Md5 it .. than add 0x infront to make it to a binary .."

That isn't what you had before (which was:

$Salt = $password;
$Salt = md5($Salt);
$Salt = "0x".$Salt;

) if you have changed that so that the $Salt is now set to be Username and Password concatenated that's fine. Note that if a username is changed then the password will no longer be valid (probably not a problem, just mentioning it). |
 |
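An added example (my code, not anything posted in the thread) that covers both of the points left open above: Danny's 08:17 question of how to get at the individual columns of the fetched row, and Kristen's and Gail's point that the query has to be parameterised instead of built by string concatenation. It keeps the PHP ODBC functions Danny is already using (odbc_prepare/odbc_execute in place of odbc_exec), the same $config array and the Voters table from the first post; the function names, the 50-character username limit and the PHP 7.1+ syntax are my assumptions.

```php
<?php
// Added example, not code from the thread. Assumes $config['db_dsn'],
// $config['db_username'], $config['db_password'] as in the 08:17 post and the
// Voters table (Username, IP, VoteTime, VoteAmount) from the first post.

// Fetch the Voters row for one username with a placeholder instead of
// concatenation. Returns the row keyed by column name, or null if not found.
function fetch_voter($conn, string $username): ?array
{
    // Validate server-side: a maxlength on the form is no protection, since
    // an attacker posts the request without the form. Limit is an assumption.
    if ($username === '' || strlen($username) > 50) {
        throw new InvalidArgumentException('username must be 1-50 characters');
    }
    // Documented quirk of odbc_execute(): a parameter that both starts and
    // ends with a single quote is treated as a FILE NAME to read. Refuse it.
    if (strlen($username) >= 2 && $username[0] === "'" && substr($username, -1) === "'") {
        throw new InvalidArgumentException('quoted parameter refused');
    }

    // The SQL text is fixed; the value is sent separately, so a username
    // such as  x' OR 1=1--  is compared as data and cannot alter the query.
    $stmt = odbc_prepare($conn, 'SELECT Username, IP, VoteTime, VoteAmount FROM [Voters] WHERE Username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . odbc_errormsg($conn));
    }
    if (!odbc_execute($stmt, [$username])) {
        throw new RuntimeException('execute failed: ' . odbc_errormsg($conn));
    }

    // odbc_fetch_array() returns one row as column name => value, or false.
    $row = odbc_fetch_array($stmt);
    odbc_free_result($stmt);
    return $row === false ? null : $row;
}

// The UPDATE from nigelrivett's first reply, parameterised the same way.
// Returns the number of rows affected.
function update_voter_ip($conn, string $username, string $ip): int
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    $stmt = odbc_prepare($conn, 'UPDATE [Voters] SET IP = ? WHERE Username = ?');
    if ($stmt === false || !odbc_execute($stmt, [$ip, $username])) {
        throw new RuntimeException('update failed: ' . odbc_errormsg($conn));
    }
    $affected = odbc_num_rows($stmt);   // rows affected for UPDATE
    odbc_free_result($stmt);
    return $affected;
}

// Data submission, as in the original script but using the functions above.
if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
    $username = $_POST['username'] ?? '';
    $conn = odbc_connect($config['db_dsn'], $config['db_username'], $config['db_password']);
    if ($conn === false) {
        die('connection failed');
    }
    $row = fetch_voter($conn, $username);
    if ($row === null) {
        echo 'no such user';
    } else {
        // The individual columns that "print $data" could not show.
        // htmlspecialchars() stops a stored value from being rendered as HTML.
        echo 'IP: ', htmlspecialchars($row['IP']), "\n";
        echo 'VoteTime: ', htmlspecialchars($row['VoteTime']), "\n";
        echo 'VoteAmount: ', (int) $row['VoteAmount'], "\n";
    }
    odbc_close($conn);
}
```

The keys of the array are the column names, so $row['IP'] is the value Danny wanted after "print $data"; for positional access, odbc_fetch_row() followed by odbc_result($stmt, 2) works, with field numbers starting at 1. The single-quote check exists because the PHP manual documents that odbc_execute() reads a parameter wrapped in single quotes as a file name; PDO's odbc driver (new PDO('odbc:' . $dsn, ...) with prepare()/execute()) does not have that quirk and is the cleaner choice for new code.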
|
godlydanny
Starting Member
25 Posts |
Posted - 2010-12-08 : 10:31:48
|
Alright, thank you both for your advice. You both have a nice day. |
 |
|
Kristen
Test
22859 Posts |
Posted - 2010-12-08 : 10:34:18
|
"In other words you're using an unsalted hash"Gail - is the Username + Password OK as the SALT? I was assuming it would be? |
 |
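An added example (mine, not code from the thread) putting the password discussion above into working PHP. The Username.Password MD5 scheme from the 09:07 post is reproduced only for comparison (the post does not say whether there is a separator, so none is assumed), beside two alternatives that use an unpredictable per-user salt: password_hash()/password_verify() (PHP 5.5+), and an explicit random salt with PBKDF2 for a table that must keep a fixed-width binary column. A username-derived salt does stop two users with the same password from sharing a hash, but it is public and never changes, so anyone who knows the account name can precompute MD5 of username plus a wordlist ahead of time, and MD5 itself is fast enough to try billions of guesses per second. Function names and the hash and iteration parameters are my assumptions.

```php
<?php
// Added example, not code from the thread.

// The scheme described in the 09:07 post, kept only for comparison: the
// "salt" is the username (public, predictable, reused for every password
// change) and the hash is a single fast MD5.
function legacy_hash(string $username, string $password): string
{
    return '0x' . md5($username . $password);
}

// Recommended: password_hash() draws a fresh 16-byte random salt for every
// call and embeds algorithm, cost and salt in the returned string, so that
// one string is all that needs to be stored per user.
function make_password_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// If the column must stay fixed-width binary (the thread mentions a Java
// client reading the value), keep an explicit random salt and a slow KDF.
// Store both fields as binary; neither depends on the username, so renaming
// a user does not invalidate the password.
const PBKDF2_ITERATIONS = 100000;   // assumption; tune to ~100 ms per check

function make_salted_hash(string $password): array
{
    $salt = random_bytes(16);   // unpredictable, unique per user and per change
    $hash = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 32, true);
    return ['salt' => $salt, 'hash' => $hash];
}

function check_salted_hash(string $password, string $salt, string $hash): bool
{
    $calc = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 32, true);
    return hash_equals($hash, $calc);   // constant-time comparison
}

// Demonstration with constructed inputs.
$legacyA = legacy_hash('UserA', 'hunter2');
$legacyB = legacy_hash('UserB', 'hunter2');
// $legacyA and $legacyB differ, but both are fixed for their account and can
// be matched against a table of md5('UserA' . guess) built in advance.

$h1 = make_password_hash('hunter2');
$h2 = make_password_hash('hunter2');
// $h1 and $h2 are different strings (different random salts) and both verify:
var_dump($h1 !== $h2);
var_dump(check_password('hunter2', $h1));
var_dump(check_password('wrong', $h1));

$rec = make_salted_hash('hunter2');
var_dump(check_salted_hash('hunter2', $rec['salt'], $rec['hash']));
var_dump(check_salted_hash('wrong', $rec['salt'], $rec['hash']));
```

When the stored value has to be hex with a 0x prefix for another client, apply bin2hex() to the raw bytes on the way out and hex2bin() on the way in; the choice of encoding does not change which scheme is safe.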