|
PHP - Hash Access And Refresh Tokens In The Database - Necessary?
Hi Is it necessary to hash stored access and refresh tokens that are stored in a database. Both these tokens have limited lifespan (access token - 20 minutes but refresh token is 14 days). The reason I ask is I have hashed the tokens using the password_hash function but a user can have multiple active sessions if they want (so there is a sessions table with user id (not username), access token, token expiry date/time, refresh token and refresh token expiry date/time. So in order to refresh the access token I have to do a look up to see which session it relates to, what I have found is that I must retrieve all rows where the refresh token hasn't expired and then run password_verify against the tokens stored with the tokens provided to check each session to see if they match. What I have found is that it takes a while to run the password_verify function (by design I think) for each row (could be many if the users has been silly and logged in lots of time) which would cause an unacceptable delay when calling an API with an access token that needs refreshing (my tests resulted in times upwards of 30 seconds for a user who has around 10 active sessions). If both tokens were not hashed the same action to refresh a token for a user who has 10 active sessions takes less than a second which is much more acceptable. Edited December 15, 2018 by mds1256Similar TutorialsHi all, Thanks for reading. I'm running a script using jQuery that auto-refreshes a <div> on the index page from an external PHP script to get all the rows in a database and display them on the index page. The script works great - here it is as follows: Code: [Select] <script type="text/javascript"> $(document).ready(function() { $("#responsecontainer").fadeOut("fast").load("getrows.php").fadeIn("slow"); var refreshId = setInterval(function() { $("#responsecontainer").fadeOut("fast").load('getrows.php').fadeIn("slow"); }, 5000); $.ajaxSetup({ cache: false }); }); </script> The getrows.php script I'm working with looks like this: Code: [Select] <?php $rowsQuery = mysql_query("SELECT * FROM Happenings WHERE HappeningDate='$today'"); if (mysql_num_rows($rowsQuery) == 0) { $happeningsToday = "There are no happenings today."; } else { $allHappeningsToday = 1; while ($getHappeningsToday = mysql_fetch_array($rowsQuery)) { $happeningName = stripslashes($getHappeningsToday['HappeningName']); $happeningDate = $getHappeningsToday['HappeningDate']; $happeningDescription = $getHappeningsToday['HappeningDescription']; if ($allHappeningsToday == 1) { $happeningsToday .= " <div class=\"box\"> <p>".$happeningName." | ".$happeningDate." | ".$happeningDescription." </div>"; $allHappeningsToday = 2; } else { $happeningsToday .= " <div class=\"box\"> <p>".$happeningName." | ".$happeningDate." | ".$happeningDescription." </div>"; $allHappeningsToday = 1; } } } echo $happeningsToday; ?> This script works great as well. Currently, the auto-refresh jQuery script as you can see if getting and fading in/out all of the rows. Off of the above getrows.php script, is there a way after I could get only the newly created rows since the last refresh and only fade those in and out while leaving the others already loaded by the auto-refresh script to not fade in/out? Any ideas, thoughts or suggestions would be unbelievably helpful. Thank you very much. Hi all. I'm working on a PHP application that will serve several clients. After a discussion on another thread about compliance, I've decided that using tables with a client specific prefix would be the safest way to go. However, I'm having a lot of trouble wrapping my head around what the database connection script would look like. I have a generic one that connects with host, user, pwd, and db as arguments but I'm not sure how to modify it to incorporate the table prefix requirement. Thoughts on how I can incorporate the aforementioned requirement and enhance the script in general? function connect_mysql($host,$user,$pass,$database){ $conn=mysql_connect($host,$user,$pass)or die('Cannot create link'); mysql_select_db($database)or die('Cannot select database'); }; Hi all, I am working on PHP to create a email client using imap. I have got a problem with using imap because it will get very slow so I want to find a way to make it to go faster. I have been researching that I have seen alot of people are using mysql database to store their emails and get access to their emails pretty quick than using imap. And I have also seen that roundcube are using mysql database to store contacts, emails...etc. I am not really sure what to do but I need your advice and I need your opinion. I have got questions for you. Do you think if I am better off to use imap or use mysql database to get access to my emails pretty quicker? If you think I am better off to use mysql database, then I want to know how I could store my emails in mysql and do I need to delete the emails in imap after I store the emails in mysql? Please let me know your opinion so I will decide what to do next. Thank you. Edited September 15, 2019 by mark107We have setup a member login page in CS5 using a myphpadmin database. We want to give members access to particular areas of our site depending on what username and password they enter. ie member 1 only requires access to specific documents/webpages - member 2 requires access to other documents/webpages. Not sure how to do this. Hi friends, a quick print_r() shows the following array while connecting to my database. How to get them as individual items and display on the website ? Array ( [0] => Array ( [id] => 52 [document_name] => xyz [document_ext] => gif [download_file_name] => ktm_impact.gif [upload_dt] => 2010-08-11 ) ) After I've successfully inputted something in my script and then click refresh in Chrome with "Right Click -> Reload", the same thing that I've inputted before gets re-inserted AGAIN into the database, thus resulting in multiple versions of the same thing in the MySQL database. How can I prevent that? p.s. Chrome is warning with a pop up of repeated action, and when I then click continue the repeated insertion of the data occurs, and I'd like to prevent the repeated insertion. Hi everyone! I'm getting the error "Access denied for user ''@'localhost' to database 'crystalair'" (crystalair is the name of my database) whenever I submit my form which inserts a new row to the database table "order". The same happens when I try to retrieve data from the table using select query. However, I can successfully perform operations (select, insert) in my other pages which involves another database table "user". If this is a connection error, how can I successfully perform operations with another table? Also, my connection query does not return an error. I have also checked to make sure my user has been granted "All Privileges" in the phpmyadmin. I've run out of ideas. Can you please help? Thanks a lot. hi all i am having a big problem that i have been trying to find out what is going on for weeks. i have a echo script that echos data that is in my database, and if i have to refresh the page it will add blank data in my database and the top echo info is blank as well. how can i fix this, and i was wanting to know how do i echo out my info in a textarea. i added a jepg to show you what i mean. here is my code echoforms.php <?php error_reporting(0); require_once('demo.php'); /*Open the connection to our database use the info from the config file.*/ $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); $sql = "SELECT company_name, contact_name, address, street_number, postcode, contact_number, contact_email, budget, description FROM 3dartactforms"; $results = mysql_query($sql); if (!$results) { die('Invalid query: ' . mysql_error()); } while($result = mysql_fetch_array( $results )){ echo '<div style="border: 1px solid #e4e4e4; padding: 15px; margin-bottom: 10px;">'; echo date("d/m/y"); echo '<p>Company Name: ' . $_POST['company_name'] . '</p>'; echo '<p>Contact Name: ' . $_POST['contact_name'] . '</p>'; echo '<p>Address: ' . $_POST['address'] . '</p>'; echo '<p>Street Number: ' . $_POST['street_number'] . '</p>'; echo '<p>Postcode: ' . $_POST['postcode'] . '</p>'; echo '<p>Contact Number: ' . $_POST['contact_number'] . '</p>'; echo '<p>Contact Email: ' . $_POST['contact_email'] . '</p>'; echo '<p>Budget: ' . $_POST['budget'] . '</p>'; echo '<p>Description: ' . $_POST['description'] . '</p>'; echo '</div>'; } ?> I have noticed that many websites and php software generate a random token and put it in a hidden form field to be sent to the php page that gets the form. I was just wondering, if anyone knows how this makes a php script more secure? And is it worth it to put this in my application? I have read up a few tutorials on this, but it doesn't specifically say why this is more secure than not having it. The only reason I could find is that it helps making sure you don't make duplicate form submissions, however, I have always gone around this through by redirecting the user to a page saying the form was submitted successfully. Cheers for your help. Im creating a token system where if a user uploads notes they get tokens and can download other peoples notes. My problem is I am not sure where to store the information for who has bought the note for future download. Should I store the information in the database under the table that looks after the notes, in its own table, or in a file that has arrays of the Note names and the users who are allowed to download it. I figured the best way would to have it in the db table that looks after the users but im not sure how I would get about making it so that every time the user bought another note I didnt have to add a new field. I am using JWT for an API authentication and like them. Previously, I would query both some GUID and the user's ID (which wasn't their PK but a unique key per GUID), but now I just include both the account and user's DB PK in the token. Also, including something regarding the user's permissions, however, I still haven't bought into this approach as I don't know how to deal with changing permissions and still having some JWT with different permissions floating around. I suppose I could save the JWT's timestamp in the DB, but that seems to eliminate the benefit of token expirations... Sorry, back to the question at hand. I now have a need to provide emails with a reduced subset of endpoints to either view some resource or update some status. I don't want to make the user first go to some website and then include the JWT in the header, but instead just a single click action. Problem is now I have their JWT which is effectively their password in some email which isn't ideal, and their is no way to ensure that the specific user was the individual that viewed the resource or performed some action. Then I thought maybe I would make some common low access JWT and use the exact same GET routes as I would do so normally and create some new GET routes to emulate main application POST/PUT/PATCH routes. Before going down that path, I would like to investigate other solutions. Often single use tokens are used to reset passwords and other actions which should only performed once and this is not my need but maybe close. I am thinking of creating a token that includes the actual resource path with URL parameters along with the HTTP method. Since everything is in the token, I wouldn't need a typical REST path to identify the resource but would have a single endpoint to retrieve them. I searched for related information and didn't find anything which makes me concerned I am going down a rabbit hole. Any thoughts on how to implement this? Thanks i want to make virtual money (credits, tokens) whatever you want to call it but make no mistake this is not for profit at this point but i like the concept of visitors having something to do with other members of site for example to kill bordom and create a reason to play games, compete in competetions, it will have to conversion to real money at this point but i wish to do this script using php and mysql and have very basic coding skills in these areas anyone please help me make this script... reply and let me know if you like this idea please help me as this is achievable as fb has it and more sites are moving toward these same ideas, even tho fb is real money it is more to do with fun at this point until we do this stage another stage canot proceed it. "BACK" or REFRESH: Preventing database interaction / code execution how to prevent database interaction / code execution when user presses back or refresh button? can i detect? can i disable back/refresh? Guys, Having a major headache here. I need to send an enquiry using jquery and php. The user can only send an enquiry if they are logged in - so it's a one click process. On the click (which is an <a> tag) the user's data is retrieved from the database and sent to the company they are enquiring about. When the link is clicked, a jquery popup is shown to notify the user that the enquiry has been sent. This all works. However, currently the enquiry is sent when the page loads and this is what I'm having trouble with. Code: [Select] <a href="#e" onclick="openinfobox('Enquiry Sent', 1)" class="enq"></a>What I want to do is say if the URL contains #e, then send the enquiry, otherwise do nothing. I understand that the # portion of the url cannot be referenced by PHP. How on earth can I run php process to say only run this php process if there is a # in the url? Are there any PHP hashes that are extremely secure and that CANNOT be reverse-engineered?
Is a hash array the same thing as an associative array? My PHP books make no reference to this, yet I have seen the term referred to. Thanks. I have a section on my website where the url points to www.example.com/some_page#some_element #some_element is used by javascript to load the element in question into the parent element. However i need pagination done on this loaded element. How should i go about it? would it work? obv i cant use www.example.com/some_page#some_element/page/2. Any tips or advice? I'm getting the dreaded " Invalid parameter number: number of bound variables does not match number of tokens" error and I've looked at this for days. Here is what my table looks like:
| id | int(4) | NO | PRI | NULL | auto_increment | | user_id | int(4) | NO | | NULL | | | recipient | varchar(30) | NO | | NULL | | | subject | varchar(25) | YES | | NULL | | | cc_email | varchar(30) | YES | | NULL | | | reply | varchar(20) | YES | | NULL | | | location | varchar(50) | YES | | NULL | | | stationery | varchar(40) | YES | | NULL | | | ink_color | varchar(12) | YES | | NULL | | | fontchosen | varchar(30) | YES | | NULL | | | message | varchar(500) | NO | | NULL | | | attachment | varchar(40) | YES | | NULL | | | messageDate | datetime | YES | | NULL |Here are my params:
$params = array(
':user_id' => $userid,
':recipient' => $this->message_vars['recipient'],
':subject' => $this->message_vars['subject'],
':cc_email' => $this->message_vars['cc_email'],
':reply' => $this->message_vars['reply'],
':location' => $this->message_vars['location'],
':stationery' => $this->message_vars['stationery'],
':ink_color' => $this->message_vars['ink_color'],
':fontchosen' => $this->message_vars['fontchosen'],
':message' => $messageInput,
':attachment' => $this->message_vars['attachment'],
':messageDate' => $date );
Here is my sql:
$sql = "INSERT INTO messages (user_id,recipient, subject, cc_email, reply, location,stationery, ink_color, fontchosen, message,attachment) VALUES( $userid, :recipient, :subject, :cc_email, :reply, :location, :stationery, :ink_color, :fontchosen, $messageInput, :attachment, $date);";
And lastly, here is how I am calling it:
$dbh = parent::$dbh;
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING);
if (empty($dbh)) return false;
$stmt = $dbh->prepare($sql);
$stmt->execute($params) or die(print_r($stmt->errorInfo(), true));
if (!$stmt) { print_r($dbh->errorInfo()); }
I know my userid is valid and and the date is set above (I've echo'd these out to make sure). Since the id is auto_increment, I do not put that in my sql (though I've tried that too), nor in my params (tried that too). What am I missing? I feel certain it is something small, but I have spent days checking commas, semi-colons and spelling. Can anyone see what I'm doing wrong?
Hi SMF forum use semi-colom in url for example http://www.phpfreaks.com/forums/profile/?area=showposts;u=71740 after showposts there is semi-colon. Sometimes use hash(#) how can i do this with superglobal $_GET??? |
|||||||