TheMiggyDgz Posted August 10, 2012

Does anyone know how to possibly do a tagging type of thing with @? I'm having a status update thing but I want the users to also be able to tag other users. Anything?
maxudaskin Posted August 10, 2012

Have you heard of AJAX? Basically, it's JavaScript that calls a PHP file, and uses the output. You would have the JavaScript call the AJAX function when text is typed into the textbar, and when @ is found in the text. Isolate the text directly adjacent to the @, send it to the function. PHP would then search the database for similar results, and return them. JavaScript would update the screen with the suggestions.
TheMiggyDgz (topic author) Posted August 10, 2012

> Have you heard of AJAX? Basically, it's JavaScript that calls a PHP file, and uses the output. You would have the JavaScript call the AJAX function when text is typed into the textbar, and when @ is found in the text. Isolate the text directly adjacent to the @, send it to the function. PHP would then search the database for similar results, and return them. JavaScript would update the screen with the suggestions.

I had some scripts with AJAX and jQuery and another with AJAX and JavaScript but I couldn't figure out how to get the PHP to get the information from the db.
maxudaskin Posted August 11, 2012

http://papermashup.com/jquery-php-ajax-autosuggest/
http://woork.blogspot.ca/2009/02/useful-ajax-auto-suggest-scripts.html
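The server side of the AJAX autosuggest approach described above, as an added example that is not code from the thread or from the linked scripts. It assumes a PDO connection and a `users` table with `id` and `username` columns, and builds an in-memory SQLite database with constructed sample rows so it runs on its own; the `?q=` request parameter name is also an assumption:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Server side of the AJAX
// autosuggest step: the client sends the fragment typed after "@", PHP
// looks up matching usernames and returns JSON. Table and column names
// are assumed.
function suggestUsernames(PDO $db, string $fragment, int $limit = 10): array
{
    // Validate first: a username fragment is short and alphanumeric.
    // Anything else is answered with an empty list and never reaches SQL.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $fragment)) {
        return [];
    }

    // "_" is a LIKE wildcard (and "%" would be, if the regex let it through),
    // so escape both with "!" and declare "!" as the ESCAPE character.
    // The prepared statement does the SQL quoting; this only fixes LIKE.
    $pattern = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $fragment) . '%';

    $stmt = $db->prepare(
        "SELECT id, username FROM users
         WHERE username LIKE :pattern ESCAPE '!'
         ORDER BY username
         LIMIT :limit"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo with constructed data in an in-memory SQLite database ---
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$insert = $db->prepare('INSERT INTO users (username) VALUES (:name)');
foreach (['phpfreaks', 'php_guru', 'maxudaskin', 'xyph'] as $name) {
    $insert->execute([':name' => $name]);
}

// What the AJAX handler does with the request: read the fragment from
// ?q= (a constructed default is used when run from the command line)
// and answer with JSON for the JavaScript side to render.
$q = isset($_GET['q']) ? (string) $_GET['q'] : 'php';
header('Content-Type: application/json; charset=utf-8');
echo json_encode(suggestUsernames($db, $q)), "\n";
```

The regex check runs before any database work, so a fragment containing quotes or SQL characters is simply answered with an empty list; the prepared statement and the `ESCAPE` clause are there so that the safety of the query does not rest on the regex alone.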
xyph Posted August 11, 2012

Use regular expressions to match the @user tag in a string. Once extracted, check if that user exists in the database. If you find a match, replace the string with a link to that user's profile.
MMDE Posted August 11, 2012

> Use regular expressions to match the @user tag in a string. Once extracted, check if that user exists in the database. If you find a match, replace the string with a link to that user's profile.

Might be obvious, but do remember to sanitize the input.
xyph Posted August 11, 2012

> > Use regular expressions to match the @user tag in a string. Once extracted, check if that user exists in the database. If you find a match, replace the string with a link to that user's profile.
>
> Might be obvious, but do remember to sanitize the input.

If you build your regular expression properly, you shouldn't need to. That's assuming you don't allow single/double quotes in usernames.
Christian F. Posted August 12, 2012

Xyph: Sanitizing input is not the same as escaping output, as I'm pretty sure you know already. Though, besides the fact that the "sanitizing" bit should be "validating", both methods should be applied to any client-generated input. Without fail. So while the properly structured RegExp should validate the input, escaping it for the DB should (read: must) be done regardless.

That said, I'd do it a bit differently. Especially if we're talking about using JS to make the links. In that case I'd pull all of the (active & referable) usernames from the database in one go, and store them in an array. No need to make multiple calls to the database to verify multiple usernames. Just save them as the keys in an array, with the user ID as the value, and check if the key is set; instant validation and access to the ID.

PS: Do note that exposing usernames in this manner can be quite detrimental to your users' login security, and as such I recommend using something other than the username to log in with. Such as e-mails, for example.
xyph Posted August 12, 2012

> Xyph: Sanitizing input is not the same as escaping output, as I'm pretty sure you know already. Though, besides the fact that the "sanitizing" bit should be "validating", both methods should be applied to any client-generated input. Without fail. So while the properly structured RegExp should validate the input, escaping it for the DB should (read: must) be done regardless.

Escaping the output was never mentioned. You are correct though, if a string is being output it's a good idea to convert necessary characters to their entities. That's not what I was talking about though.

I was saying there's no need to escape data that you've already validated more strictly. This is especially true for non-string values that aren't quoted in your query - escape functions will not prevent injection, and quoting non-strings is generally bad practice.

Here are a couple of examples where using an escape function isn't necessary (redundant) because we've already verified the data is query-safe.

```php
<?php
$value_for_query = 123456;

if( !ctype_digit((string)$value_for_query) ) {
    // abort, bad data
} else {
    // REDUNDANT - there's nothing to escape in the string. We've already checked that.
    // ($db stands for whatever database wrapper provides your escape function.)
    $value_for_query = $db->escape_string($value_for_query);

    // Perform query
    $query = "SELECT row FROM table WHERE id = $value_for_query";
    echo "$query<br>";
}

$raw_data = 'Shouting out to all my nerds @phpfreaks. Safe queries for all! Here\'s an @injection"attempt';
// Only letters, underscore and hyphen can make it into a captured username
$expr = '#(?:^|\W)@([a-z_-]+)#';

preg_match_all($expr, $raw_data, $results);

if( !empty($results[1]) ) {
    $users = array();
    foreach( $results[1] as $user ) {
        $users[] = $user;
    }
    $query = "SELECT rows FROM table WHERE username IN ('".implode("','", $users)."')";
    echo $query;
}
?>
```

It's not possible to pass an injectable string through either of those methods.

> In that case I'd pull all of the (active & referable) usernames from the database in one go, and store them in an array. No need to make multiple calls to the database to verify multiple usernames. Just save them as the keys in an array, with the user ID as the value, and check if the key is set; instant validation and access to the ID.
>
> PS: Do note that exposing usernames in this manner can be quite detrimental to your users' login security, and as such I recommend using something other than the username to log in with. Such as e-mails, for example.

Well, what happens if you have 10,000 active users? Are you going to dump the entire database every time to access a couple of rows? Sending it all to the client on every update could cause a lot of unnecessary bandwidth usage as well.

Also, I somewhat agree on the security issue, but it's common to use a publicly known username as part of the login credentials. Most major sites behave this way. Assuming you throttle login attempts to 1 per second from any given IP or for any given username, it's rare that a brute-force attack will be successful on your live application (where knowing the login prior to the attack would help). It could hurt users with weaker passwords (dictionary attacks and patience/botnet), but IMO, they can't really be helped nor can I feel very sorry for them when they are compromised.

Overall, good things to think about though.
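A combined worked example of the mention-linking step discussed by xyph and Christian F. (added here; it is not code from either of them or from the thread): extract the @names with a regex, verify them in a single prepared query rather than one per name or a dump of every user, hold the result as a username-keyed array, and escape the status for HTML before inserting the links. The `users` table and its columns, the `/profile.php?id=` URL and the SQLite sample rows are assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Same character class as the
// thread's regex plus digits and upper case; the lookbehind keeps
// "me@example.com" from being read as a mention of "example".
const MENTION_RE = '/(?<![\w@])@([A-Za-z0-9_-]+)/';

function extractMentions(string $text): array
{
    preg_match_all(MENTION_RE, $text, $m);
    // Drop anything longer than a real username could be, then dedupe.
    $names = array_filter($m[1], fn(string $n): bool => strlen($n) <= 32);
    return array_values(array_unique($names));
}

function lookupUsers(PDO $db, array $names): array
{
    if ($names === []) {
        return [];
    }
    // One query for all candidates, one placeholder per name. The regex has
    // already restricted the characters, but the prepared statement does the
    // quoting, so the query's safety does not depend on the regex being right.
    $placeholders = implode(',', array_fill(0, count($names), '?'));
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username IN ($placeholders)");
    $stmt->execute($names);

    // Keyed array as Christian F. describes: lower-cased username => row data.
    // Whether "@PhpFreaks" finds "phpfreaks" is decided by the column
    // collation (SQLite compares case-sensitively); the key only normalises
    // the lookup for rows the database did return.
    $map = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $map[strtolower($row['username'])] = [
            'id'       => (int) $row['id'],
            'username' => $row['username'],
        ];
    }
    return $map;
}

function linkMentions(PDO $db, string $text): string
{
    $known = lookupUsers($db, extractMentions($text));

    // Escape the whole status for HTML first; "@" and username characters
    // survive unchanged, so the same regex still finds the mentions.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return preg_replace_callback(MENTION_RE, function (array $m) use ($known): string {
        $key = strtolower($m[1]);
        if (!isset($known[$key])) {
            return $m[0];   // not a real user: leave the (already escaped) text as typed
        }
        $u = $known[$key];
        // The id is an int and the username comes from the database row, so
        // nothing from the raw status reaches the markup unescaped.
        return '<a href="/profile.php?id=' . $u['id'] . '">@'
            . htmlspecialchars($u['username'], ENT_QUOTES, 'UTF-8') . '</a>';
    }, $safe);
}

// --- Demo with constructed data in an in-memory SQLite database ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$db->exec("INSERT INTO users (username) VALUES ('phpfreaks'), ('xyph')");

$status = 'Shouting out to @phpfreaks and @xyph! Here\'s an @injection"attempt, '
    . 'a <script> tag, and my address me@example.com';
echo linkMentions($db, $status), "\n";
```

Run from the command line, the two known names come back as links, `@injection` stays plain text because no such user exists, the `<script>` text is entity-encoded, and the e-mail address is left alone. Only the names actually mentioned are sent to the database, which answers xyph's concern about dumping a large user table, while the username-to-id map gives the single-lookup validation Christian F. describes.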
scootstah Posted August 12, 2012

> PS: Do note that exposing usernames in this manner can be quite detrimental to your users' login security, and as such I recommend using something other than the username to log in with. Such as e-mails, for example.

A lot of websites (especially forums) use the publicly-available usernames to login with, so this really shouldn't be a big deal.
Christian F. Posted August 12, 2012

xyph: Yeah, I know no-one specifically mentioned output escaping, but your mention of quotes led me to believe that was what you were referring to. In any case, good to know that we've cleared it up.

As for the many users bit: It depends. As with just about everything when optimization is concerned, it's never a straight path, nor one correct answer for all applications. I'd have to profile the site in that case, and figure out what would cause the most rapid response for the user. I suspect the full list, but who knows. (Isn't that the beauty of programming, btw?)

scootstah: A purely anonymous forum might not have much trouble with this, but a site containing some personal or financial data could. Thus the use of "can be", in the quote from me.