Basically, whenever the user execute any query(for example: SELECT query), I want the user get instantly notified by email that he or she has executed this(the full query he just used) query. The reason I want this because the data can be confidential, so for the security purpose. Thank you.
I would advise against using this approach.
If the data is confidential sending the mail after it has been retrieved seems to be too late. During nights it can take hours until such a mail is read and during vacations it can take days or even weeks. Also imagine checking 100s of mails each day which mostly contain unsuspicious querys. It's a headache.
Better set your database up so that confidential data can not be retrieved by personal which is not authorized to do so.
If you really want to set up a trigger for sending E-Mails you might want to take a look at this answer: Send e-mail from a trigger
Related
We send monthly emails generated in SQL Server(2017) using sp_send_dbmail to clients containing sensitive data. Recently, there's been a breach where a client received something they shouldn't have received. The cause of this is honestly just bad code, but going forward we want to be able to screen emails more effectively. We are now avoiding the sensitive data issue by asking clients to log in to our system to look at this data instead. Whilst this would be perfectly normal procedure, certain people demand everything in an email. It's a security problem, but the client wants what they want, and the head honcho wants to give the client what they want.
We use Outlook, which has an outbox that nobody really uses anymore as far as I know. Is there a way to get SQL Server to place emails into a shared outbox account so that we can screen emails that contain sensitive data before we send them out?
For initial QA, data for emails containing alerts are generated via stored procedures and sent to QA analysts to check over. This is done by manually setting the recipients to the QA analysts for emails to all clients.
We don't expect them to cover every email as that would be insane, so we ask that they check a random selection to be confident enough that the data is accurate.
Once they are happy, we run the stored procedures again but we pass a parameter so that it cursors through a table that contains every email alert for each client and generates the tailored email for each client and is sent using sp_send_dbmail.
In other words, the email being screened by the QA analysts might not be the same as the email send to clients. This is how the breach occurred.
If we had a way to get these emails into a shared outbox, the QA work can be done on that shared outbox and then we can send the emails. Asking someone to hit send for a big bunch of emails would still be a pain, but perhaps a little less so than having another breach.
AFAIK sp_send_dbmail uses SMTP to send messages. If you want to place messages in the Drafts (or any other) folder of a particular mailbox, you will need to create messages (without sending) using Graph or EWS.
This situation might not happen much, but I would rather be safe than sorry. I'm currently trying to make a sign in/sign up system with flutter MongoDB using API call to my database. On the signup screen, I am making checks to see if the data placed into the password and username text fields already exists within the database. In other words, if an account with those credentials already exists then I ask the user to try again, but if there isn't one then I allow for the user to go to the EULA and submit page.
The problem here is that I feel like that two or more users can do the same check at the same time, and will get the same result because, while their information might match, there isn't an instance of an account with those credentials uploaded to the database for the system to tell them to stop before they go to the submit page. And if they submit the data they wrote on their phones to the database at the same time, a situation is made where we have multiple instances of the same kind of account existing in the database.
I know that keys exist and can help in making each account unique from each other, but, in this situation, I am not sure on how to handle or prevent the concurrent uploading of similar or identical data from local devices to the same server. Are calls to my server and MongoDB asynchornous? Is this something that I need to worry about at all?
TL;DR: If you use a unique index on the username field, then it will raise an error on attempting to create a duplicate, and you can forward this to the user's sign up page and let them change their name.
The long answer:
This is more of a UX problem than a DB problem.
If I understand correctly, the user enters a username & password, then reads the EULA before the account is created.
I would disagree with this - you should make the account once they submit their name, and update it with a Boolean for eulaAccepted so that if this process fails (eg. bad connection) they can come back and accept it later.
You should do two sets of unique username validation:
When they type in the name, you can check for them and let them know the name is available. This still means someone else could take it before they hit save.
Once they hit save. Put a unique index on the username field. Then if a user tries saving a duplicate (even if submitted simultaneously, they will be processed sequentially) then it will raise an error. You can forward this onto the user, prompting them to try a different name.
Answering your other questions:
Are calls to my server and MongoDB asynchronous?
Yes, as they go over the network they are naturally asynchronous. But the saves inside the Database itself are sequential and atomic. MongoDB is ACID compliant. have a read through what it means, and what changed in version 4
Is this something that I need to worry about at all?
Yes, it's good to keep an eye on this sort problems. If you don't consider it now, you will have a nasty bug on your hand later.
I have a big query project for multiple clients, they all have READER (and will ever only have READER) permission. When the client go to big query, they are able to go and click share dataset.
share dataset
The client will not able to actually share it (when they click save changes, they will be prompt with an ERROR saying that they are not allowed).
However, they can see whoever has the access to the dataset, including other clients' email address.
Is there a way to "hide" other people's email address?
I was thinking to create a google group and add those clients to the group and assign the READER permission to the group. One thing that troubles me is that individual client can actually leave the group.
Is there any better solution?
Thanks
Groups should works fine.
If you have g-suite - so google groups controlled by organization - you potentially can have audit on changes in group - so you can catch moment client leave the group. https://developers.google.com/admin-sdk/directory/v1/guides/manage-group-members
I have a website and I would like to implement a paid subscription service. Its a simple service with only 2 types of plans. For now, ill just use Paypal. But im a little lost before start, mainly with the data model.
My main question for now is, what information do I need to keep for each subscription? Do I need to implement a shopping cart for this (dont think so)? Im not asking for a detailed explanation, just a few lights or resources to find a way to start. Thanks.
Depends on what technology you're using. Basic payments work a bit like this
-> You send them to paypal with a plan (you define the plan on paypal)
they know which amount to charge
you can pass custom parameters which they will pass back
Customer fills in application
<- paypal tells you that your predefined plan got purchased
in this same request, they send a lot of info about the payment including a GUID and your params
-> you ask paypal "hey, some one just told me this plan GUID got purchased, can you confirm"
<- paypal service returns 'yes'
-> you take the customer's ID from the params that you attached when you sent them to the paypal service and update them to "paid" in the database, or whatever
That's it in a nutshell...
Look at any subscription card mailer from any magazine and you can get an idea of what kind of data you will have to record. Start and end date for the subscription would be a good thing to keep, and what kind of plan the user is subscribed to. Once you have the end date, you just need to run a query to get the records of the users that have access. Something like
Select * from users where subscription_end_date is >= today
I'm sure there will be a lot of other columns that will go into your final product, but that will be up to you to decide what data you want to keep. What are the different states that a subscription can be in? Can someone be subscribed to both services at the same time?
PayPal does a decent job if you want to charge the same amount every month. However, if you anticipate your users making changes to their subscription plans (upgrades/downgrades) or needing to provide credits to their account for customer support purposes, PayPal would require that you cancel the subscription...and then have the customer re-subscribe.
[Full disclosure - I am a co-founder of Recurly.com]
Recurly handles the upgrades and downgrades, and provides automated customer emails to be sent out to your customers (on your behalf) for every event confirmation, and invoice that occurs. You also have a full account management dashboard and reporting so that you don't need to build this yourself.
Best of all, if you ever decide to leave PayPal, and move your business to a standalone payment gateway, Recurly stores all of your credit cards in a PCI compliant vault so you don't need to ask you customers to come back and re-subscribe. (PayPal will not return your customer credit card information). You simply configure your new gateway in Recurly, and payments will be processed without any interruption to your business.
Here is a blog post we wrote on the topic:
http://blog.recurly.com/2010/08/top-ten-reasons-to-use-recurly-vs-paypal-for-recurring-billing/
-Best of luck.
-Dan
I'd like to set up a coldfusion page that will pull the status updates from my own facebook account and twitter accounts and put them in a SQL database along with their timestamps. Whenever I run this page it should only grab information after the most recent time stamp it already has within the database.
I'm hoping this won't be too bad because all I'm interested in is just status updates and their time stamps. Eventually I'd like to pull other things like images and such, but for a first test just status updates is fine. Does anyone have sample code and/or pointers that could assist me in this endeavor?
I'd like it if any information relates to the current version of the apis (twitter with oAuth and facebook open graph) if they are necessary. Some solutions I've seen involve the creation of a twitter application and facebook application to interact with the APIs; is that necessary if all I want to do is access a subset of my own account information? Thanks in advance!
I would read the max(insertDate) from the database and if the API allows you, only request updates since that date. Then insert those updates. The next time you run you'll just need to get the max() of the last bunch of updates before calling for the next bunch.
You could run it every 5 minutes using a ColdFusion scheduled task.
How you communicate with the API is usually using <cfhttp />. One thing I always do is log every request and response, either in a text file, or in a database. That's can be invaluable when troubleshooting.
Hope that helps.
Use the cffeed tag to pull RSS feeds from Twitter and Facebook. Retain the date of the last feed scan somewhere (application variable or database) and loop over the feed entries. Any entry older than last scan is ignored, everything else gets committed. Make sure to wrap cffeed in a try/catch, as it will throw errors if the service is down (ahem, twitter) As mentioned in other answers, set it up as a scheduled task.
<cffeed action="read" properties="feedMetadata" query="feedQuery"
source="http://search.twitter.com/search.atom?q=+from:mytwitteraccount" />
Different approach than what you're suggesting, but it worked for us. We had two live events, where we asked people to post to a bespoke Facebook fan page, or to Twitter with a hashtag we endorsed for the event in realtime. Then we just fetched and parsed the RSS feeds of the FB page, and the Twitter search results, extracting what was new, on a short interval... I think it was approximately every three minutes. CFFEED was a little error-prone and wonky, just doing a CFHTTP get of the RSS feeds, and then processing the CFHTTP.filecontent struct item as XML worked fine
.LAG