#add expire time to verification code

4 messages · Page 1 of 1 (latest)

mystic bramble

How can I add an expiry time to this verification code?
I want to delete it from the database 10 minutes after it was issued.

app.post("/sendforgetpassword", async (req, res) => {
    const email = req.body.email

    // the e-mail address is concatenated straight into the SQL string
    database.query('SELECT * FROM verifications WHERE email ="' + email + '"', function(err, result) {
        if (err) {
            console.log(err);
            return;
        }
        console.log(result[0]);

        if (result.length > 0) {
            var fourcode = Math.floor(1000 + Math.random() * 9000);

            // only issue a code if none is stored for this address yet
            if (result[0].code == null) {
                var sent = sendEmail(email, fourcode);
                if (sent != '0') {
                    var data = {
                        code: fourcode
                    }
                    database.query('UPDATE verifications SET ? WHERE email ="' + email + '"', data, function(err, result) {
                        console.log(data);
                        if (err) console.log(err);
                    })
                    res.send('The code has been sent to your email address')
                }
                else {
                    res.send('Something went wrong. Please try again')
                }
            }
            else {
                res.send('The code has already been sent to your email')
            }
        }
        else {
            res.send('The email is not registered with us')
        }
    })
})
lean stag

I'm not sure that's a valid approach. Personally, I'd add a validUntil column set to 10 minutes in the future from when the code was generated.
Also, look into parameterized inputs for raw SQL queries, as this is susceptible to SQL injection. Validate and sanitize. Always!

mystic bramble

What is wrong in my code with regard to SQL injection? What should I do to avoid SQL injection?

lean stag

The part where you're just inserting the value. Someone could send "; DROP TABLE users;. Assuming you have a users table, it would be dropped.
Depending on the library you're using, something along the lines of this (semi-pseudocode, not sure about the implementation because I'm on mobile):

// Placeholder form for the node mysql/mysql2 drivers: the e-mail address is
// passed as a value and escaped by the driver, never spliced into the SQL text.
database.query('SELECT * FROM verifications WHERE email = ?', [req.body.email], function(err, result) {
    // handle err / result here
});