adding data to online DB using php script and httppost from android

Question

In my app I ahve a specific form for the user to complete and I want to store these data in my online DB.

Here is my code in java:

public void send_data_to_DB(){
         String result = "";
         InputStream is = null;
         StringBuilder sb=null;
         ArrayList<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();//() before
         nameValuePairs.add(new BasicNameValuePair("table", table));
         nameValuePairs.add(new BasicNameValuePair("code", Integer.toString(code)));
         nameValuePairs.add(new BasicNameValuePair("name", name));
         nameValuePairs.add(new BasicNameValuePair("email", email));
            try{
                HttpClient httpclient = new DefaultHttpClient();
                HttpPost httppost = new HttpPost("http://myurl.php");
                HttpEntity entity = new UrlEncodedFormEntity(nameValuePairs);
                httppost.addHeader(entity.getContentType());
                httppost.setEntity(entity);
                HttpResponse response = httpclient.execute(httppost);
                //HttpEntity entity = response.getEntity();
                //is = entity.getContent();
        }catch(Exception e){
                Log.e("log_tag", "Error in http connection "+e.toString());
        }
     }

And Here is my php script:

<?php

    mysql_connect("dserver","User","Code");

    mysql_select_db("DB_Name");

$table.=$_POST['table'];
$code.=$_POST['code'];
$name.=$_POST['name'];
$email.=$_POST['email'];

  $q=mysql_query(" INSERT INTO {$table} (code,name,email) VALUES ({$code},{$name},{$email}) ")or die(mysql_error());


mysql_close();
?>

I think it must be something in my php and the way I am assigning or using the variables but I am not quite experienced in PHP. Can you help me?

**Your code is vulnerable to SQL injection.** You *really* should be using [prepared statements](http://stackoverflow.com/a/60496/623041), into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of [Bobby Tables](http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain). — eggyal, Sep 02 '12 at 18:57
Also, as stated in [the introduction](http://www.php.net/manual/en/intro.mysql.php) to the PHP manual chapter on the `mysql_*` functions: *This extension is not recommended for writing new code. Instead, either the [mysqli](http://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](http://www.php.net/manual/en/ref.pdo-mysql.php) extension should be used. See also the [MySQL API Overview](http://www.php.net/manual/en/mysqlinfo.api.choosing.php) for further help while choosing a MySQL API.* — eggyal, Sep 02 '12 at 18:58

Ridcully · Accepted Answer · 2012-09-02T19:14:47.327

1

On PHP side it must be .= instead of =..

EDIT:

The quotes in the SQL statement are missing:

Change to

"INSERT INTO {$table} (code,name,email) VALUES ('{$code}','{$name}','{$email}')"

edited Sep 02 '12 at 19:14

answered Sep 02 '12 at 18:51

Ridcully

23,362
7
71
86

i changed that and still nothing was added to my table. – ghostrider Sep 02 '12 at 18:59
actually, in your case you can jsut write `=` as you are not concating anything. – Ridcully Sep 02 '12 at 19:13

score 0 · Answer 2 · answered Sep 02 '12 at 18:44

$table=.$_POST['table'];
$code=.$_POST['code'];
$name=.$_POST['name'];
$email=.$_POST['email'];

you have extra dot after every equal sign, that probably causes syntax error.

Your other problem is sql injection vulnerability, always check /escape properly values before using in query.

adding data to online DB using php script and httppost from android

2 Answers2