1

I'm trying to program a Login-System for Android (in Eclipse) and have to get the data from an external MySQL-DB.

Source I took the code from: Connecting to MySQL Database

The website I'm trying to fetch the data from is here. (I know there are some safety issues, blabla, this is not my problem right now^^)

The problem I have is that when I try to run the application, I get the error "No Password found". This error is caught within this code:

```java
ArrayList<String> passwort = new ArrayList<String>();
ArrayList<String> benutzer = new ArrayList<String>();
try {
    jArray = new JSONArray(result);
    JSONObject json_data = null;
    for (int i = 0; i < jArray.length(); i++) {
        json_data = jArray.getJSONObject(i);
        passwort.add(json_data.getString("pw"));
        benutzer.add(json_data.getString("benutzer"));
    }
    Intent intent = new Intent(this, MainActivity.class);
    intent.putExtra("arrayBenutzerExtra", benutzer);
    intent.putExtra("arrayPasswortExtra", passwort);
    startActivity(intent);
} catch (JSONException e1) {
    Toast.makeText(getBaseContext(), "No Password found", Toast.LENGTH_LONG).show();
} catch (ParseException e1) {
    e1.printStackTrace();
}
```

In addition, here is the code where I connect with the website, but it doesn't seem to be the problem, though I don't get an error message about that!

```java
try {
    HttpClient httpclient = new DefaultHttpClient();
    HttpPost httppost = new HttpPost("http://winklermarkus.at/appconnection.php");
    httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
    HttpResponse response = httpclient.execute(httppost);
    HttpEntity entity = response.getEntity();
    is = entity.getContent();
} catch (Exception e) {
    Log.e("log_tag", "Error in http connection" + e.toString());
}
```

The code of the .php file is here:

```php
$sql_pw = "SELECT ". "Passwort ". "FROM ". "benutzerdaten ";
$result_pw = mysql_query ($sql_pw);
$data_pw = mysql_fetch_array ($result_pw);
$pw = $data_pw["Passwort"];

$sql_benutzer = "SELECT ". "Email ". "FROM ". "benutzerdaten ";
$result_benutzer = mysql_query ($sql_benutzer);
$data_benutzer = mysql_fetch_array ($result_benutzer);
$benutzer = $data_benutzer["Email"];

print(json_encode($pw));
print(json_encode($benutzer));

mysql_close();
?>
```

As Perception mentioned, I don't get valid JSON output. Could this possibly be related to me trying to transmit 2 strings at once?

AndroidLearner
Werdli
  • Can you paste the json response you are trying to parse? – Waqas Dec 10 '12 at 12:23
  • You found JSON String after HttpPost. Please check it. Maybe the problem is here? – Md Abdul Gafur Dec 10 '12 at 12:27
  • ***Always*** check the status code of your HTTP request before processing the response data. More on topic, the service you linked in your question does ***not*** return valid JSON. – Perception Dec 10 '12 at 12:29
  • @Perception Oh, OK, this could be the real problem, I will add the PHP code to my question! – Werdli Dec 10 '12 at 12:35
  • I doubt that the php result is a valid JSON array – Udo Klimaschewski Dec 10 '12 at 12:47
  • @Waqas I am writing the responses into lists and then try to compare it with the submitted Password and Username(E-Mail). The Code for that is like this: Intent intent_passwort = getIntent(); List pw = intent_passwort.getStringArrayListExtra("arrayPasswortExtra"); – Werdli Dec 10 '12 at 12:53
  • Your PHP code is not doing what you think it's doing. I cannot recommend a fix to it as you've created a ***massive*** security hole. Instead of sending all the passwords and all the emails to the client (in an unassociated fashion no less), send the client's hashed password and email ***to*** the service (over SSL), then on the service side query if you have the combination of email/pass in the database. If you do, return login success; otherwise return login failed. – Perception Dec 10 '12 at 12:59
  • @Perception Well the massive security hole doesn't matter, though we are at the start of the programming :) But thanks for that 180° direction change of my concept! I will change this in the next hour and I'm kinda sure it will be the solution to this! Big thanks to you! – Werdli Dec 10 '12 at 13:07
  • No prob, good luck with the project. – Perception Dec 10 '12 at 13:24
  • @Perception I'm trying to find something useful, how to send data from the application to the php script, and to work with the data gotten in the php script but can't find anything useful(maybe I'm just too dumb to use google correctly). Have you maybe got any tutorial or source-code URL? This would be super awesome! Also I would like to rep you, but can't find an option to do this(I'm new here, as you can easily see^^). Any way to do this? – Werdli Dec 10 '12 at 13:33
  • @Werdli - I've posted my comment as an answer. You can rep that way, thanks. [Here](http://php.net/manual/en/reserved.variables.post.php) is documentation on how to use POST'ed variables in PHP. And [here](http://stackoverflow.com/questions/8120220/how-to-use-parameters-with-httppost) is an SO post describing how to include form parameters in an HTTP Post. If you have problems incorporating those please post them as separate questions. – Perception Dec 10 '12 at 15:04

1 Answer

2

Your PHP code is not doing what you think it's doing. I cannot recommend a fix to it as you've created a significant security hole.

As an alternative strategy, instead of sending all the passwords and all the emails to the client (in an unassociated fashion no less), send the client's hashed password and email to the service (over SSL). Then on the service side query if you have the combination of email/pass in the database. If you do, return login success; otherwise return login failed.

Perception
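
The server-side check this answer describes, as an added example that is not part of the original answer or the asker's project: a hypothetical `login.php` that takes the e-mail and password in the POST body, checks the pair in the database, and returns a single JSON object. Assumptions: the `email` and `password` field names, the placeholder DSN and credentials, HTTPS in front of the script, and a `Passwort` column holding `password_hash()` output, so the password travels inside TLS and is verified on the server rather than being hashed on the client as the answer suggests.

```php
<?php
// Added example: hypothetical login.php, not the asker's script.
// Assumed: table benutzerdaten(Email, Passwort) where Passwort stores
// password_hash() output; DSN and credentials are placeholders.
declare(strict_types=1);

function respond(int $status, bool $ok): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    // One json_encode() call per response keeps the body a single valid
    // JSON document, e.g. {"success":false}.
    echo json_encode(['success' => $ok]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, false);
}
$email = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';
if (!is_string($email) || !is_string($password) || $email === '' || $password === '') {
    respond(400, false);
}

try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
        'PLACEHOLDER_USER',
        'PLACEHOLDER_PASSWORD',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
    // The e-mail is bound as a parameter, never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT Passwort FROM benutzerdaten WHERE Email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();
} catch (PDOException $e) {
    error_log('login: database error: ' . $e->getMessage());
    respond(500, false);
}

// For an unknown e-mail, verify against a throwaway hash so both cases cost
// about the same and the reply does not show which addresses are registered.
$known = is_string($hash);
$candidate = $known ? $hash : password_hash('constructed-dummy', PASSWORD_DEFAULT);
$ok = password_verify($password, $candidate) && $known;

respond($ok ? 200 : 401, $ok);
```

On the Android side, the client checks the HTTP status code and reads the `success` field with `new JSONObject(result)`, so no list of e-mails or passwords ever leaves the server.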