
The problem with the code below is the variable sp1. When replacing sp1 in the "where" clause with a city name already existing in the database, everything works well. But when I send the startPoli1 variable from my app, PHP returns nothing. Logcat shows that startPoli1 is being sent every time. Any suggestion?

```php
<?php
$con = mysql_connect("......", "......", "......");
$database = "......";
$ok = mysql_select_db($database, $con);
mysql_set_charset("UTF8", $con);

// Values posted by the app
$us1 = $_POST['username1'];
$sp1 = $_POST['startPoli1'];
$fp1 = $_POST['finalPoli1'];
$w1  = $_POST['weight1'];
$em1 = $_POST['eidosmetaf1'];
$dD1 = $_POST['depDate1'];
$dT1 = $_POST['depTime1'];

$sql = mysql_query("SELECT `username1`, `startPoli1`, `finalPoli1`, `eidosmetaf1`, `weight1`, `depDate1`, `depTime1`, `tilefono1`
    FROM customer, registration1
    WHERE (customer.startPoli1 = 'sp1')
      AND (customer.username1 = registration1.username)");

if ($sql === FALSE) {
    die(mysql_error());
}

$results = array();
while ($row = mysql_fetch_assoc($sql)) {
    $results[] = array(
        'username1'   => $row['username1'],
        'startPoli1'  => $row['startPoli1'],
        'finalPoli1'  => $row['finalPoli1'],
        'eidosmetaf1' => $row['eidosmetaf1'],
        'weight1'     => $row['weight1'],
        'depDate1'    => $row['depDate1'],
        'depTime1'    => $row['depTime1'],
        'tilefono1'   => $row['tilefono1']
    );
}

echo json_encode(array('select_itin_results' => $results));
mysql_close($con);
?>
```
  • In your code you're not even using the sent values for anything. Is that on purpose, or did you post the wrong code? – eis Oct 27 '14 at 13:15
  • **WARNING** You're very vulnerable to SQL Injection. You should [take some measures to secure your app](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – ʰᵈˑ Oct 27 '14 at 13:16
  • Note: You should be using prepared statements to build your sql queries and never pass user data directly into your queries without sanitizing it. – Grice Oct 27 '14 at 13:17
  • So, in other words, my friend, you have 2 options: 1. make it work with a framework; 2. Use prepared statements :) – Ares Draguna Oct 27 '14 at 13:17
  • @AresDraguna #1 option isn't guaranteed. – itachi Oct 27 '14 at 13:18
  • @itachi I know... I've stopped using plain PHP from bottom up since 2010 :) – Ares Draguna Oct 27 '14 at 13:19
  • P.S: I recommend YII - best framework there is!!! (**Y**es **I**t **I**s) – Ares Draguna Oct 27 '14 at 13:29
  • @AresDraguna Just because the letters form that statement doesn't necessarily mean it's the best framework. You should choose your framework best suited for your application. – ʰᵈˑ Oct 27 '14 at 14:05
  • The best framework there is affirmation belongs to me :) in my opinion that IS the best framework... beats Zend by a mile – Ares Draguna Oct 27 '14 at 15:17

2 Answers

You're not using the value of the variable $sp1.

Instead, you're using the string 'sp1'; the dollar symbol $ is missing in your clause:

where (customer.startPoli1 = 'sp1')

Should be changed to:

where (customer.startPoli1 = '$sp1')

But beware of the threat that comes along with the solution:

You are vulnerable to SQL injections, which you can avoid by no longer using mysql_* functions, since they're deprecated; instead you should begin to use prepared statements using PDO or mysqli_*. You can see how by checking other useful posts about the matter.


You forgot to add $ before the variable name, i.e. where (customer.startPoli1 = '$sp1'), so the final query is using the string "sp1" instead of the value of the variable $sp1.

After you understand that, learn about the proper way of making SQL queries, to avoid people messing with your database with SQL injection.

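As an added example (not code from the question or from either answer), here is the question's query rewritten with a PDO prepared statement, which is what both answers recommend. The database credentials are placeholders, the join is written as an explicit INNER JOIN equivalent to the original comma join plus WHERE condition, and the city value is bound as a parameter rather than interpolated into the SQL string, so the missing-dollar bug and the injection problem both disappear:

```php
<?php
// Added example, not the original poster's code. Connection details are placeholders.
$dsn  = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
$user = 'DB_USER_PLACEHOLDER';
$pass = 'DB_PASS_PLACEHOLDER';

header('Content-Type: application/json; charset=utf-8');

try {
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // use real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
} catch (PDOException $e) {
    http_response_code(500);
    echo json_encode(['error' => 'database connection failed']);
    exit;
}

// Only the start city is used by this query; reject the request if it is missing.
$sp1 = isset($_POST['startPoli1']) ? trim((string) $_POST['startPoli1']) : '';
if ($sp1 === '') {
    http_response_code(400);
    echo json_encode(['error' => 'startPoli1 is required']);
    exit;
}

// Same columns and join as the original query, with a named placeholder for the city.
// The value travels separately from the SQL text, so quotes or keywords inside it are
// treated as data and cannot change the structure of the statement.
$sql = 'SELECT username1, startPoli1, finalPoli1, eidosmetaf1, weight1, depDate1, depTime1, tilefono1
        FROM customer
        INNER JOIN registration1 ON registration1.username = customer.username1
        WHERE customer.startPoli1 = :startPoli1';

try {
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':startPoli1' => $sp1]);
    $results = $stmt->fetchAll();
} catch (PDOException $e) {
    // Log $e->getMessage() server-side; do not echo driver errors to the client.
    http_response_code(500);
    echo json_encode(['error' => 'query failed']);
    exit;
}

echo json_encode(['select_itin_results' => $results]);
```

Because the rows come back as associative arrays keyed by column name, the hand-built per-row array from the question is no longer needed; json_encode produces the same `select_itin_results` structure the app already expects.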