0

I am creating an app that uploads user data to a MySQL database. The app uploads the data upon request and can be seen as a record inside of the database, but the app returns an error and doesn't let the user move on.

Here's the Android code I'm using:

private void registerUser(final String firstname, final String lastname, final String email,
                          final String password) {
    String tag_string_req = "req_register";

    pDialog.setMessage("Registering ...");
    showDialog();

    StringRequest strReq = new StringRequest(Method.POST, AppConfig.URL_REGISTER, new Response.Listener<String>() {
        @Override
        public void onResponse(String response) {
            Log.d("ME", "Register Response: " + response);
            hideDialog();

            try {
                JSONObject jObj = new JSONObject(response);
                boolean error = jObj.getBoolean("error");
                if (!error) {
                    String uid = jObj.getString("uid");


                    JSONObject user = jObj.getJSONObject("user");
                    String firstname = user.getString("firstname");
                    String lastname = user.getString("lastname");
                    String email = user.getString("email");
                    String created_at = user.getString("created_at");

                    db.addUser(firstname, lastname, email, uid, created_at);

                    Toast.makeText(getApplication(), "Welcome! Please Login", Toast.LENGTH_LONG).show();

                    Intent intent = new Intent(RegisterActivity.this, LoginActivity.class);
                    startActivity(intent);
                    finish();
                } else {
                    //**This is the error I'm receiving**//
                    String errorMsg = jObj.getString("error_msg");
                    Toast.makeText(getApplicationContext(), errorMsg + ", Error in RegisterActivity1", Toast.LENGTH_LONG).show();
                }
            } catch (JSONException e) {
                e.printStackTrace();
                Toast.makeText(getApplication(), "Couldn't connect to Database", Toast.LENGTH_LONG).show();
            }

        }
    }, new Response.ErrorListener() {

        @Override
        public void onErrorResponse(VolleyError error) {
            Log.e(TAG, "Registration Error: " + error.getMessage());
            Toast.makeText(getApplicationContext(), error.getMessage() + ", Error in RegisterActivity2", Toast.LENGTH_LONG).show();
            hideDialog();
        }
    }) {

        @Override
        protected Map<String, String> getParams() {
            Map<String, String> params = new HashMap<String, String>();
            params.put("tag", "register");
            params.put("firstname", firstname);
            params.put("lastname", lastname);
            params.put("email", email);
            params.put("password", password);

            return params;
        }

    };

    // Adding request to request queue
    MyApplication.getInstance().addToRequestQueue(strReq, tag_string_req);
}

The PHP storeuser function:

public function storeUser($firstname, $lastname, $email, $password) {
    $userid = uniqid('', true);
    $hash = $this->hashSSHA($password);
    $encrypted_password = $hash["encrypted"]; // encrypted password
    $salt = $hash["salt"]; // salt
    $result = mysql_query("INSERT INTO userinfo_basic(userid, firstname, lastname, email, password, salt, created_at) VALUES('$userid', '$firstname', '$lastname', '$email', '$encrypted_password', '$salt', NOW())");
    // check for successful store
    if ($result) {
        // get user details 
        $uid = mysql_insert_id(); // last inserted id
        $result = mysql_query("SELECT * FROM users WHERE uid = $uid");
        // return user details (true)
        return mysql_fetch_array($result);
    } else {
        return false;
    }
}

And when the storeuser function gets called

if ($tag == 'register') {
    // Request type is Register new user
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $email = $_POST['email'];
    $password = $_POST['password'];

    // check if user is already existed
    if ($db->isUserExisted($email)) {
        // user is already existed - error response
        $response["error"] = TRUE;
        $response["error_msg"] = "User already existed";
        echo json_encode($response);
    } else {
        // store user
        $user = $db->storeUser($firstname, $lastname, $email, $password);
        if ($user) {
            // user stored successfully
            $response["error"] = FALSE;
            $response["uid"] = $user["unique_id"];
            $response["user"]["name"] = $user["name"];
            $response["user"]["email"] = $user["email"];
            $response["user"]["created_at"] = $user["created_at"];
            $response["user"]["updated_at"] = $user["updated_at"];
            echo json_encode($response);
        } else {
            // user failed to store
            $response["error"] = TRUE;
            $response["error_msg"] = "Error occured in Registartion";
            echo json_encode($response);
        }
    }
}

I'm not sure what's going wrong, so all help is appreciated.

I can show more code or clarify upon request.

HTG
  • 584
  • 1
  • 8
  • 28
  • You are vulnerable to [sql injection attacks](http://bobby-tables.com). – Marc B Jun 23 '15 at 21:37
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 23 '15 at 21:43
  • @MarcB I am new to PHP, but I am taking user input through an Android device, where the amount of characters is between 8 and 20 and checks for alphanumeric characters only. Will that prevent an attack? – HTG Jun 23 '15 at 22:01
  • what makes you think that someone will limit themselves to using your app to talk to your server? you're running a website. ANYONE can send whatever they want to it, utterly/completely independently of your app. – Marc B Jun 23 '15 at 22:03
  • @MarcB Well If there is anything you want to contribute, I'm more than happy to listen and fix it. – HTG Jun 23 '15 at 22:10

0 Answers0