
I'm currently working on a program that I plan on creating for multiple platforms using Xamarin. I'm currently working on a Windows version of the app, and for safety reasons, I'm working on creating a PHP script that the application connects to. I have two PHP files that work together. One is login.php, the other is connect.php. connect.php contains the database information and looks as follows:

<?php
// Connection settings (placeholders); the database name is fixed here
$host = "SERVERADDRESS";
$user = "USERNAME";
$pass = "PASSWORD";
$database = "login_info";

mysql_connect($host, $user, $pass);
mysql_select_db($database);
?>

And login.php looks as follows:

<?php

include("connect.php");

$isSuccessful = false;

// Username and password arrive in the GET query string
$username = mysql_escape_string($_GET['username']);
$password = mysql_escape_string($_GET['password']);

// Look the user up by name, then compare the submitted password
$squery = mysql_query("SELECT * FROM users WHERE username='$username'");
$query = mysql_fetch_array($squery);
$rowcount = mysql_num_rows($squery);

// Status codes returned to the client: 0 = wrong password, 1 = success, 2 = no such user
if($rowcount == 1)
{
    if($password != $query['password'])
    {
        echo 0;
    }
    else
    {
        echo 1;
        $isSuccessful = true;
    }
}
else
{
    echo 2;
}

// On success the user's row is echoed back, space separated
if($isSuccessful)
{
    $returnString = $query['username'] . " " . $query['password'] . " " . $query['firstname'] . " " . $query['lastname'];
    echo $returnString;
}

?>

In the C# program, I use the following line to upload and pull information:

report = new WebClient().DownloadString("http://WEBADDRESS/login.php?username=" + tbUser.Text + "&password=" + tbPass.Text);

As I have it set up right now, everything works like it should. The problem that I'm running into is that for other operations of the program, I need to connect to different databases, other than 'login_info'.

Is there a way where I can give connect.php a string for the database variable, and supply login.php with the username and password provided by the user?

Ben Buurstra
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jan 18 '16 at 22:50
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 18 '16 at 22:50
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 18 '16 at 22:51
  • I hope this isn't production code... – Luke Joshua Park Jan 18 '16 at 22:53
  • Yeah, just add a query string variable e.g. `?dbname=whatever` then use `$dbName = isset($_GET['dbname']) ? $_GET['dbname'] : 'default_db';`. Please make sure you implement decent security measures here!!! – scrowler Jan 18 '16 at 22:53
  • Hahahahaha, no, it's not production code. I'm just trying to get my feet wet with connecting C# to PHP, which then connects to MySQL. Never done anything like it before. I was just trying to get it working. Wasn't concerned about security at this point – Ben Buurstra Jan 18 '16 at 22:54
  • Well, as a start, use the `PDO` library instead of `mysql_*` functions, it should seem more logical to you as a C# developer anyway. Second, connecting to multiple databases isn't that common, normally you have a single database with lots of tables. If you really do need to connect to multiple dbs, and you must let the user decide, then at the very least have a whitelist and make sure the user's selection is within it, else very bad things can happen – Steve Jan 18 '16 at 23:01
  • The reason I'm connecting to multiple databases is because I need each user to have tables that hold different information. The way it's set up right now, when a new user is created, their first, last, username, and password are placed in the 'users' table in the 'login_info' database. It also creates a new database specific for that user. In that database, there's a data table, and a settings table. The data table holds the information about the spending habits of the user (the app is a spending tracker). The settings table holds settings the user can configure, like spending categories. – Ben Buurstra Jan 18 '16 at 23:10
  • Yeah, I would certainly still have a single database in that scenario, the data and settings tables just have a foreign key link to the user table. That way you can perform queries on one database, to do, for example, select all users that spend more than x over y period of time. Multiple databases would make these kind of (probably essential) queries a huge pain in the ... – Steve Jan 18 '16 at 23:26
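The comments above (PDO with prepared statements, password_hash()/password_verify(), and a whitelist for the database name) put together as one hardened connect/login script. This is an added example, not the asker's code; the host, credentials, the ALLOWED_DBS list and the 'spending_data' name are placeholders, and it assumes the users.password column stores a password_hash() digest rather than plaintext.

```php
<?php
// Added example: hardened replacement for connect.php + login.php.
// DB_HOST/DB_USER/DB_PASS and ALLOWED_DBS are placeholders to fill in.
declare(strict_types=1);

const DB_HOST = 'SERVERADDRESS';
const DB_USER = 'USERNAME';
const DB_PASS = 'PASSWORD';
// Whitelist: only names listed here may ever reach the DSN.
const ALLOWED_DBS = ['login_info', 'spending_data'];

function connect(string $requested): PDO
{
    // Strict, exact-match check; the raw user value never touches the DSN.
    if (!in_array($requested, ALLOWED_DBS, true)) {
        throw new InvalidArgumentException('database not allowed');
    }
    $dsn = 'mysql:host=' . DB_HOST . ";dbname=$requested;charset=utf8mb4";
    return new PDO($dsn, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Same status codes as the original script (0 wrong password, 1 success,
// 2 unknown user), but the stored hash is never echoed back to the client.
function login(PDO $pdo, string $username, string $password): int
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);   // bound parameter, not string interpolation
    $row = $stmt->fetch();
    if ($row === false) {
        return 2;
    }
    // password column holds a password_hash() digest, not plaintext.
    return password_verify($password, $row['password']) ? 1 : 0;
}

// Credentials are read from the POST body (sent over HTTPS), not from a GET
// query string that ends up in web server and proxy logs.
try {
    $pdo = connect($_POST['dbname'] ?? 'login_info');
    echo login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
}
```

On the C# side this means switching from DownloadString on a GET URL to a POST (for example WebClient.UploadValues with a NameValueCollection) so the password is not part of the URL.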
