
I am making a profile update Android application. I need assistance to get JSON values, as I am getting a null JSON result - can anyone spot a mistake?

Profile Update Response:

{"tag":"profile_update","error":false,"user":{"fname":null,"lname":null,"email":null,"mobile":null,"class":null,"school":null,"uid":null,"profile_pic":null,"created_at":null}}

My PHP code:

public function profileUpdate($fname, $lname, $email, $mobile, $class, $school, $uid, $profile_pic){
    $result = mysqli_query($this->con, "SELECT * FROM users WHERE unique_id = '$uid'") 
                                                    or die(mysqli_error($this->con));       
    $path = "userImages/$uid.png";
    $actual_path = "http://192.168.1.101/cedu/login/$path";
    $no_of_rows = mysqli_num_rows($result);
    if ($no_of_rows > 0) {
        $result = mysqli_fetch_array($result);
        $old_email = $result['email'];
        $old_profile_pic = $result['profile_pic'];
        $status = 0;
        $otp = rand(100000, 999999); // otp code

        if ($old_email == $email) {
            if ($old_profile_pic == $profile_pic){
                $result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `mobile` = '$mobile',`class` = '$class',`school` = '$school' 
                      WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
            } else {
                $result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `mobile` = '$mobile',`class` = '$class',`school` = '$school' , `profile_pic` = '$actual_path' 
                      WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
                file_put_contents($path, base64_decode($profile_pic));                  
            }

        } else {
            if ($old_profile_pic == $profile_pic){
                $result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `email` = '$email', `mobile` = '$mobile',`class` = '$class',`school` = '$school' , `otp` = '$otp', `verified` = '$status'  
                      WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
            } else {
                $result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `email` = '$email', `mobile` = '$mobile',`class` = '$class',`school` = '$school' , `profile_pic` = '$actual_path', `otp` = '$otp', `verified` = '$status'  
                      WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
                file_put_contents($path."user".$uid.".jpg", base64_decode($profile_pic));
            }

        }   

    } else {
        //
        return false;
    }       

}
halfer
Akshay Raj.

1 Answer


I don't know if this relates to your problem, but you might as well change your potentially vulnerable code first, since any bug tracing you do beforehand may need to be done again. Your code is likely to be susceptible to SQL injection. I will add a (non-tested) example below, and you will need to:

  • understand it
  • make similar changes across the rest of your application

Here is a statement that is likely to be vulnerable: you're injecting what looks like user input directly into a SQL string:

$result = mysqli_query(
    $this->con,
    "SELECT * FROM users WHERE unique_id = '$uid'"
) or die(mysqli_error($this->con));

So firstly let's change this to use explicit column names, and to bind:

$statement = mysqli_prepare(
    $this->con,
    "SELECT email, profile_pic FROM users WHERE unique_id = ?"
) or die(mysqli_error($this->con));
// "i" sends $uid as an integer; use "s" instead if unique_id is stored as a string
mysqli_stmt_bind_param($statement, "i", $uid);
mysqli_stmt_execute($statement);
mysqli_stmt_bind_result($statement, $email, $profile_pic);
// fetch copies the first matching row into $email and $profile_pic
// (returns null when no row matched, so check the variables before using them)
mysqli_stmt_fetch($statement);
mysqli_stmt_close($statement);

What's happening here?

  • We bind an input variable using the i type, which specifies that it is an integer
  • We run the query using the mysqli_stmt_execute method
  • We bind a list of output variables, corresponding to each item in the SELECT list

All of the MySQLi "statement" methods are documented here in the PHP manual, and all have very good examples. Do please read up on each of the methods I've used - the manual is one of the best things about PHP!

Stack Overflow also has a set of definitive answers on SQL injection - there are resources there for both PDO and MySQLi.

Once you have made these changes, I recommend stepping through your code, one line at a time, to check that the intermediate values you get are what you expect.

halfer
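The answer shows the SELECT; the same change has to be carried through to the UPDATE statements, where the user-supplied fields are also spliced into the SQL string. Below is an added example (not the asker's or the answerer's code) that rewrites the lookup and one generic UPDATE with MySQLi prepared statements. It assumes `$con` is an open `mysqli` connection, that the `users` table has the columns used in the question, and that `unique_id` is stored as a string (hence the `"s"` type rather than the `"i"` used above). The column whitelist is needed because column names cannot be bound as parameters; only values can. Returning the fetched row from `loadProfile` also gives a caller something to JSON-encode, which the original `profileUpdate` never did on the success path.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes: $con is an open mysqli connection to the database used in the question,
// the users table has the columns referenced below, and unique_id is a string column.

function loadProfile(mysqli $con, string $uid): ?array
{
    $stmt = $con->prepare(
        "SELECT firstname, lastname, email, mobile, class, school, profile_pic, created_at
           FROM users WHERE unique_id = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $con->error);
    }
    // "s": $uid travels to the server as a string parameter, never as part of the SQL text,
    // so a value like "x' OR '1'='1" is compared literally against unique_id.
    $stmt->bind_param("s", $uid);
    $stmt->execute();
    $stmt->bind_result($fname, $lname, $email, $mobile, $class, $school, $pic, $created);

    $row = null;
    if ($stmt->fetch()) {   // fetch() fills the bound variables; null/false means no such user
        $row = [
            'fname' => $fname, 'lname' => $lname, 'email' => $email, 'mobile' => $mobile,
            'class' => $class, 'school' => $school, 'profile_pic' => $pic, 'created_at' => $created,
        ];
    }
    $stmt->close();
    return $row;
}

function updateProfile(mysqli $con, string $uid, array $fields): bool
{
    // Request field => column name. Column names cannot be bound, so they are taken
    // from this fixed map and never from the request itself.
    static $allowed = [
        'fname'  => 'firstname', 'lname'  => 'lastname', 'email' => 'email',
        'mobile' => 'mobile',    'class'  => 'class',    'school' => 'school',
    ];

    $set = [];
    $values = [];
    foreach ($allowed as $key => $column) {
        if (array_key_exists($key, $fields)) {
            $set[] = "`$column` = ?";          // only a placeholder goes into the SQL text
            $values[] = (string) $fields[$key]; // the value is bound below
        }
    }
    if ($set === []) {
        return false;   // nothing to update
    }
    $values[] = $uid;   // last placeholder is the WHERE clause

    $sql = "UPDATE `users` SET " . implode(', ', $set) . " WHERE `unique_id` = ?";
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $con->error);
    }
    // One "s" per bound value; argument unpacking passes the array entries by reference.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (connection details are assumed placeholders):
$con = new mysqli('localhost', 'dbuser', 'dbpass', 'cedu');
$con->set_charset('utf8mb4');

$uid = "abc' OR '1'='1";   // would have changed the meaning of the original concatenated query
var_dump(loadProfile($con, $uid));   // NULL: no row has that literal unique_id

updateProfile($con, 'real-uid-123', ['fname' => "O'Brien", 'school' => 'Example High']);
echo json_encode(['error' => false, 'user' => loadProfile($con, 'real-uid-123')]), PHP_EOL;
```

Note that binding only protects the SQL. In the original code the same `$uid` is also used to build the image path `userImages/$uid.png`, and a prepared statement does nothing for that; whatever format `unique_id` has, check `$uid` against it before using it in a filename.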