0

I dont think I have anything deprecated in my code, when I run the PHP script I get the success, but nothing appears in the database. Heres the PHP Code.

<?php include "../inc/dbinfo.inc"; ?>
<?php

$connect = new mysqli("DB_SERVER","DB_USERNAME","DB_PASSWORD","DB_DATABASE");

if(!$connect){
die('error');
}
else
{
echo "success";
}

$username = isset($_POST['username']) ? $_POST['username'] : '';  
$password = isset($_POST['password']) ? $_POST['password'] : '';
$givenname = isset($_POST['givenname']) ? $_POST['givenname'] : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';
$phonenumber = isset($_POST['phonenumber']) ? $_POST['phonenumber'] : '';


$sql = "INSERT INTO test(username,password,givenname,email,phonenumber) VALUES ('$username', '$password', '$givenname', '$email', '$phonenumber')";

mysqli_close($connect);
?>

Heres the Android Code.

 private void insertToDatabase(){
    class SendPostReqAsyncTask extends AsyncTask<String, Void,String >
        @Override
        protected String doInBackground(String... params) {
            String paramUsername = params[0];
            String paramPassword = params[1];
            String paramGivenname = params[2];
            String paramEmail = params[3];
            String paramPhonenumber = params[4];




            List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();
            nameValuePairs.add(new BasicNameValuePair("username", username.getText().toString()));
            nameValuePairs.add(new BasicNameValuePair("password", password.getText().toString()));
            nameValuePairs.add(new BasicNameValuePair("givenname", givenName.getText().toString()));
            nameValuePairs.add(new BasicNameValuePair("email", email.getText().toString()));
            nameValuePairs.add(new BasicNameValuePair("phonenumber", phone.getText().toString()));


            try {
                HttpClient httpClient = new DefaultHttpClient();
                HttpPost httpPost = new HttpPost(Constantss.DB_DNS);
                httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
                HttpResponse response = httpClient.execute(httpPost);
                HttpEntity entity = response.getEntity();
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            } catch (ClientProtocolException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }
            return "success";
        }



        @Override
        protected void onPostExecute(String result){
            super.onPostExecute(result);
            Toast.makeText(getApplicationContext(),result,Toast.LENGTH_LONG).show();
        }

    }


    SendPostReqAsyncTask sendPostReqAsyncTask = new SendPostReqAsyncTask();
  //  sendPostReqAsyncTask.execute(uname,pword, gname, lmail,pnumb);
}

I get the success from the Android Code to, but nothing appears in the database table. Does anyone know the problem? Thanks!

adoba yua
  • 41
  • 7
  • 4
    you never execute the query – Funk Forty Niner Aug 02 '16 at 17:33
  • How do I execute the query? Thank you. – adoba yua Aug 02 '16 at 17:35
  • 1
    `mysqli_query($connect, $sql);` and check for errors on it also. http://php.net/manual/en/mysqli.error.php – Funk Forty Niner Aug 02 '16 at 17:36
  • 3
    Cue "Bobby Tables" comment in 3...2... – Juan Tomas Aug 02 '16 at 17:36
  • 1
    Seems like someone's trying to lay in on my action *lol* – Funk Forty Niner Aug 02 '16 at 17:38
  • @JeesKDenny I wasn't talking about you. – Funk Forty Niner Aug 02 '16 at 17:39
  • @Fred -ii- You beat me by 16 seconds. I yeild. :) – Sarcastron Aug 02 '16 at 17:41
  • @Sarcastron all for the common good ;-) – Funk Forty Niner Aug 02 '16 at 17:43
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) ;-) @JuanTomas – Jay Blanchard Aug 02 '16 at 17:48
  • 1
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Aug 02 '16 at 17:48
  • 1
    You need to get in the habit of [accepting answers](http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) which help you to solve your issues. You'll earn points and others will be encouraged to help you. – Jay Blanchard Aug 02 '16 at 18:11

2 Answers2

5

You didn't execute the query.

So use:

mysqli_query($connect, $sql); and check for errors on it also.

References:

Since another answer was given and I have pointed that out in comments first, just so we set the record straight.

You're also open to an sql injection. Use a prepared statement:

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
  • I still got success but no entry to the database, It also gave me a HTTP error, unable to resolve Hostname, No address associated with hostname – adoba yua Aug 02 '16 at 19:13
  • @adobayua You've a problem elsewhere then and is server-related. You need to find out why that is and make sure everything checks out, credentials etc. – Funk Forty Niner Aug 02 '16 at 19:14
  • I Fixed the hostname issue. But it still doesn't post This is the new php $username = $_POST['username']; $password = $_POST['password']; $givenname = $_POST['givenname']; $email = $_POST['email']; $phonenumber = $_POST['phonenumber']; $sql = "INSERT INTO test(username,password,givenname,email,phonenumber) VALUES ('$username', '$password', '$givenname', '$email', '$phonenumber')"; mysqli_query($connect, $sql); if (mysqli_query($connect,$sql)) { echo "Values have been inserted successfully"; } else { echo "failure"; } mysqli_close($connect); ?> – adoba yua Aug 03 '16 at 00:17
  • @adobayua check for errors on the query and make sure you did successfully connect to the right database and using the right table. If it's an Android issue, I won't be able to help you with this. Plus, make sure you are indeed accessing this from a host; if local then the syntax is `http://localhost/file.xxx` and not `file:///file.xxx` if that is what you are doing. Use error reporting also to see if something comes of it http://php.net/manual/en/function.error-reporting.php and set to catch and display all errors. – Funk Forty Niner Aug 03 '16 at 00:20
  • @adobayua as per your edited comment: `else { echo "failure"; }` does not help you here. Use `echo "Error: " . mysqli_error($connect);` in order to see the real (possible) error. – Funk Forty Niner Aug 03 '16 at 00:21
  • It worked, I had to do a weird query create table function, but querying it did the magic. Thanks! – adoba yua Aug 06 '16 at 03:14
1

You don't execute the query in your code. Also I would strongly suggest to sanitize the user input.

This asks for SQL injection. Consult: How can I prevent SQL injection in PHP?

Run the query:

$res = mysqli_query($connect, $sql);
Community
  • 1
  • 1
sietse85
  • 1,488
  • 1
  • 10
  • 26