0

I'm working on an android app that is communicating w/ a server and writing info to a db. I have the app connecting to the db, but there must be something wrong w/ my query b/c I keep getting the error message I'm echoing. The table I'm trying to post to has 6 columns, one of which is the key.

I don't think there's anything wrong with the Android side, but here is how I'm sending the info:

                URL url = new URL(URL_);
                HttpURLConnection httpURLConnection = (HttpURLConnection)url.openConnection();
                httpURLConnection.setRequestMethod("POST");
                httpURLConnection.setDoOutput(true);
                httpURLConnection.setDoInput(true);


                OutputStream outputStream = httpURLConnection.getOutputStream();
                BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(outputStream, UTF));
                String data =
                        URLEncoder.encode(USER_ID, UTF) + "=" + URLEncoder.encode(_id, UTF) + "&" +
                        URLEncoder.encode(PRIMARY_INFO, UTF) + "=" + URLEncoder.encode(primary, UTF) + "&" +
                        URLEncoder.encode(SECONDARY, UTF) + "=" + URLEncoder.encode(secondary, UTF) + "&" +
                        URLEncoder.encode(THIRD, UTF) + "=" + URLEncoder.encode(third, UTF) + "&" +
                        URLEncoder.encode(TIMESTAMP, UTF) + "=" + URLEncoder.encode(time_stamp, UTF);

                bufferedWriter.write(data);
                bufferedWriter.flush();
                bufferedWriter.close();

                outputStream.close();
                InputStream inputStream = httpURLConnection.getInputStream();
                BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream,"iso-8859-1"));
                String response = "";
                String line = "";
                while ((line = bufferedReader.readLine())!=null)
                {
                    response+= line;
                }
                bufferedReader.close();
                inputStream.close();
                httpURLConnection.disconnect();
                return response;

And here is the PHP script I'm using:

<?php

//add user info

//require log in file
require "init.php";

//values to be added
$key = $_POST["0"];
$user_id = $_POST["user_id"];
$primary = $_POST["primary"];
$secondary = $_POST["secondary"];
$third = $_POST["third"];
$time_stamp = $_POST["timestamp"];

//sql insert statement
$sql = "insert into triage_lvl values ('$key', '$user_id', '$primary', '$secondary', '$third', '$time_stamp');";

//insert information, echo on success or failure
if(mysqli_query($con, $sql)){
    echo "user information added to database";
} else {
    echo "Error adding user information";
}

?>
Diego
  • 117
  • 10
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Oct 25 '16 at 18:34
  • 1
    It's very worrying that questions with PHP and Android usually have the *worst* SQL code in them. Is this from a tutorial of some sort? I'm curious where these examples originate. – tadman Oct 25 '16 at 18:37
  • I suspect that you are posting the values which contains the primary key/ID that already exists in the records. – Nandan Bhat Oct 25 '16 at 18:42
  • Its error because on the android code doesn't have params with key `"0"` & is the `key` is ID, I think you must be remove `$key = $_POST["0"];` from php code & changes your query. – Sodiq Oct 25 '16 at 19:04

0 Answers0