
I have an Applescript that takes some user input and checks it against my database.

APPLESCRIPT

set domain to "mysite.com"
-- email and productKey hold the user input collected earlier in the script
set keyURL to domain & "/product.php?email=" & email & "&productKey=" & ¬
	productKey
-- the URL is interpolated into the shell command as-is (unquoted)
set curlURL to (do shell script "curl " & keyURL)
open location keyURL
display dialog curlURL

PHP

// $email and $productKey come straight from the request; they are concatenated
// into the SQL text here (this is what the comments below are about)
$query = "SELECT * FROM table WHERE email = '" . $email . "' AND `key` = '" . $productKey . "'";

$result = $mysqli->query($query);

if (mysqli_num_rows($result) > 0) {

    while ($row = mysqli_fetch_assoc($result)) {
        $email = $row["email"];
        $key   = $row["key"];
    }

    echo "true";

} else {

    echo "false";
}

My server takes the data and checks it against my database and shows me a true or false. Whether or not it comes back with true or false, my curlURL is always false. The database check will return true on my site but my Applescript dialog will always be false. Does anyone know why this is the case?

Nick
  • Your code is vulnerable to SQL injection attacks. You should use [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](http://php.net/manual/en/pdo.prepared-statements.php) prepared statements as described in [this post](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 13 '17 at 20:15
  • I am not concerned with that at the moment. I will handle security after. This is just for testing purposes. I need to figure out the bigger issue here first but thank you for your input. – Nick Apr 13 '17 at 20:16
  • In your query, is `table` the actual name of your table? If so, please have a look at this [SO discussion](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysqlm) and [MySQL keywords / Reserved words](https://dev.mysql.com/doc/refman/5.5/en/keywords.html). You should also add `error_reporting(E_ALL); ini_set('display_errors', 1);` on top of your PHP page. – OldPadawan Apr 13 '17 at 20:21
  • _"I will handle security after."_ This is a bad way to develop software. – Alex Howansky Apr 13 '17 at 20:24
  • as stated by AlexHowansky, you'll have to re-write all of your *wrong* code after that, twice the amount of work... – OldPadawan Apr 13 '17 at 20:28
  • ...obviously the name "table" isn't the real name. Just for demonstration purposes for this post. I already have security in place; I am much more concerned with the question about cURL and why the response is always false even though on my server it echoes out true. – Nick Apr 13 '17 at 22:16
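The prepared-statement version of the lookup that the comments recommend, added here as an example (it is not the asker's code): the two inputs are bound as parameters instead of being spliced into the SQL text, and the script keeps the same bare `true`/`false` response so the AppleScript side needs no change. The table name `products` and the connection details are placeholders.

```php
<?php
// Added example: the same email / product-key check using a mysqli
// prepared statement. The table name `products` and the connection
// parameters are assumptions, not values from the question.
declare(strict_types=1);

// Raise exceptions on any mysqli error instead of silently returning false,
// which would otherwise make mysqli_num_rows() fail on a bad query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function productKeyIsValid(mysqli $db, string $email, string $productKey): bool
{
    // `key` is a reserved word in MySQL, so it stays backtick-quoted.
    // The ? placeholders are filled in by the driver; a quote or comment
    // sequence inside the input cannot change the shape of the query.
    $stmt = $db->prepare(
        'SELECT 1 FROM `products` WHERE `email` = ? AND `key` = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $email, $productKey);
    $stmt->execute();
    $stmt->store_result();          // required before num_rows is populated
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Read only the two expected parameters; anything else is ignored.
$email      = $_GET['email'] ?? '';
$productKey = $_GET['productKey'] ?? '';

try {
    // Placeholder credentials; replace with the real connection settings.
    $db = new mysqli('db-host', 'db-user', 'db-password', 'db-name');
    $isValid = ($email !== '' && $productKey !== '')
        && productKeyIsValid($db, $email, $productKey);
    $db->close();
} catch (mysqli_sql_exception $e) {
    // Keep the SQL error server-side; the client only sees a generic failure.
    error_log('product key check failed: ' . $e->getMessage());
    http_response_code(500);
    exit;
}

// Same contract the AppleScript expects: a bare "true" or "false".
header('Content-Type: text/plain');
echo $isValid ? 'true' : 'false';
```

With `MYSQLI_REPORT_STRICT` enabled, a missing `productKey` parameter or a wrong table name surfaces in the server log instead of quietly producing `false`.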

0 Answers