
I have an Android app and I'm attempting to use PHP/MySQL.

I'm having a lot of trouble getting my results from PHP accessible in C#/Android.

This is my PHP so far:

// $password is interpolated unescaped into the query (the injection concern raised below)
$sql = "SELECT Name FROM Employees WHERE Password='$password'";
if (!$result = $mysqli->query($sql)) {
    echo "Sorry, the query was unsuccessful";
    exit; // $result is false here and cannot be read below
}

$employees = array();
while ($employee = $result->fetch_assoc()) {
    $employees[] = $employee; // fetch_assoc() returns an array, which has no close()
}
$result->close(); // close the result set, not the row

echo json_encode($employees); // one JSON array for the client to parse

I've left out the basic connection code as I have all that up and running. Here is my C#:

private void OnLoginButtonClick()
{
    var mClient = new WebClient();
    // Read the response when it arrives (needs System.Text and Newtonsoft.Json); without this handler the data is never seen
    mClient.DownloadDataCompleted += (sender, e) => {
        var json = Encoding.UTF8.GetString(e.Result);
        var employees = JsonConvert.DeserializeObject<List<Dictionary<string, string>>>(json);
    };
    mClient.DownloadDataAsync(new Uri("https://127.0.0.1/JMapp/Login.php?password=" + Uri.EscapeDataString(_passwordEditText.Text)));
}

As you can see I really am at a very basic stage. I've installed Newtonsoft so I'm ready to deal with the JSON that is coming back; however, I have a few questions.

I'm well aware of SQL injection, and the way that my variable (password) is passed to the PHP concerns me. Is there a safer way of doing this?

Secondly, I am now unsure of how to get the 'Employees' that match the MySQL command in PHP back into C#. How am I able to access the object that is passed back from PHP?

CBreeze
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 22 '17 at 15:28

1 Answer


Leaving aside other aspects of the code in the question, I suggest some reading on sanitizing and escaping user data.

For this specific case of a password see @Jay Blanchard's comments. For other input you would not transform upon input, the idea is to sanitize it as soon as you receive it.

This is to make sure you receive what you were expecting. In the case of a string, trim() the text and match it against a regex of allowed characters. Whether or not you allow HTML tags, you can match it against a whitelist of them. Check the max length.

Then you would validate it. That is, that it makes sense and meets the business requirements.

At the time of storing it in the database you can avoid SQL injection by using prepared statements. By doing this it is clear what is text to be stored and what are SQL instructions.

At the time of using the data, you will escape it according to where it is going to be used, for example, if it is HTML content you escape it for HTML content; if it is an HTML attribute, or a URL parameter, you do the escaping accordingly for each case. (WordPress has a nice suite of functions that do this.)

Also don't send passwords as URL parameters. Use a form instead with method POST. URLs are seen in the browser's address widget. And they also get copy-pasted into emails, Facebook, etc.

Juan
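A hardened version of the PHP endpoint from the question, putting the answer's points (POST instead of URL parameters, sanitize then validate, prepared statements) and Jay Blanchard's comment (hashed passwords) together. This is an added example, not code from the question or the answer; it assumes a PasswordHash column and a posted 'name' field, neither of which the question has, plus the $mysqli connection the question omits.

```php
<?php
// Added example, not code from the question or the answer. Assumes: the
// $mysqli connection the question omits, a table Employees(Name, PasswordHash)
// where PasswordHash was produced by password_hash(), and that the client
// POSTs both 'name' and 'password' (a hashed password cannot be looked up).
header('Content-Type: application/json');

// Read inputs from the POST body, never from the URL: URLs land in browser
// history, server logs and pasted links.
$name     = isset($_POST['name'])     ? trim($_POST['name']) : '';
$password = isset($_POST['password']) ? $_POST['password']   : '';

// Sanitize and validate the identifier (allow-listed characters, max length).
// The password is deliberately not trimmed or escaped: it is only ever hashed.
if ($name === '' || strlen($name) > 64
    || !preg_match('/^[A-Za-z0-9 .\'-]+$/', $name) || $password === '') {
    http_response_code(400);
    echo json_encode(['error' => 'name and password are required']);
    exit;
}

// Prepared statement: the SQL text and the bound value travel separately, so
// the value can never become part of the statement. Contrast the question's
//   "SELECT Name FROM Employees WHERE Password='$password'"
$stmt = $mysqli->prepare('SELECT Name, PasswordHash FROM Employees WHERE Name = ? LIMIT 1');
if ($stmt === false) {
    http_response_code(500);
    echo json_encode(['error' => 'query failed']);
    exit;
}
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->bind_result($dbName, $dbHash);
$found = $stmt->fetch();
$stmt->close();

// password_verify() compares against the stored hash in constant time. The
// response is the same for "no such employee" and "wrong password".
if (!$found || !password_verify($password, $dbHash)) {
    http_response_code(401);
    echo json_encode(['error' => 'invalid credentials']);
    exit;
}

// Only an authenticated request gets the record the C# client deserializes.
echo json_encode(['Name' => $dbName]);
```

On the C# side the same WebClient can POST these two fields with UploadValues(uri, "POST", values), where values is a NameValueCollection; the returned bytes are the JSON object above.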