
I'm attempting to select users from a database (displaying them in a tableview) using a value that is retrieved from a variable.

Here is the code that accomplishes it:

```objc
NSString *post = [[NSString alloc] initWithFormat:@"location=%@", _detailText];
NSLog(@"detailtextCount=%@", _detailText);

NSURL *url = [NSURL URLWithString:getDataURL];
NSData *postData = [post dataUsingEncoding:NSASCIIStringEncoding allowLossyConversion:YES];
NSString *postLength = [NSString stringWithFormat:@"%lu", (unsigned long)[postData length]];
NSMutableURLRequest *request = [[NSMutableURLRequest alloc] init];
[request setURL:url];
[request setHTTPMethod:@"POST"];
[request setValue:postLength forHTTPHeaderField:@"Content-Length"];
[request setValue:@"application/json" forHTTPHeaderField:@"Accept"];
[request setValue:@"application/x-www-form-urlencoded" forHTTPHeaderField:@"Content-Type"];
[request setHTTPBody:postData];

NSError *error = [[NSError alloc] init];
NSHTTPURLResponse *response = nil;
NSData *urlData = [NSURLConnection sendSynchronousRequest:request returningResponse:&response error:&error];

if ([response statusCode] >= 200 && [response statusCode] < 300) {

}

NSData *data = [NSData dataWithContentsOfURL:url];

_jsonArray = [NSJSONSerialization JSONObjectWithData:data options:kNilOptions error:nil];

_usersArray = [[NSMutableArray alloc] init];

for (int i = 0; i < _jsonArray.count; i++) {

    NSString *uName = [[_jsonArray objectAtIndex:i] objectForKey:@"Username"];

    [_usersArray addObject:[[Locations alloc] initWithUserName:uName]];

    NSLog(@"useresArray=%@", uName);

    [self.tableViews reloadData];

}
```

My PHP script after connecting to db:

```php
    $location = $_POST['location'];

    $query = "SELECT * FROM user WHERE location= '$location'";
    $resultset = mysql_query($query,$connection);

    $records = array();

    while($r = mysql_fetch_assoc($resultset))
    {
        $records[] = $r;
    }

    echo json_encode($records);
}
```

My NSLog for _detailText returns the correct value, though my tableView is left empty. When I copy the contents of _detailText and place them in my PHP script in place of $location it will correctly populate my tableView, so somewhere the variable $location is getting lost.

rmaddy
tysco
  • Are you sure this format for post is right "location=%@" ? – 3stud1ant3 Aug 26 '17 at 14:10
  • What's `mysql_squery`? You're also open to SQL injection. – Lawrence Cherone Aug 26 '17 at 14:13
  • @3stud1ant3, not 100%.. though I believe so, I've had success updating user info in the past (taking current username and sending it to PHP in the same fashion). – tysco Aug 26 '17 at 14:13
  • @LawrenceCherone typo, fixed. Also not too aware about SQL injections, I changed information in my questions to not reflect my actual table names, assuming that will cover myself from SQL injections? – tysco Aug 26 '17 at 14:14
  • To protect against SQL injection, you should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Aug 26 '17 at 15:51
  • Also, don't use the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Aug 26 '17 at 15:52
  • Thanks Alex I'll look into these! – tysco Aug 26 '17 at 15:52

0 Answers
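Added example (not code from the question or its comments): the prepared statement with a bound parameter that the comments recommend, next to the question's string-built query. The in-memory SQLite database, the sample rows, the crafted input and all function names are constructed for illustration; the asker's real endpoint uses MySQL.

```php
<?php
// Added example. Constructed data: an in-memory SQLite table stands in for
// the question's MySQL `user` table so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE user (Username TEXT, location TEXT)");
$pdo->exec("INSERT INTO user VALUES ('alice', 'Berlin'), ('bob', 'Paris')");

// The question's pattern: the posted value is spliced into the SQL text, so a
// quote character in it ends the string literal and the rest is parsed as SQL.
function usersConcatenated(PDO $pdo, string $location): array
{
    $query = "SELECT * FROM user WHERE location= '$location'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement with a bound parameter: the SQL text is fixed and the
// value travels separately, so it is only ever compared as data.
function usersPrepared(PDO $pdo, string $location): array
{
    $stmt = $pdo->prepare('SELECT Username FROM user WHERE location = :location');
    $stmt->bindValue(':location', $location, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Endpoint logic (hypothetical helper): reject a request that carries no
// usable `location` field instead of running the query with an empty value.
function handleRequest(PDO $pdo, array $post): array
{
    $location = $post['location'] ?? null;
    if (!is_string($location) || $location === '') {
        return [400, json_encode(['error' => 'location is required'])];
    }
    return [200, json_encode(usersPrepared($pdo, $location))];
}

$crafted = "x' OR '1'='1"; // constructed input containing a quote
foreach (['Berlin', $crafted] as $value) {
    printf("%-14s concatenated=%d rows, prepared=%d rows\n", $value,
        count(usersConcatenated($pdo, $value)), count(usersPrepared($pdo, $value)));
}
[$status, $body] = handleRequest($pdo, []);            // no POST field at all
printf("missing field -> HTTP %d %s\n", $status, $body);
[$status, $body] = handleRequest($pdo, ['location' => 'Paris']);
printf("location=Paris -> HTTP %d %s\n", $status, $body);
```

Against MySQL only the `PDO` constructor changes (a `mysql:` DSN with credentials); the prepared query and binding stay the same.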