0

I successfully configured ACRA to send my caught exceptions to my server; the problem is I can't insert the report into the database:

@AcraCore(buildConfigClass = BuildConfig.class)
@AcraHttpSender(uri = "http://www.myserver.com/crashreports/addreport.php",
        httpMethod = HttpSender.Method.POST)

public class MyApplication extends Application {
    @Override
    protected void attachBaseContext(Context base) {
        super.attachBaseContext(base);

        ACRA.init(this);
    }
}

I know it sends something because I see an empty entry in my phpMyAdmin, but I can't get the report inside the database:

<?php
$link = mysqli_connect("localhost", "root", "pass", "db");

// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}

// Escape user inputs for security
$report = mysqli_real_escape_string($link, $_REQUEST['']);

// attempt insert query execution
$sql = "INSERT INTO VoiceRemoteCrash (report) VALUES ('$report')";

if(mysqli_query($link, $sql)){
    echo "Records added successfully.";
} else{
    echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}

// close connection
mysqli_close($link);
?>

I've searched docs, but didn't find much info, and my PHP knowledge is somewhat basic.

hiddeneyes02

2 Answers

1

$_REQUEST[''] will return NULL and will throw an "undefined index" notice.

You could get your report from POST raw data using file_get_contents('php://input').

I suggest you have a look at: How can I prevent SQL injection in PHP? and use parameterized queries.

Syscall
0

This line references a nonsense variable:

$report = mysqli_real_escape_string($link, $_REQUEST['']);

You want something like:

$report = mysqli_real_escape_string($link, $_REQUEST['form_variable_name']);

But you shouldn't even do that, because the real_escape_string() functions cannot be relied on to prevent SQL injection. Instead, you should use prepared statements with bound parameters, via either the mysqli or PDO driver. This post has some good examples.

Alex Howansky
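
The two answers' suggestions combined (raw body from php://input, insert through a prepared statement), as an added example that is not code from the question or from either answer. It assumes ACRA delivers the report as the raw POST body and stores that body unparsed; the table, column and connection values are the question's own, and MAX_REPORT_BYTES is a hypothetical cap chosen for illustration.

```php
<?php
declare(strict_types=1);
// Added example: addreport.php rewritten to read the raw POST body
// and insert it with a bound parameter instead of string interpolation.

const MAX_REPORT_BYTES = 1048576; // hypothetical 1 MiB cap, adjust as needed

// Make mysqli throw exceptions instead of returning false (default since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

// Read one byte more than the cap so an oversized body is detected
// without loading all of it into memory.
$report = file_get_contents('php://input', false, null, 0, MAX_REPORT_BYTES + 1);
if ($report === false || $report === '') {
    http_response_code(400);
    exit('Empty report.');
}
if (strlen($report) > MAX_REPORT_BYTES) {
    http_response_code(413);
    exit('Report too large.');
}

try {
    // Connection values as in the question; a dedicated account limited to
    // INSERT on this table is preferable to root.
    $link = new mysqli('localhost', 'root', 'pass', 'db');
    $link->set_charset('utf8mb4');

    // The report travels as a bound parameter, so its content is never
    // parsed as SQL, whatever characters it contains.
    $stmt = $link->prepare('INSERT INTO VoiceRemoteCrash (report) VALUES (?)');
    $stmt->bind_param('s', $report);
    $stmt->execute();
    $stmt->close();
    $link->close();
    echo 'Report stored.';
} catch (mysqli_sql_exception $e) {
    // Log details server-side; do not echo SQL or driver errors to the client.
    error_log('addreport.php: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not store report.';
}
```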