
In my PHP script I do this:

$q=mysql_query($_REQUEST['query']); // runs whatever SQL text the client sent

$output=array(); // so json_encode() gets an empty array, not null, when there are no rows
while($e=mysql_fetch_assoc($q))
    $output[]=$e;

print(json_encode($output));

mysql_close();

and in Android I would like to execute this:

nameValuePairs.add(new BasicNameValuePair("query", "SELECT name FROM RecOrg_Univ WHERE city='Rome'"));

Where am I wrong?

If I put the whole SELECT.... into the PHP script and I send only the attribute "Rome" it works, otherwise no.. :( but I need to send an entire SELECT......

Sh4iDo
  • Just a note: [Be aware of SQL injection](http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain) –  Aug 26 '11 at 22:39
  • That's beyond injection. That's full-on open heart surgery. – webbiedave Aug 26 '11 at 22:43

1 Answer


Example of PDO prepare, to protect you from injections.

From [Android]: nameValuePairs.add(new BasicNameValuePair("city", "Rome"));

Receiver script:

<?php
$hostname = 'localhost';
$username = 'username';
$password = 'password';

if(isset($_REQUEST['city'])){
    $city=$_REQUEST['city'];
}else{
    die('Missing Something...');
}

$dbh = new PDO("mysql:host=$hostname;dbname=YOURDB", $username, $password);
/*** throw exceptions on SQL errors instead of failing silently ***/
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

/*** The SQL SELECT statement: the value is bound, never pasted into the query text ***/
$stmt = $dbh->prepare("SELECT name FROM RecOrg_Univ WHERE city=:city");
$stmt->bindParam(':city', $city);
/**Execute it**/
$stmt->execute();

/*** fetch the results ***/
$result = $stmt->fetchAll();

/*** loop over the results, hold them in an array, then echo ***/
$output = array();
foreach($result as $row)
{
    $output[]=$row['name'];
}
echo json_encode($output);

/*** close the database connection ***/
$dbh = null;
?>
Lawrence Cherone
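A more general form of the answer's approach, as an added example that is not from the question or the answer: the Android side sends a query name plus its parameters (for example q=univ_by_city&city=Rome) and the server maps that name to a fixed prepared statement, so the SQL text itself never comes from the request. Table and column names are the question's; the credentials, database name and the second query are assumed placeholders.

```php
<?php
// Added example, not the answer's code: accept a query *name* and parameters from
// the client, never SQL. Credentials, DB name and 'univ_by_name' are placeholders.
$hostname = 'localhost';
$username = 'username';
$password = 'password';

// Allow-list of queries the client may run. Only the placeholders are filled from
// client input; the SQL text is fixed on the server.
$queries = array(
    'univ_by_city' => array(
        'sql'    => 'SELECT name FROM RecOrg_Univ WHERE city = :city',
        'params' => array('city'),
    ),
    'univ_by_name' => array(   // assumed second query, for illustration only
        'sql'    => 'SELECT name, city FROM RecOrg_Univ WHERE name LIKE :name',
        'params' => array('name'),
    ),
);

$name = isset($_REQUEST['q']) ? $_REQUEST['q'] : '';
if (!isset($queries[$name])) {
    http_response_code(400);
    exit(json_encode(array('error' => 'unknown query')));
}
$spec = $queries[$name];

// Every declared parameter must be present; any extra request fields are ignored.
$bind = array();
foreach ($spec['params'] as $p) {
    if (!isset($_REQUEST[$p])) {
        http_response_code(400);
        exit(json_encode(array('error' => "missing parameter: $p")));
    }
    $bind[':' . $p] = $_REQUEST[$p];
}

try {
    $dbh = new PDO("mysql:host=$hostname;dbname=YOURDB", $username, $password, array(
        PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES  => false, // real server-side prepared statements
    ));
    $stmt = $dbh->prepare($spec['sql']);
    $stmt->execute($bind);                 // values are bound, never interpolated
    echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
} catch (PDOException $e) {
    http_response_code(500);
    error_log($e->getMessage());           // details stay in the server log
    echo json_encode(array('error' => 'query failed'));
}
```

On the Android side the two BasicNameValuePair entries are then "q" with the query name and "city" with the value, and adding a new query means adding an entry to $queries rather than letting the client send SELECT text.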