错误“索引80处查询中的非法字符”

时间:2013-10-25 16:29:02

标签: java android json http-get

我正在创建一个应用程序,它将一个SQL语句发送到PHP,该PHP搜索数据库并返回托管的JSON。

目前在我的应用程序中我传递了这个声明,SentenciaFinal也有这个值:

SELECT Nombre FROM Tierra WHERE Nivel <=1 AND CDE <=1000 AND VDE <=1000 AND Coste <=1000 AND Ataque <=1000 AND Defensa<=1000

错误如下:

10-25 16:12:36.201: E/ServicioRest(1240): Error!
10-25 16:12:36.201: E/ServicioRest(1240): java.lang.IllegalArgumentException: Illegal    character in query at index 80:   http://proyectosccv.zz.mu/AppAndroid/phps/ConsultaHabilidad.php?sentencia=SELECT Nombre FROM Tierra WHERE Nivel <=1 AND CDE <=1000 AND VDE <=1000 AND Coste <=1000 AND Ataque <=1000 AND Defensa<=1000
10-25 16:12:36.201: E/ServicioRest(1240):   at java.net.URI.create(URI.java:727)
10-25 16:12:36.201: E/ServicioRest(1240):   at org.apache.http.client.methods.HttpGet.<init>(HttpGet.java:75)
10-25 16:12:36.201: E/ServicioRest(1240):   at browser.habilidades.Busqueda.colocarList(Busqueda.java:63)
10-25 16:12:36.201: E/ServicioRest(1240):   at browser.habilidades.Busqueda.onCreate(Busqueda.java:40)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.Activity.performCreate(Activity.java:5104)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1080)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2144)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2230)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.ActivityThread.access$600(ActivityThread.java:141)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1234)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.os.Handler.dispatchMessage(Handler.java:99)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.os.Looper.loop(Looper.java:137)
10-25 16:12:36.201: E/ServicioRest(1240):   at android.app.ActivityThread.main(ActivityThread.java:5041)
10-25 16:12:36.201: E/ServicioRest(1240):   at java.lang.reflect.Method.invokeNative(Native Method)
10-25 16:12:36.201: E/ServicioRest(1240):   at java.lang.reflect.Method.invoke(Method.java:511)
10-25 16:12:36.201: E/ServicioRest(1240):   at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:793)
10-25 16:12:36.201: E/ServicioRest(1240):   at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:560)
10-25 16:12:36.201: E/ServicioRest(1240):   at dalvik.system.NativeStart.main(Native Method)

我运行的代码是:

private void colocarList(String SentenciaFinal) {
 try {


 HttpGet peticion = new HttpGet(
                           "http://proyectosccv.zz.mu/AppAndroid/phps/ConsultaHabilidad.php?sentencia="+SentenciaFinal);

            peticion.setHeader("content-type", "application/json");

            HttpClient httpClient = new DefaultHttpClient();
            HttpResponse resp = httpClient.execute(peticion);
            String respStr = EntityUtils.toString(resp.getEntity());

            JSONArray resparray = new JSONArray(respStr);

            int n = resparray.length();

            NombreHabilidades = new String[n];

            for (int i = 0; i < resparray.length(); i++) {
                    JSONObject respJSON = resparray.getJSONObject(i);

                    String nombre = respJSON.getString("Nombre");
                    NombreHabilidades[i] = nombre;
            }

            // Rellenamos la lista con los resultados
            ArrayAdapter<String> adaptador = new ArrayAdapter<String>(this,
                            android.R.layout.simple_list_item_1, NombreHabilidades);
            list.setAdapter(adaptador);


    } catch (Exception ex) {
            Log.e("ServicioRest", "Error!", ex);
    }

}

我知道如何使用json和我的应用程序,我已经提供了互联网连接许可。

我认为在判断中发生了一些错误,但不确定。

非常感谢! = D

2 个答案:

答案 0 :(得分:0)

转换为URI 

URI uri = new URI(
    "http", 
    "proyectosccv.zz.mu", 
    "/AppAndroid/phps/ConsultaHabilidad.php?sentencia=SELECT Nombre FROM Tierra WHERE Nivel <=1 AND CDE <=1000 AND VDE <=1000 AND Coste <=1000 AND Ataque <=1000 AND Defensa<=1000",
    null);
HttpGet peticion = new HttpGet(uri );

答案 1 :(得分:0)

虽然这里的答案可能涉及调用PHP脚本的技术方面,但我将在此解决安全问题。你有一个类别的链接:

http://domain.com/dir/phpfile.php?sql=SELECT Foo, Bar FROM...

这是一个很大的安全漏洞。想象一下用户加载:

http://domain.com/dir/phpfile.php?sql=DROP TABLE FooTable;

这会破坏你的SQL表,就像有人在这篇文章发表时所做的那样。{/ p>

我会完全重新考虑这一点。您必须接受参数并在过滤后将其添加到SQL查询中:

http://domaim.com/dir/phpfile.php?getitem=FooItem

会变成:

SELECT SomeCol from SomeTable WHERE SomeOtherCol='FooItem'

这可以通过将请求与SELECT SomeCol FROM SomeTable WHERE SomeOtherCol='连接到最后的'请求字符串作为最简单情况下的分隔符来完成。

然而,对于一方称之为“Sql Injection”的东西仍然存在黑客行为,其中一方要求:

http://domaim.com/dir/phpfile.php?getitem=FooItem'; DROP TABLE FooTable; --

仍会放弃表格。要解决此问题,请使用mysqli::real_escape_string作为

$filteredString = $db->realEscapeString($unsanitizedString);

然后您将连接过滤后的字符串。

相关问题
最新问题