PHP脚本将数据从mysql提取到android

时间:2015-08-01 11:53:03

标签: php android mysql

我有这个脚本,我想编辑它,以便在检查用户是否已存在userStatuesuserPosition

后,从用户表中向我的Android应用程序发送额外信息

PS :我试图自己编辑,但我没有正确的PHP知识,以使其工作或有时间学习PHP的时刻..如此友好的帮助,如果你可以:)

<?php
$hostname_localhost ="";
$database_localhost ="";
$username_localhost ="";
$password_localhost ="";
$localhost = mysql_connect($hostname_localhost,$username_localhost,$password_localhost)
or
trigger_error(mysql_error(),E_USER_ERROR);

mysql_select_db($database_localhost, $localhost);

$username = $_POST['username'];
$password = $_POST['password'];
$query_search = "select * from user where username = '".$username."' AND password = '".$password. "'";
$query_exec = mysql_query($query_search) or die(mysql_error());
$rows = mysql_num_rows($query_exec);
//echo $rows;
 if($rows == 0) { 
 echo "No Such User Found"; 
 }
 else  {
    echo "User Found"; 
}
?>

3 个答案:

答案 0 :(得分:1)

您现在拥有的解决方案非常容易受到SQL注入攻击。这是一个很好的链接,告诉你这是什么:http://www.w3schools.com/sql/sql_injection.asp

要解决此问题,您应该使用类似PDO的内容。既然你说你没有时间研究这些东西,即使我强烈建议这样做以避免像这样的漏洞,我会用非易受攻击的版本替换你的整个代码:

<?php
$hostname_localhost ="";
$database_localhost ="";
$username_localhost ="";
$password_localhost ="";
$localhost = new PDO("mysql:host=$hostname_localhost;dbname=database_localhost", $username_localhost, $password_localhost);

$username = $_POST['username'];
$password = $_POST['password'];

$query = "select * from user where username = :username AND password = :password";
$query->bindValue(':username', $username);
$query->bindValue(':password', $password);
$query->execute;

$results = $query->fetchAll();

if(count($results) == 0)
    echo "No Such User Found";
else {
    echo "User Found";
    $data = array("userStatuses" => $results[0]["userStatuses"]
              "userPosition" => $results[0]["userPosition"]);

    echo json_encode($data)

    // OR

    echo $results[0]["userStatuses"].'<br/>'.$results[0]["userPosition"];
}
?>

答案 1 :(得分:1)

在修复@Lightwind回答之后,这里是答案

<?php
$hostname_localhost ="";
$database_localhost ="";
$username_localhost ="";
$password_localhost ="";
$options_localhost  = array (PDO::ATTR_ERRMODE=>  PDO::ERRMODE_EXCEPTION);

$localhost = new PDO("mysql:host=$hostname_localhost;dbname=$database_localhost;charset=utf8", $username_localhost, $password_localhost,$options_localhost);

$username = filter_var($_POST['username'], FILTER_SANITIZE_STRING , NULL) ;;
$password = filter_var($_POST['password'], FILTER_SANITIZE_STRING , NULL) ;

$query  =  "select * from user where username = :username AND password = :password";
$sql     =$localhost->prepare ($query);
$sql->bindparam(':username', $username,PDO::PARAM_STR);
$sql->bindparam(':password', $password,PDO::PARAM_STR);
$sql->execute();

$results = $sql->fetchObject();

if (count($results) == 0) {
    echo "No Such User Found";
} else {
    echo "User Found";
    $data = array("status" => $results->userStatus);
    echo json_encode($data);
}
?>

答案 2 :(得分:0)

在你的代码部分之后

$query_search = "select * from user where username = '".$username."' AND password = '".$password. "'";

$query_exec = mysql_query($query_search) or die(mysql_error());
$rows = mysql_num_rows($query_exec);
//echo $rows;
if($rows == 0) { 
   echo "No Such User Found"; 
 }
 else  {
    echo "User Found"; 
 }

执行以下操作

$otherDetails = array();
while ( $row = mysql_fetch_assoc($query_exec) ) {
    $otherDetails['userStatues'];
    $otherDetails['userPosition'];
}
//$otherDetails contains what you want
//you can send it down as json
echo json_encode( $otherDetails );

请注意: 您的代码中显示以下行:

$query_search = "select * from user where username = '".$username."' AND password = '".$password. "'";

是安全问题的根源。例如,SQL注入并且还表明您没有在数据库中加密密码。

使用Php PDO解决SQL注入问题,并使用一些哈希算法来解决纯文本密码问题。

干杯

相关问题
最新问题