我正在从我正在开发的SQL应用程序中发布字符串数据到SQL数据库。 (MAMP) - 本地服务器
我能够回应'从PHP到Android应用程序的所有POST数据,所以我相信java是稳固的。
php" echo $ username;"我在我的android模拟器上得到了andrewnguyen22。 它适用于我所有的php变量,所以我知道android POST工作正常。
当我硬编码$ POST信息并刷新php页面时,代码工作正常... 但是继续让我感到困惑的事情......
使用android应用程序时,sql数据库不会更新,而是回显用户名。这意味着没有行受到php的影响。任何人都可以看到我的错误吗?
下面我发布了我的PHP和Java。
PHP代码:
import android.app.AlertDialog;
import android.content.Context;
import android.os.AsyncTask;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
/**
* Created by andrewnguyen on 10/23/16.
*/
public class EditProfileBackgroundTask extends AsyncTask {
Context ctx;
AlertDialog alertDialog;
public EditProfileBackgroundTask(Context ctx) {
this.ctx = ctx;
}
@Override
protected void onPreExecute() {
alertDialog = new AlertDialog.Builder(ctx).create();
super.onPreExecute();
}
@Override
protected String doInBackground(String... params) {
String profile_url = "http://10.0.2.2:8888/profile.php";
String method = params[0];
if(method.equals("profile")){
Global global = new Global();
String fullName = params[1];
String age = params[2];
String bio = params[3];
String gender = params[4];
String location = params[5];
String year = params[6];
String username = params[7];
try {
URL url = new URL(profile_url);
HttpURLConnection httpURLConnection = (HttpURLConnection) url.openConnection();
httpURLConnection.setRequestMethod("POST");
httpURLConnection.setDoOutput(true);
httpURLConnection.setDoInput(true);
OutputStream OS = httpURLConnection.getOutputStream();
BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(OS, "UTF-8"));
String data = URLEncoder.encode("username", "UTF-8") + "=" +URLEncoder.encode(username, "UTF-8") +"&"+
URLEncoder.encode("fullName", "UTF-8") + "=" +URLEncoder.encode(fullName, "UTF-8") +"&"+
URLEncoder.encode("age", "UTF-8") + "=" +URLEncoder.encode(age, "UTF-8") +"&"+
URLEncoder.encode("bio", "UTF-8") + "=" +URLEncoder.encode(bio, "UTF-8") +"&"+
URLEncoder.encode("gender", "UTF-8") + "=" +URLEncoder.encode(gender, "UTF-8") +"&"+
URLEncoder.encode("year", "UTF-8") + "=" +URLEncoder.encode(year, "UTF-8") +"&"+
URLEncoder.encode("location", "UTF-8") + "=" +URLEncoder.encode(location, "UTF-8");
bufferedWriter.write(data);
bufferedWriter.flush();
bufferedWriter.close();
OS.close();
InputStream IS = httpURLConnection.getInputStream();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(IS, "iso-8859-1"));
String response = "";
String line = "";
while ((line = bufferedReader.readLine())!=null){
response+=line;
}
bufferedReader.close();
IS.close();
httpURLConnection.disconnect();
return response;
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
return "Create Profile Failure";
}
@Override
protected void onProgressUpdate(Void... values) {
super.onProgressUpdate(values);
}
@Override
protected void onPostExecute(String result) {
if (result .equals("0")) {
super.onPostExecute(result);
alertDialog.setMessage("YAY");
alertDialog.show();
}
else if (result .equals("1")) {
alertDialog.setMessage("NO");
alertDialog.show();
}
else{
alertDialog.setMessage(result);
alertDialog.show();//THIS IS WHERE I CAN SEE THE RESULT andrewnguyen22(as seen in php echo $username)
}
}
}
Android应用代码
{{1}}
它在我的Android模拟器上正确显示我的用户名...(通过警告对话框,如果在后期执行时也是如此)
答案 0 :(得分:1)
由于您没有转义数据,因此任何已发布字段中的简单'都会破坏您的连锁SQL语句。如果值以\结尾,则同样如此。可能还有更多场景......
注意:由于您已经表示不关心此脚本的安全性,因此我不会宣传使用预准备语句的重要性。但是,如果其他人稍后阅读此内容,则使用预备语句。
使用mysqli_real_escape_string()来逃避输入,以确保一个简单的角色不会弄乱你的陈述。
$username = mysqli_real_escape_string($conn, $_POST["username"]);
$fullName = mysqli_real_escape_string($conn, $_POST["fullName"]);
$age = mysqli_real_escape_string($conn, $_POST["age"]);
$bio = mysqli_real_escape_string($conn, $_POST["bio"]);
// ...do the same for the rest...