0

In my app I have a specific form for the user to complete and I want to store these data in my online DB.

Here is my code in java:

public void send_data_to_DB(){
    String result = "";
    InputStream is = null;
    StringBuilder sb=null;
    ArrayList<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();//() before
    nameValuePairs.add(new BasicNameValuePair("table", table));
    nameValuePairs.add(new BasicNameValuePair("code", Integer.toString(code)));
    nameValuePairs.add(new BasicNameValuePair("name", name));
    nameValuePairs.add(new BasicNameValuePair("email", email));
    try{
        HttpClient httpclient = new DefaultHttpClient();
        HttpPost httppost = new HttpPost("http://myurl.php");
        HttpEntity entity = new UrlEncodedFormEntity(nameValuePairs);
        httppost.addHeader(entity.getContentType());
        httppost.setEntity(entity);
        HttpResponse response = httpclient.execute(httppost);
        //HttpEntity entity = response.getEntity();
        //is = entity.getContent();
    }catch(Exception e){
        Log.e("log_tag", "Error in http connection "+e.toString());
    }
}

And here is my PHP script:

<?php

    mysql_connect("dserver","User","Code");

    mysql_select_db("DB_Name");

$table.=$_POST['table'];
$code.=$_POST['code'];
$name.=$_POST['name'];
$email.=$_POST['email'];

  $q=mysql_query(" INSERT INTO {$table} (code,name,email) VALUES ({$code},{$name},{$email}) ")or die(mysql_error());


mysql_close();
?>

I think it must be something in my PHP and the way I am assigning or using the variables, but I am not quite experienced in PHP. Can you help me?

2
  • Your code is vulnerable to SQL injection. You really should be using prepared statements, into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of Bobby Tables. Commented Sep 2, 2012 at 18:57
  • Also, as stated in the introduction to the PHP manual chapter on the mysql_* functions: This extension is not recommended for writing new code. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API. Commented Sep 2, 2012 at 18:58

2 Answers

1

On PHP side it must be .= instead of =..

EDIT:

The quotes in the SQL statement are missing:

Change to

"INSERT INTO {$table} (code,name,email) VALUES ('{$code}','{$name}','{$email}')"

2 Comments

I changed that and still nothing was added to my table.
Actually, in your case you can just write = as you are not concatenating anything.
0
$table=.$_POST['table'];
$code=.$_POST['code'];
$name=.$_POST['name'];
$email=.$_POST['email'];

You have an extra dot after every equal sign; that probably causes a syntax error.

Your other problem is an SQL injection vulnerability; always check/escape values properly before using them in a query.
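
The prepared-statement approach that the comments and the answers point to, as an added example that is not part of the original posts. The function name `insert_row`, the table allowlist and the sample input are assumptions made for illustration; the demo uses an in-memory SQLite database through PDO so it runs without a server.

```php
<?php
// Added example (not the asker's code). Table names cannot be bound as
// parameters, so the posted name is checked against a fixed allowlist.
// 'students' and 'teachers' are assumed table names.
const ALLOWED_TABLES = ['students', 'teachers'];

function insert_row(PDO $pdo, array $post): int
{
    $table = $post['table'] ?? '';
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    // Reject a non-integer code instead of silently casting it.
    $code = filter_var($post['code'] ?? null, FILTER_VALIDATE_INT);
    if ($code === false) {
        throw new InvalidArgumentException('code must be an integer');
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email');
    }
    $name = (string) ($post['name'] ?? '');

    // $table is now one of the allowlist literals; every value is bound,
    // so quotes inside $name are stored as data and never parsed as SQL.
    $stmt = $pdo->prepare(
        "INSERT INTO {$table} (code, name, email) VALUES (:code, :name, :email)"
    );
    $stmt->execute([':code' => $code, ':name' => $name, ':email' => $email]);
    return $stmt->rowCount();
}

// Demo database. For MySQL the DSN would look like
// 'mysql:host=HOST;dbname=DB_NAME;charset=utf8mb4' (placeholders).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE students (code INTEGER, name TEXT, email TEXT)');

// Constructed input standing in for $_POST.
$post = ['table' => 'students', 'code' => '42',
         'name' => "Robert'); DROP TABLE students;--",
         'email' => 'bobby@example.com'];
insert_row($pdo, $post);
$stored = $pdo->query('SELECT name FROM students')->fetchColumn();
echo $stored === $post['name'] ? "stored verbatim\n" : "mismatch\n";

try {   // A table name outside the allowlist never reaches the query.
    insert_row($pdo, ['table' => 'students; DROP TABLE students'] + $post);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```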
