0

This is part of a android app... I have the php script working when I specify the mysql_query without using .$_POST['varname']. To add search ability to the app using different parameters that are user definable I am trying to build the query in the PHP script from values that are passed from the app when the httpget is called... The Line of the php script looks likes this:

$result = mysql_query("SELECT * FROM businessdata WHERE '"
    . $_POST['varQuery2']."' =  '" 
    . $_POST['varQuery1']"'") 
    or die(mysql_error());

And then the method is as follows: (For Completeness here method is assigned the string value "GET" when this method is called)

    public JSONObject makeHttpRequest(String url, String method,
        List<NameValuePair> params, String value, String value2) {

    // Making HTTP request
    try {

        // check for request method
        if(method == "POST"){
            // request method is POST
            // defaultHttpClient
            DefaultHttpClient httpClient = new DefaultHttpClient();
           params.add(new BasicNameValuePair("varQuery2", value));
           params.add(new BasicNameValuePair("varQuery1", value2)); 
           HttpPost httpPost = new HttpPost(url);
            httpPost.setEntity(new UrlEncodedFormEntity(params));

            HttpResponse httpResponse = httpClient.execute(httpPost);
            HttpEntity httpEntity = httpResponse.getEntity();
            is = httpEntity.getContent();

        }else if(method == "GET"){
            // request method is GET
            DefaultHttpClient httpClient = new DefaultHttpClient();

            params.add(new BasicNameValuePair("varQuery2", value));
            params.add(new BasicNameValuePair("varQuery1", value2)); 
            String paramString = URLEncodedUtils.format(params, "UTF-8");
            url += "?" + paramString;
            HttpGet httpGet = new HttpGet(url);

            HttpResponse httpResponse = httpClient.execute(httpGet);
            HttpEntity httpEntity = httpResponse.getEntity();
            is = httpEntity.getContent();
        }           

    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    } catch (ClientProtocolException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    }

    try {
        BufferedReader reader = new BufferedReader(new InputStreamReader(
                is, "iso-8859-1"), 8);
        StringBuilder sb = new StringBuilder();
        String line = null;
        while ((line = reader.readLine()) != null) {
            sb.append(line + "\n");
        }
        is.close();
        json = sb.toString();
    } catch (Exception e) {
        Log.e("Buffer Error", "Error converting result " + e.toString());
    }

    // try parse the string to a JSON object
    try {
        jObj = new JSONObject(json);
    } catch (JSONException e) {
        Log.e("JSON Parser", "Error parsing data " + e.toString());
    }

    // return JSON String
    return jObj;

}
Improve this question
5
  • Shouldn't the line String paramString = URLEncodedUtils.format(params, "UTF-8"); come after you have added parameters? Commented Oct 22, 2012 at 4:19
  • Dunno but sounds logical... Let me see what happens..I will update the post with current code after I try it... Commented Oct 22, 2012 at 4:21
  • Your PHP Code and question refers to HTTPPost but you are performing HTTPGet in HTTPClient. There seems to be a disconnect in code. Commented Oct 22, 2012 at 4:29
  • The posted code was changed to reflect this... But its failing with "stopped unexpectedly" ... I have tried to use a breakpoint to look at the data in the variables but eclipse doesn't pay attention to any breakpoints I have set no matter where I put them. Commented Oct 22, 2012 at 4:30
  • Full code of the method is shown above Commented Oct 22, 2012 at 4:31

1 Answer 1

Reset to default
1 
$result = mysql_query("SELECT * FROM businessdata WHERE '"
    . mysql_real_escape_string($_REQUEST['varQuery2'])."' =  '" 
    . mysql_real_escape_string($_REQUEST['varQuery1'])."'") 
    or die(mysql_error());

use *_real_escape_string for dealing with sql injection.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.