
The problem with the code below is the variable sp1. When I replace sp1 in the "where" clause with a city name that already exists in the database, everything works well. But when I send the startPoli1 variable from my app, PHP returns nothing. Logcat shows that startPoli1 is being sent every time. Any suggestion?

<?php
$con = mysql_connect("......", "......", "......");
$database = "......";
$ok = mysql_select_db($database, $con);
mysql_set_charset("UTF8", $con);

$us1 = $_POST['username1'];
$sp1 = $_POST['startPoli1'];
$fp1 = $_POST['finalPoli1'];
$w1  = $_POST['weight1'];
$em1 = $_POST['eidosmetaf1'];
$dD1 = $_POST['depDate1'];
$dT1 = $_POST['depTime1'];

$sql = mysql_query("SELECT `username1`, `startPoli1`, `finalPoli1`, `eidosmetaf1`, `weight1`, `depDate1`, `depTime1`, `tilefono1`
    FROM customer, registration1
    WHERE (customer.startPoli1 = 'sp1')
      AND (customer.username1 = registration1.username)");

if ($sql === FALSE) {
    die(mysql_error());
}

$results = array();
while ($row = mysql_fetch_assoc($sql)) {
    $results[] = array(
        'username1'   => $row['username1'],
        'startPoli1'  => $row['startPoli1'],
        'finalPoli1'  => $row['finalPoli1'],
        'eidosmetaf1' => $row['eidosmetaf1'],
        'weight1'     => $row['weight1'],
        'depDate1'    => $row['depDate1'],
        'depTime1'    => $row['depTime1'],
        'tilefono1'   => $row['tilefono1']
    );
}

echo json_encode(array('select_itin_results' => $results));
mysql_close($con);
?>
  • In your code you're not even using the sent values for anything. Is that on purpose, or did you post the wrong code? Commented Oct 27, 2014 at 13:15
  • WARNING: You're very vulnerable to SQL injection. You should take some measures to secure your app. Commented Oct 27, 2014 at 13:16
  • Note: You should be using prepared statements to build your SQL queries and never pass user data directly into your queries without sanitizing it. Commented Oct 27, 2014 at 13:17
  • So, in other words, my friend, you have 2 options: 1. make it work with a framework; 2. use prepared statements :) Commented Oct 27, 2014 at 13:17
  • @AresDraguna #1 option isn't guaranteed. Commented Oct 27, 2014 at 13:18

2 Answers

You're not using the value of the variable $sp1.

Instead, you're using the string 'sp1'; the dollar symbol $ is missing in your clause:

where (customer.startPoli1 = 'sp1')

should be changed to:

where (customer.startPoli1 = '$sp1')

But beware of the threat that comes along with the solution:

You are vulnerable to SQL injection, which you can avoid by no longer using the mysql_* functions, since they're deprecated, and instead beginning to use prepared statements with PDO or mysqli_*. You can see how by checking other useful posts about the matter.


You forgot to add $ before the variable name, i.e. where (customer.startPoli1 = '$sp1'), so the final query is using the string "sp1" instead of the value of the variable $sp1.

After you understand that, learn about the proper way of making SQL queries to avoid people messing with your database with SQL injection.

4 Comments

  • And then you have a great SQL-injection-ready code using deprecated mysql_ functions... ;)
  • First make it work, then make it secure; he clearly is starting to code.
  • Old habits are hard to get rid of. Better to start off with good ones.
  • I see your point, linked to "how to avoid sql injection in php".
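Both answers make the same two points: the missing $ means the query compares against the literal string 'sp1', and fixing that by interpolating '$sp1' into the SQL string leaves the script open to SQL injection. The following is an added example, not the asker's code or either answerer's, showing the same endpoint rewritten with a PDO prepared statement so the city name is bound as a parameter rather than spliced into the query text. The host, database name and credentials are placeholders; the table and column names are the ones used in the question, and the unqualified columns are kept unqualified as in the original because the page does not say which table `tilefono1` and the others live in.

```php
<?php
// Added example (not code from the question or answers): the query from the
// question, with the city name bound as a prepared-statement parameter.
// DSN host, database name and credentials below are placeholders.

header('Content-Type: application/json; charset=utf-8');

$dsn = 'mysql:host=localhost;dbname=YOUR_DATABASE;charset=utf8';
$pdo = new PDO($dsn, 'YOUR_USER', 'YOUR_PASSWORD', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of silently returning false
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares, not client-side quoting
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Read only the value this query needs. A missing POST key becomes an empty
// string instead of an "undefined index" notice.
$sp1 = isset($_POST['startPoli1']) ? (string) $_POST['startPoli1'] : '';

if ($sp1 === '') {
    http_response_code(400);
    echo json_encode(['error' => 'startPoli1 is required']);
    exit;
}

// Same SELECT and join condition as the question, with the implicit comma join
// written as an explicit INNER JOIN. The city name is a named placeholder:
// whatever the app sends (quotes, "OR 1=1", comments) is compared as a literal
// string value and never parsed as SQL.
$sql = 'SELECT `username1`, `startPoli1`, `finalPoli1`, `eidosmetaf1`,
               `weight1`, `depDate1`, `depTime1`, `tilefono1`
        FROM customer
        INNER JOIN registration1 ON customer.username1 = registration1.username
        WHERE customer.startPoli1 = :startPoli';

$stmt = $pdo->prepare($sql);
$stmt->execute([':startPoli' => $sp1]); // value travels separately from the SQL text

// fetchAll() with FETCH_ASSOC already produces the same shape the question
// builds by hand: a list of rows keyed by column name.
$results = $stmt->fetchAll();

echo json_encode(['select_itin_results' => $results]);
```

With ATTR_EMULATE_PREPARES turned off, PDO sends the statement text and the parameter value to MySQL in separate protocol messages, so there is no string into which a malicious value could be spliced; the `charset=utf8` in the DSN replaces the `mysql_set_charset("UTF8", ...)` call from the question and matters for the same reason (json_encode needs valid UTF-8). The same approach works with mysqli_prepare / bind_param if PDO is not available.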
