
In my PHP script I do this:

$output = array();

// runs whatever SQL text the client sent, unmodified (note: the mysql_* functions were removed in PHP 7)
$q=mysql_query($_REQUEST['query']);

while($e=mysql_fetch_assoc($q))
    $output[]=$e;

print(json_encode($output));

mysql_close();

And in Android I would like to execute this:

nameValuePairs.add(new BasicNameValuePair("query", "SELECT name FROM RecOrg_Univ WHERE city='Rome'"));

Where am I wrong?

If I put the whole SELECT.... into the PHP script and I send only the attribute "Rome" it works, otherwise no.. :( But I need to send an entire SELECT......

  • Just a note: Be aware of SQL injection. Commented Aug 26, 2011 at 22:39
  • That's beyond injection. That's full-on open heart surgery. Commented Aug 26, 2011 at 22:43

1 Answer


Example of PDO prepare, to protect you from injections.

From [Android]: nameValuePairs.add(new BasicNameValuePair("city", "Rome"));

Receiver script:

<?php
$hostname = 'localhost';
$username = 'username';
$password = 'password';

if(isset($_REQUEST['city'])){
    $city=$_REQUEST['city'];
}else{
    die('Missing Something...');
}

$dbh = new PDO("mysql:host=$hostname;dbname=YOURDB", $username, $password);
/*** throw on SQL errors instead of failing silently ***/
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

/*** The SQL SELECT statement: :city is a placeholder, the value is never spliced into the SQL text ***/
$stmt = $dbh->prepare("SELECT name FROM RecOrg_Univ WHERE city=:city");
$stmt->bindParam(':city', $city);
/**Execute it**/
$stmt->execute();

/*** fetch the results ***/
$result = $stmt->fetchAll();

/*** loop over the results, hold them in an array, then echo ***/
$output = array();   /* initialise so an empty result encodes as [] instead of null */
foreach($result as $row)
{
    $output[]=$row['name'];
}
echo json_encode($output);

/*** close the database connection ***/
$dbh = null;
?>
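An added example, not from the question or the answer, for the questioner's need to run several different SELECTs from the client: the Android side sends a query name plus its parameters, and the PHP side keeps an allow-list of SQL templates and binds only the parameters each template declares, so the client never controls SQL text. Assumed: the table RecOrg_Univ from the question, a hypothetical `country` column for the second query, and placeholder connection values.

```php
<?php
// Added example (not the original question's or answer's code): the client sends
// query=univ_by_city&city=Rome instead of raw SQL. Only names in $queries can run.
$dsn      = 'mysql:host=localhost;dbname=YOURDB;charset=utf8mb4'; // placeholder values
$username = 'username';
$password = 'password';

// Allow-list: query name => [SQL template with named placeholders, required parameters]
$queries = [
    'univ_by_city'    => ['SELECT name FROM RecOrg_Univ WHERE city = :city', ['city']],
    // 'country' column is hypothetical; it only illustrates a second named query
    'univ_by_country' => ['SELECT name, city FROM RecOrg_Univ WHERE country = :country', ['country']],
];

header('Content-Type: application/json');

$name = $_REQUEST['query'] ?? '';
if (!isset($queries[$name])) {
    http_response_code(400);
    exit(json_encode(['error' => 'unknown query']));
}
[$sql, $required] = $queries[$name];

// Collect exactly the declared parameters; any missing or non-string value rejects the request.
$params = [];
foreach ($required as $p) {
    if (!isset($_REQUEST[$p]) || !is_string($_REQUEST[$p])) {
        http_response_code(400);
        exit(json_encode(['error' => "missing parameter: $p"]));
    }
    $params[":$p"] = $_REQUEST[$p];
}

try {
    $dbh = new PDO($dsn, $username, $password, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    $stmt = $dbh->prepare($sql);
    $stmt->execute($params);       // values travel separately from the SQL text
    echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
} catch (PDOException $e) {
    error_log($e->getMessage());   // driver details go to the server log, not to the client
    http_response_code(500);
    echo json_encode(['error' => 'query failed']);
}
```

Adding a new report to the app then means adding one entry to `$queries` on the server rather than shipping SQL in the Android client.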