Tell me more ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite

In my app I ahve a specific form for the user to complete and I want to store these data in my online DB.

Here is my code in java:

public void send_data_to_DB(){
         String result = "";
         InputStream is = null;
         StringBuilder sb=null;
         ArrayList<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();//() before
         nameValuePairs.add(new BasicNameValuePair("table", table));
         nameValuePairs.add(new BasicNameValuePair("code", Integer.toString(code)));
         nameValuePairs.add(new BasicNameValuePair("name", name));
         nameValuePairs.add(new BasicNameValuePair("email", email));
            try{
                HttpClient httpclient = new DefaultHttpClient();
                HttpPost httppost = new HttpPost("http://myurl.php");
                HttpEntity entity = new UrlEncodedFormEntity(nameValuePairs);
                httppost.addHeader(entity.getContentType());
                httppost.setEntity(entity);
                HttpResponse response = httpclient.execute(httppost);
                //HttpEntity entity = response.getEntity();
                //is = entity.getContent();
        }catch(Exception e){
                Log.e("log_tag", "Error in http connection "+e.toString());
        }
     }

And Here is my php script:

<?php

    mysql_connect("dserver","User","Code");

    mysql_select_db("DB_Name");

$table.=$_POST['table'];
$code.=$_POST['code'];
$name.=$_POST['name'];
$email.=$_POST['email'];

  $q=mysql_query(" INSERT INTO {$table} (code,name,email) VALUES ({$code},{$name},{$email}) ")or die(mysql_error());


mysql_close();
?>

I think it must be something in my php and the way I am assigning or using the variables but I am not quite experienced in PHP. Can you help me?

share|improve this question
Your code is vulnerable to SQL injection. You really should be using prepared statements, into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of Bobby Tables. – eggyal Sep 2 '12 at 18:57
Also, as stated in the introduction to the PHP manual chapter on the mysql_* functions: This extension is not recommended for writing new code. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API. – eggyal Sep 2 '12 at 18:58

2 Answers

up vote 1 down vote accepted

On PHP side it must be .= instead of =..

EDIT:

The quotes in the SQL statement are missing:

Change to

"INSERT INTO {$table} (code,name,email) VALUES ('{$code}','{$name}','{$email}')"
share|improve this answer
i changed that and still nothing was added to my table. – ghostrider Sep 2 '12 at 18:59
actually, in your case you can jsut write = as you are not concating anything. – Ridcully Sep 2 '12 at 19:13
1  
Actual mistake are missing quotes -- see edited answer. – Ridcully Sep 2 '12 at 19:15
up vote 0 down vote 
$table=.$_POST['table'];
$code=.$_POST['code'];
$name=.$_POST['name'];
$email=.$_POST['email'];

you have extra dot after every equal sign, that probably causes syntax error.

Your other problem is sql injection vulnerability, always check /escape properly values before using in query.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.