Android Question B4A and MySQL - SQL Injection Possibility?

killiak

Member
Licensed User
Longtime User
Guys, I'm struggling with security issues.

I have to connect to my ISP database; there is no other way around it... I cannot put a web app in there and cannot use RDC, ADO or whatever. I need a PHP + MySQL connection.

What worries me is possible SQL injection... 2 things.
1 - That someone uses a SELECT from outside my app (my app will have a login system)
2 - That someone injects a DROP or DELETE, or something that can mess up the DB.

Solution for 1: I create a session control, making a unique ID in the $_SESSION that is copied to the app when a login user & password succeeds, saving this ID in an app variable.

Can someone suggest a better approach on this?

Solution for 2: simply IF App(idSession) = $_SESSION THEN execute...

Again... do you think this is a good approach?

Another way that I'm considering is that the application sends the fields and the table only (not the query), and then in the PHP I concatenate a string to make the correct SELECT XXXXX... i.e. the PHP has the SELECT XXXXX FROM XXXX format and receives the fields and table from php://input to complete the query. So if someone tries to inject something else it will return nothing because of a format error... Is this crazy or what?

Thank you
 

DonManfred

Expert
Licensed User
Longtime User
It is not a good idea to send the complete query to PHP. Use only the needed parameters and create the query in PHP. Here you have control over all given POST or GET parameters and can use code to escape values (injections will not work).
 
Upvote 0

killiak

Member
Licensed User
Longtime User
It is not a good idea to send the complete query to PHP. Use only the needed parameters and create the query in PHP. Here you have control over all given POST or GET parameters and can use code to escape values (injections will not work).
That's what I was thinking.... Erel's sample has the query in the code. I'll change that now. Thanks for the reply.
 
Upvote 0

killiak

Member
Licensed User
Longtime User
This is (shortly) discussed in the tutorial: http://www.b4x.com/android/forum/threads/connect-android-to-mysql-database-tutorial.8339/#content

As @DonManfred wrote you can hardcode the queries in the PHP script and then only send the parameters.
Do you think using .PostString(url, ("Keys for $_POST")) is the best, or is there something better?

Sorry... I didn't follow the 20 pages of the tutorial thread... I have to say that I quit when I saw a lot of "404 error, why" and "500 error, why" and blah blah blah.... People crying because they don't have a clue about servers, XAMPP, localhost, PHP and so on... I didn't know that there was more than that (I even read about a student who wants B4A for free because Android is free :D)

I will read the complete 20-page thread and then, if I cannot find it, I will ask again... sorry Erel, and let me tell you that it is amazing how you always respond.

Regards!
 
Upvote 0
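A PHP-side sketch of the approach the replies above describe (session check first, query hardcoded in the script, only parameters posted by the app), added here as an example and not code from the thread or from the B4A tutorial. It assumes the POST keys session_id, table, field and value, that the login script stored a random token in $_SESSION['app_token'] and returned it to the app, that the app keeps the PHP session cookie between requests, and placeholder DB credentials; it also handles the case the first post raises, where the app sends table and field names, by checking them against an allow-list since identifiers cannot be bound as parameters.

```php
<?php
// Added example (not from the thread). Assumed POST keys: session_id, table, field, value.
// Assumed: the login script did $_SESSION['app_token'] = bin2hex(random_bytes(16));
// and returned that value to the app, which stores it and sends it with every request.
session_start();

// 1. Reject any request that does not carry the token handed out at login,
//    before a single line of SQL runs. hash_equals avoids timing leaks.
if (!isset($_SESSION['app_token'], $_POST['session_id'])
    || !hash_equals($_SESSION['app_token'], (string) $_POST['session_id'])) {
    http_response_code(401);
    exit;
}

// 2. Table and column names cannot be bound as prepared-statement parameters,
//    so the script only accepts names it already knows. Anything else is refused
//    instead of being concatenated into the query (constructed sample schema).
$allowed = [
    'customers' => ['id', 'name', 'email'],
    'orders'    => ['id', 'customer_id', 'total'],
];
$table = $_POST['table'] ?? '';
$field = $_POST['field'] ?? '';
if (!isset($allowed[$table]) || !in_array($field, $allowed[$table], true)) {
    http_response_code(400);
    exit;
}

// 3. The value is bound, never concatenated. With emulated prepares disabled,
//    PDO sends the statement and the value to MySQL separately, so quotes or
//    semicolons inside the value cannot change the statement.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// The column list comes from the allow-list, not from the request body.
$columns = implode(', ', array_map(function ($c) { return "`$c`"; }, $allowed[$table]));
$stmt = $pdo->prepare("SELECT $columns FROM `$table` WHERE `$field` = ? LIMIT 50");
$stmt->execute([(string) ($_POST['value'] ?? '')]);

header('Content-Type: application/json');
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

Because the script never reads a query from the app, a client that bypasses the app can still only reach the SELECT above, and only on the tables and columns in the allow-list; the DB account the script logs in with should likewise be limited to the rights that statement needs.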