Android Question B4A and Mysql - SQL Injection Possibility?

killiak

Member
Licensed User
Longtime User
Guys, i'm strugling myself about security issues.

I have to connect to my ISP Database, there is no other way around it...i cannot put a Webapp in there and cannot use RDC, ADO or whatever. I need PHP + Mysql Connection.

What Worries me is Possible SQL Injection...2 things.
1 - That someone use a Select Outside from my app (my app will have Login system)
2 - That someone inject a Drop or Delete, or something that can mess the DB.

Solutions on 1. I create a Session Control making a Unique ID in the $_SESSION that copies to the appp when a login User&password success, saving this IS in a App Variable.

Someone consider a better aproach on this?

Solution on 2.. simple IF App(idSession) = $_SESSION then Execute...

Again...Do you think is a good aproach?

Another way that i consider is that The Application Send the fields and the table only (not the Query) and then in then PHP i concatenate String a make the correct SELECT XXXXX... like in the PHP is the SELECT XXXXX FROM XXXX format and receive fields and Table from the php://input to complete the query. So if someone try to inject something else it will no return anything because of a format error.... Is this crazy or what?

Thank you
 
Sort by date Sort by votes

killiak

Member
Licensed User
Longtime User
DonManfred said:
It is not a good idea to send the complete query to php. Use only the needed parameters and create the query in php. Here you have comtrol over all given post or get parameters and can use code to escape values (injections will not work)
Click to expand...
That's what i was thinking.... Erel Sample has the query in the Code. I change that now. Thanks for the reply.
 
Upvote 0

killiak

Member
Licensed User
Longtime User
Erel said:
This is (shortly) discussed in the tutorial: http://www.b4x.com/android/forum/threads/connect-android-to-mysql-database-tutorial.8339/#content

As @DonManfred wrote you can hardcode the queries in the PHP script and then only send the parameters.
Click to expand...
Do you Think using .Poststring (url, ("Keys for $_POST")) it's the best or there is something better?

Sorry... i didn't follow the 20 pages of the Tutorial thread... i have to say that i quit when i saw a lot of "404 error, why" and "500 error why" and blah blah blah....People crying because they don't have a clue about servers, Xampps, Localhost, PHP and so on... I didn't know that there was more than that (i even read about a student that wants b4a for free because android is free )

I will read the complete 20 pages Thread and then if i cannot find it i will ask again... sorry Erel and let me tell you that is amazing how you always respond

Regards!
 
Upvote 0
You must log in or register to reply here.

Similar Threads

  • Article
Share My Creation [B4J] [MySQL] [API] Server (Key + Token) and [B4X] User Login Apps
2 3
Replies
46
Views
23K
aeric
  • Article
B4J Library [B4X] [B4XLib] SD_SQL (direct access to MySQL, MariaDB, MS SQL, FireBird)
2 3 4
Replies
64
Views
23K
Star-Dust
  • Article
Share My Creation (PHP/MySQL/API) User Login App
4 5 6
Replies
108
Views
48K
aeric
  • Locked
  • Article
B4A Library JdbcSQL - Directly connect to remote databases
2
Replies
23
Views
64K
Erel
  • Article
Share My Creation Erels [B4X] CloudKVS - synchronized key / value store - MySQL
Replies
12
Views
9K
janderkan
Menu
Log in
Register
Cookies are required to use this site. You must accept them to continue using the site. Learn more…