0

这是android应用程序的一部分...当我指定mysql_query而不使用.$_POST ['varname']时,我的php脚本正在工作。为了使用用户可定义的不同参数向应用程序添加搜索功能,我尝试根据调用 httpget 时从应用程序传递的值在 PHP 脚本中构建查询...... php 脚本的行看起来像这样:

$result = mysql_query("SELECT * FROM businessdata WHERE '"
    . $_POST['varQuery2']."' =  '" 
    . $_POST['varQuery1']"'") 
    or die(mysql_error());

然后方法如下:(为了完整性,这里方法在调用该方法时被赋予字符串值“GET”)

    public JSONObject makeHttpRequest(String url, String method,
        List<NameValuePair> params, String value, String value2) {

    // Making HTTP request
    try {

        // check for request method
        if(method == "POST"){
            // request method is POST
            // defaultHttpClient
            DefaultHttpClient httpClient = new DefaultHttpClient();
           params.add(new BasicNameValuePair("varQuery2", value));
           params.add(new BasicNameValuePair("varQuery1", value2)); 
           HttpPost httpPost = new HttpPost(url);
            httpPost.setEntity(new UrlEncodedFormEntity(params));

            HttpResponse httpResponse = httpClient.execute(httpPost);
            HttpEntity httpEntity = httpResponse.getEntity();
            is = httpEntity.getContent();

        }else if(method == "GET"){
            // request method is GET
            DefaultHttpClient httpClient = new DefaultHttpClient();

            params.add(new BasicNameValuePair("varQuery2", value));
            params.add(new BasicNameValuePair("varQuery1", value2)); 
            String paramString = URLEncodedUtils.format(params, "UTF-8");
            url += "?" + paramString;
            HttpGet httpGet = new HttpGet(url);

            HttpResponse httpResponse = httpClient.execute(httpGet);
            HttpEntity httpEntity = httpResponse.getEntity();
            is = httpEntity.getContent();
        }           

    } catch (UnsupportedEncodingException e) {
        e.printStackTrace();
    } catch (ClientProtocolException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    }

    try {
        BufferedReader reader = new BufferedReader(new InputStreamReader(
                is, "iso-8859-1"), 8);
        StringBuilder sb = new StringBuilder();
        String line = null;
        while ((line = reader.readLine()) != null) {
            sb.append(line + "\n");
        }
        is.close();
        json = sb.toString();
    } catch (Exception e) {
        Log.e("Buffer Error", "Error converting result " + e.toString());
    }

    // try parse the string to a JSON object
    try {
        jObj = new JSONObject(json);
    } catch (JSONException e) {
        Log.e("JSON Parser", "Error parsing data " + e.toString());
    }

    // return JSON String
    return jObj;

}
4

1 回答 1

1 
$result = mysql_query("SELECT * FROM businessdata WHERE '"
    . mysql_real_escape_string($_REQUEST['varQuery2'])."' =  '" 
    . mysql_real_escape_string($_REQUEST['varQuery1'])."'") 
    or die(mysql_error());

使用 *_real_escape_string 处理 sql 注入。

于 2012-10-22T04:54:17.783 回答