1

我正在尝试为 Android (在 Eclipse 中)编写登录系统,并且必须从外部 MySQL-DB 获取数据。

来源我拿了它的代码:连接到 MySQL 数据库

我试图从中获取数据的网站在这里。(我知道有一些安全问题,blabla,这不是我现在的问题^^)

我遇到的问题是,当我尝试运行应用程序时,出现“未找到密码”错误。此错误在此代码中捕获:

ArrayList<String> passwort = new ArrayList<String>();
ArrayList<String> benutzer = new ArrayList<String>();
try{
  jArray = new JSONArray(result);
  JSONObject json_data=null;
  for(int i=0;i<jArray.length();i++){
         json_data = jArray.getJSONObject(i);
         passwort.add(json_data.getString("pw"));
         benutzer.add(json_data.getString("benutzer"));

     }
  Intent intent = new Intent(this, MainActivity.class);
  intent.putExtra("arrayBenutzerExtra", benutzer);
  intent.putExtra("arrayPasswortExtra", passwort);
  startActivity(intent);

    }
    catch(JSONException e1){
      Toast.makeText(getBaseContext(), "No Password found" ,Toast.LENGTH_LONG).show();
    } catch (ParseException e1) {
        e1.printStackTrace();
}

另外,这是我与网站连接的代码,但这似乎不是问题,尽管我没有收到有关此的错误消息!

try{
 HttpClient httpclient = new DefaultHttpClient();
 HttpPost httppost = new HttpPost("http://winklermarkus.at/appconnection.php");
 httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
 HttpResponse response = httpclient.execute(httppost);
 HttpEntity entity = response.getEntity();
 is = entity.getContent();
   }catch(Exception e){
     Log.e("log_tag", "Error in http connection"+e.toString());
   }

.php 文件的代码在这里: 

$sql_pw = "SELECT ". "Passwort ". "FROM ". "benutzerdaten ";
    $result_pw = mysql_query ($sql_pw); 
    $data_pw = mysql_fetch_array ($result_pw);
    $pw = $data_pw["Passwort"];

    $sql_benutzer = "SELECT ". "Email ". "FROM ". "benutzerdaten ";
    $result_benutzer = mysql_query ($sql_benutzer); 
    $data_benutzer = mysql_fetch_array ($result_benutzer);
    $benutzer = $data_benutzer["Email"];

print(json_encode($pw));
print(json_encode($benutzer));

mysql_close();
?>

as Perception mentioned, I don't get valid JSON output, could this possibly be in relation with me, trying to transmit 2 strings at once?

4

1 回答 1

2

Your PHP code is not doing what you think it's doing. I cannot recommend a fix to it as you've created a significant security hole.

As an alternative strategy, instead of sending all the passwords and all the emails to the client (in an unassociated fashion no less), send the clients hashed password and email to the service (over SSL). Then on the service side query if you have the combination of email/pass in the database. If you do return login success, otherwise return login failed.

于 2012-12-10T14:59:27.150 回答