-4

I have already setup the blocks in App Inventor to submit data, because previously I did and it worked, however when retrieving data it worked too, except when I realized I have fetched all the data in the table and passed it into TinyDB, then from TinyDB, I compare the texts string that matches the user input.

Yes that allowed me to create a login page, but i was comparing data through App Inventor and not from MySQL. So what I did was I tried sending the strings from App Inventor into the php file, then supposedly it will query which will send out user id, username and password, where the username and password will be matched with the $_GET request from App Inventor(user).

Then the final result would be, the queried data would be then sent to App Inventor either as a row of string, and then I can use TinyDB to store the user id, so that on the next page, i can call the id, then query the user data according to my apps needs.

Here's the code

//Details in asterisk to hide.
<?php
define('DB_SERVER', '******');
define('DB_USERNAME', '*******');
define('DB_PASSWORD', '*******');
define('DB_DATABASE', '*******');
$db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);






$query = "SELECT user_id, username, user_password FROM User_Login WHERE                                                        username='$username' AND user_password='$password'",
$username = mysqli_real_escape_string($db,$_GET['username']),
$password = mysqli_real_escape_string($db,$_GET['password']);

// Perform Query
$result = mysqli_query($db,$query);

// Check result
// This shows the actual query sent to MySQL, and the error. Useful for     debugging.
if (!$result) {
$message  = 'Invalid query: ' . mysqli_error($db) . "\n";
$message .= 'Whole query: ' . $query;
die($message);
}

// Use result
// Attempting to print $result won't allow access to information in the   resource
// One of the mysql result functions must be used

while ($row = mysqli_fetch_assoc($result)) {
echo $row['$username'];
echo $row['username'];
echo $row['user_password'];
}

// Free the resources associated with the result set
// This is done automatically at the end of the script
mysqli_free_result($result);
?>
ceyhan49 Productions
  • 1
  • 2
  • 3
    That code's a disaster. You're mixing sql with php, which is NOT possible. you cannot run php code "inside" a string, much less generate valid sql code. And the sql is totally broken too – Marc B Jun 03 '16 at 18:08
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 03 '16 at 18:10
  • 1
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 03 '16 at 18:10
  • I'm actually new to php. I don't mind sql injections as this is my final year project, just need to get it working.. so any ideas how to change the code so it can display what i need? thanks :D – ceyhan49 Productions Jun 03 '16 at 18:39
  • Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' 'user_password' = (),' at line 1 Whole query: SELECT user_id, username, user_password FROM User_Login WHERE 'username' = , 'user_password' = (), – ceyhan49 Productions Jun 03 '16 at 18:41
  • the above happens where, $query = ("SELECT user_id, username, user_password FROM User_Login WHERE 'username' = $_GET[username], 'user_password' = ($_GET[password]),"); – ceyhan49 Productions Jun 03 '16 at 18:42
  • First think about the correct SELECT statement and then get it running [using this solution](https://puravidaapps.com/mysql.php). After that you can think about [Little Bobby Tables](https://xkcd.com/327/)... Btw. also [take the tour](http://stackoverflow.com/tour) and read [How to ask a good question](http://stackoverflow.com/help/how-to-ask)... – Taifun Jun 03 '16 at 19:34
  • Possible duplicate of [When to use single quotes, double quotes, and backticks?](http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks) – Mike Jun 03 '16 at 20:09

1 Answers1

0

here is one of my database php search files. you welcome to take any of it and use what you want. I went in and added some comments to help with some clarity. Everyone is welcome to make it better. I use it as a template when ever i need to make a search.php 

<?php

    mysql_connect("localhost", "root", "12450") or die("Error connecting to database: ".mysql_error());
    /*
        localhost - it's location of the mysql server, usually localhost
        root - your username
        third is your password

        if connection fails it will stop loading the page and display an error
    */

    mysql_select_db("myDatabase") or die(mysql_error());
    /* tutorial_search is the name of database we've created */

     ?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Search Results</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>

<body>

<div data-role="page" id="SearchResultsPage" data-theme="b" data-add-back-btn="true">
    <div data-role="header">
        <h1>Search Results</h1>
    </div>

<?php

    $query = $_GET['query']; 
    // gets value sent over search form

    $min_length = 3;
    // you can set minimum length of the query if you want

    if(strlen($query) >= $min_length){ // if query length is more or equal minimum length then

        $query = htmlspecialchars($query); 
        // changes characters used in html to their equivalents, for example: < to &gt;

        $query = mysql_real_escape_string($query);
        // makes sure nobody uses SQL injection

        $raw_results = mysql_query("SELECT * FROM emplist
            WHERE (`lfname` LIKE '%".$query."%') OR (`id` LIKE '%".$query."%')") or die(mysql_error());

        // * means that it selects all fields, you can also write: `id`, `title`, `text`
        // articles is the name of our table

        // '%$query%' is what we're looking for, % means anything, for example if $query is Hello
        // it will match "hello", "Hello man", "gogohello", if you want exact match use `title`='$query'
        // or if you want to match just full word so "gogohello" is out use '% $query %' ...OR ... '$query %' ... OR ... '% $query'

        if(mysql_num_rows($raw_results) > 0){ // if one or more rows are returned do following

            while($results = mysql_fetch_array($raw_results)){
            // $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop

                echo "<h4><p>".$results['lfname']."</h4>"." ".$results['phonenum']." <br> MCI #".$results['id']." <br> ".$results['state']." ".$results['zip']."</p>";
                // posts results gotten from database
            }

        }
        else{ // if there is no matching rows do following
            echo "No results found";
        }

    }
    else{ // if query length is less than minimum
        echo "ERROR Minimum length is ".$min_length;
    }

?>

</body>

<div data-role="content"></div> 
        <input type="button" name="bIndex" value="Back" onclick="location.href='Index.php'">
<div data-role="footer" data-theme="b">
        <h4>____?____?____?___?____ &copy; 2016</h4>
</div>


</html>
WChampion
  • 75
  • 1
  • 9