php - 使用 POST 方法使用 PHP 在 Android 上通过异步任务更新 SQL 数据库

Question

我正在将我正在开发的 Android 应用程序中的字符串数据发布到 SQL 数据库。 (MAMP)-本地服务器

我能够“回显”从 PHP 到 Android 应用程序的所有 POST 数据，因此我相当有信心 Java 是可靠的。

php 中的示例“echo $username;”我在我的 Android 模拟器上得到了 andrewnguyen22。 它适用于我的所有 php 变量，所以我知道 android POST 工作正常。

当我硬编码 $POST 信息并刷新 php 页面时，代码工作正常...... 但这是让我困惑的事情......

使用 Android 应用程序时，sql 数据库不会更新，而是回显用户名。这意味着没有行受到 php.ini 的影响。任何人都可以看到我的错误吗？

下面我发布了我的 PHP 和 Java。

PHP 代码:

require "conn.php";
$username = $_POST["username"];
$fullName = $_POST["fullName"];
$age =$_POST["age"];
$bio =$_POST["bio"];
$year =$_POST["year"];
$gender =$_POST["gender"];
$location =$_POST["location"];
$sql = "UPDATE user_info SET fullName ='$fullName', bio='$bio',age='$age', gender='$gender', location='$location', year='$year' WHERE username = '$username' ";
$do = mysqli_query($conn, $sql);
if(mysqli_affected_rows($conn) >0){
echo 0;
}
else{
   echo $username;
}  

Android 应用代码

import android.app.AlertDialog;
import android.content.Context;
import android.os.AsyncTask;

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;

/**
* Created by andrewnguyen on 10/23/16.
*/

public class EditProfileBackgroundTask extends AsyncTask {
Context ctx;
AlertDialog alertDialog;
public EditProfileBackgroundTask(Context ctx) {
    this.ctx = ctx;
}
@Override
protected void onPreExecute() {
    alertDialog = new AlertDialog.Builder(ctx).create();

    super.onPreExecute();
}

@Override
protected String doInBackground(String... params) {
    String profile_url = "http://10.0.2.2:8888/profile.php";
    String method = params[0];
    if(method.equals("profile")){
        Global global = new Global();
        String fullName = params[1];
        String age = params[2];
        String bio = params[3];
        String gender = params[4];
        String location = params[5];
        String year = params[6];
        String username = params[7];

        try {
            URL url = new URL(profile_url);
            HttpURLConnection httpURLConnection = (HttpURLConnection) url.openConnection();
            httpURLConnection.setRequestMethod("POST");
            httpURLConnection.setDoOutput(true);
            httpURLConnection.setDoInput(true);
            OutputStream OS = httpURLConnection.getOutputStream();
            BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(OS, "UTF-8"));
            String data = URLEncoder.encode("username", "UTF-8") + "=" +URLEncoder.encode(username, "UTF-8") +"&"+
                    URLEncoder.encode("fullName", "UTF-8") + "=" +URLEncoder.encode(fullName, "UTF-8") +"&"+
                    URLEncoder.encode("age", "UTF-8") + "=" +URLEncoder.encode(age, "UTF-8") +"&"+
                    URLEncoder.encode("bio", "UTF-8") + "=" +URLEncoder.encode(bio, "UTF-8") +"&"+
                    URLEncoder.encode("gender", "UTF-8") + "=" +URLEncoder.encode(gender, "UTF-8") +"&"+
                    URLEncoder.encode("year", "UTF-8") + "=" +URLEncoder.encode(year, "UTF-8") +"&"+
                    URLEncoder.encode("location", "UTF-8") + "=" +URLEncoder.encode(location, "UTF-8");

            bufferedWriter.write(data);
            bufferedWriter.flush();
            bufferedWriter.close();
            OS.close();
            InputStream IS = httpURLConnection.getInputStream();
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(IS, "iso-8859-1"));
            String response = "";
            String line = "";
            while ((line = bufferedReader.readLine())!=null){
                response+=line;
            }

            bufferedReader.close();
            IS.close();
            httpURLConnection.disconnect();
            return response;
        } catch (MalformedURLException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }

    }

    return "Create Profile Failure";
}


@Override
protected void onProgressUpdate(Void... values) {
    super.onProgressUpdate(values);
}

@Override
protected void onPostExecute(String result) {
    if (result .equals("0")) {
        super.onPostExecute(result);

        alertDialog.setMessage("YAY");
        alertDialog.show();
    }
    else if (result .equals("1")) {
        alertDialog.setMessage("NO");
        alertDialog.show();

    }
    else{
        alertDialog.setMessage(result);
        alertDialog.show();//THIS IS WHERE I CAN SEE THE RESULT andrewnguyen22(as seen in php echo $username)
    }
  }
}

它在我的 Android 模拟器上正确显示我的用户名...(如果在执行后则通过警报对话框)

Screenshot of result on emulator

Answer 1

由于您没有转义数据，任何已发布字段中的简单 ' 都会弄乱您的串联 SQL 语句。如果值以 \ 结尾，情况也是如此。可能还有更多场景...

NOTE: Since you already stated that you don't care about security for this script, I'm not gonna preach about the importance of using Prepared Statements. But if anyone else reads this later, use Prepared Statements instead.

使用mysqli_real_escape_string()转义输入，以确保简单的字符不会弄乱您的语句。

$username = mysqli_real_escape_string($conn, $_POST["username"]);
$fullName = mysqli_real_escape_string($conn, $_POST["fullName"]);
$age = mysqli_real_escape_string($conn, $_POST["age"]);
$bio = mysqli_real_escape_string($conn, $_POST["bio"]);
// ...do the same for the rest...