CODEWITHSUNDEEP
phpmysqldatabasecocoa
BitDrink
BitDrink

Reputation: 1193

Fetch MySql database from cocoa app - PHP bridging

I'm trying to download a range of rows from my MySql database, through a cocoa app that I'm developing. I use a php that receives an index from my app and sends back all the rows up to that index. My cocoa code is:

NSInteger index = 0;
NSString *urlString = [NSString stringWithFormat:@"http://localhost/test.php?index=%d&", index];

NSArray *items = [NSArray arrayWithContentsOfURL:[NSURL URLWithString: urlString]];

NSLog(@"%@", [items description]);

When the php receive the GET variable index it runs this code:

$index = $_GET['index'];
$Keys = array(...);

mysql_connect($Host, $User, $Password) or die("Unable to connect to database"); 
mysql_select_db($Database) or die("Unable to select database");


$result = mysql_query("SELECT * FROM transactions where id > $index ORDER BY id");

$plist = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
$plist .= "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n";
$plist .= "<plist version=\"1.0\">\n";
$plist .= "<array>\n";

while($row = mysql_fetch_array($result)) { 
    $plist .= "\t<dict>\n";

    foreach($Keys as $key){
        $plist .= "\t\t<key>$key</key>\n";
        $plist .= "\t\t<string>$row[$key]</string>\n";
    }

    $plist .= "\t</dict>\n";
}

$plist .= "</array>\n";
$plist .= "</plist>";

echo $plist;

unset($_GET['index']);

This all works fine if there are up to 30 rows from index and the last id of the database! If, from my cocoa code, I set index to request up to 30 rows or I set index to zero (to request all the database) ... the NSArray object contains nothing!

What am I doing wrong?

Upvotes: 2

Views: 949

Answers (2)

Dave DeLong
Dave DeLong

Reputation: 243156

This won't answer your question, but your code is wide open to a sql injection attack. The way to fix it is a very simple sprintf:

$result = mysql_query(sprintf("SELECT * FROM transactions where id > %d ORDER BY id", intval($index)));

Now, if a malicious user tries to inject text into the $index variable, then the intval + sprintf combination will just turn it into the number 0, thereby protecting your db.

Upvotes: 3

BitDrink
BitDrink

Reputation: 1193

I'm sorry! I've solved by myself! There was an encoding issue! Just changed:

utf8_encode($row[$key])

and I've solved the problem!

Upvotes: 0

Related Questions