Walorn
Reputation: 151
Insert into MySQL database with PHP API
Been following this tutorial to learn how to create an API for android. Checked my DB_Functions.php file and everything is connecting and running correctly (90% sure). To make sure the post is working correctly I am using a chrome add-on called Postman. This other question I found online was having a similar problem to mine. This is what I inputted/received.
Here is the code
<?php
/*
Function tests
require_once 'include/DB_Functions.php';
$db = new DB_Functions();
$insert = $db->storeUser("InsertTest", "[email protected]", "apple");
print_r($insert);
$user = $db->getUserByEmailAndPassword("[email protected]", "apple");
print_r($user);
$exist = $db->isUserExisted("[email protected]");
echo $exist; */
/**
* File to handle all API requests
* Accepts GET and POST
*
* Each request will be identified by TAG
* Response will be JSON data
/**
* check for POST request
*/
if (isset($_POST['tag']) && $_POST['tag'] != '') {
$tag = $_POST['tag'];
require_once 'include/DB_Functions.php';
$db = new DB_Functions();
$response = array("tag" => $tag, "error" => FALSE);
// check for tag type
if ($tag == 'login') {
// Request type is check Login
$email = $_POST['email'];
$password = $_POST['password'];
// check for user
$user = $db->getUserByEmailAndPassword($email, $password);
if ($user != false) {
// user found
$response["error"] = FALSE;
$response["uid"] = $user["unique_id"];
$response["user"]["name"] = $user["name"];
$response["user"]["email"] = $user["email"];
$response["user"]["created_at"] = $user["created_at"];
$response["user"]["updated_at"] = $user["updated_at"];
echo json_encode($response);
} else {
// user not found
// echo json with error = 1
$response["error"] = TRUE;
$response["error_msg"] = "Incorrect email or password!";
echo json_encode($response);
}
} else if ($tag == 'register') {
// Request type is Register new user
$name = $_POST['name'];
$email = $_POST['email'];
$password = $_POST['password'];
// check if user is already existed
if ($db->isUserExisted($email)) {
// user is already existed - error response
$response["error"] = TRUE;
$response["error_msg"] = "User already existed";
echo json_encode($response);
} else {
// store user
$user = $db->storeUser($name, $email, $password);
if ($user) {
// user stored successfully
$response["error"] = FALSE;
$response["uid"] = $user["unique_id"];
$response["user"]["name"] = $user["name"];
$response["user"]["email"] = $user["email"];
$response["user"]["created_at"] = $user["created_at"];
$response["user"]["updated_at"] = $user["updated_at"];
echo json_encode($response);
} else {
// user failed to store
$response["error"] = TRUE;
$response["error_msg"] = "Error occured in Registartion";
echo json_encode($response);
}
}
} else {
// user failed to store
$response["error"] = TRUE;
$response["error_msg"] = "Unknown 'tag' value. It should be either 'login' or 'register'";
echo json_encode($response);
}
} else {
$response["error"] = TRUE;
$response["error_msg"] = "Required parameter 'tag' is missing!";
echo json_encode($response);
}
?>
And the DB_Functions.php code
<?php
class DB_Functions{
private $db;
public $connection;
function __construct(){
require_once ('DB_Connect.php');
$this->db = new DB_Connect();
$this->connection = $this->db->connect();
}
function __destruct(){
}
public function storeUser($name, $email, $password){
$uuid = uniqid('', true);
$hash = $this->hashSSHA($password);
$encrypted_password = $hash["encrypted"];
$salt = $hash["salt"];
$sql = "INSERT INTO users(unique_id, name, email, encrypted_password, salt, created_at)
VALUES ('$uuid', '$name', '$email', '$encrypted_password', '$salt', NOW())";
$result = $this->connection->query($sql);
if($result){
$uid = mysqli_insert_id($this->connection);
$sql = "SELECT * FROM users WHERE uid = '" . $uid . "';";
$result = $this->connection->query($sql);
return mysqli_fetch_array($result);
}else{
return false;
}
}
public function getUserByEmailAndPassword($email, $password){
$sql = "SELECT * FROM users WHERE email = '" . $email . "';";
$result = $this->connection->query($sql);
$no_of_rows = mysqli_num_rows($result);
if($no_of_rows > 0){
$result = mysqli_fetch_array($result);
$salt = $result['salt'];
$encrypted_password = $result['encrypted_password'];
$hash = $this->checkhashSSHA($salt, $password);
if($encrypted_password == $hash){
return $result;
}
}else{
return false;
}
}
public function isUserExisted($email){
$sql = "SELECT * FROM users WHERE email = '" . $email . "';";
$result = $this->connection->query($sql);
$no_of_rows = mysqli_num_rows($result);
if($no_of_rows > 0){
return true;
}else{
return false;
}
}
public function hashSSHA($password){
$salt = sha1(rand());
$salt = substr($salt, 0, 10);
$encrypted = base64_encode(sha1($password . $salt, true) . $salt);
$hash = array("salt" => $salt, "encrypted" => $encrypted);
return $hash;
}
public function checkhashSSHA($salt, $password){
$hash = base64_encode(sha1($password . $salt, true) . $salt);
return $hash;
}
}
?>
Does anyone know why the Post isn't working?
Upvotes: 0
Views: 3319
Answers (1)
Marc B
Reputation: 360602
you're not doing a real post. It may be using the http POST verb, but you're stuffing your data into the request as headers, which is flat-out wrong. A POST request looks like
header1: value1
header2: value2
...
headerN: valueN
field1=value1&field2=value2&etc....
Since you're not sending a body with your POST, there is NO data for PHP to pick apart and load into $_POST.
And on top of that, you are wide open for sql injection attacks.
Upvotes: 1
Related Questions
- Insert into database from android using PHP
- Inserting data to a mysql database from android phone
- Unable to insert data from android to mysql using php
- Android insert data into MySQL database through PHP
- insert values to mysql using php
- Post data to mysql DB
- Inserting into mysql from android app
- Android posting data to mysql
- PHP inserting POST data received from Android into MySQL database
- adding data to online DB using php script and httppost from android