Android Question SELECT MySql with variable

MarcoRome

Expert
Licensed User
Longtime User
Hi all, I have this code:

B4X:
ExecuteRemoteQuery($"
SET @num = 1;               
Select
   id,
   id_clinic,
   name_customer,
   phone_customer,
   assign_doctor,
   emergency,
   time_booking,
   state,
   @num := If(@id = id, @num + 1, 1) As RowNum,
   @id := id As dummy
from `clinic_visit`;"$, "LeggiAppuntamenti")

But it returns this error:
from `clinic_visit`;
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Select

even though when I run this code in AdminSQL I get the correct result.
Any idea or solution ?
Thank you
Marco

KMatle

Expert
Licensed User
Longtime User
mysqli is request

Please think about security. What if I know your web address (which will be easy if I have your app) and send this command:

B4X:
Delete from `clinic_visit`

Did you protect it?

In combination with PHP I use OkHttpUtils and send parameters ONLY (not complete queries, as someone else would then know how the table is named). In the PHP I use prepared statements. Only parameters can be changed from the outside, not the query itself. Even the parameters are static (e.g. an int will be checked if it's really an integer).
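The two points above fit together: the query in the first post fails over HTTP because mysqli_query()/PDO::query() execute exactly one statement, so "SET @num = 1; SELECT ..." is rejected, while a SQL client splits the text on ';' and runs both. The server should not accept SQL from the app at all; it should accept a query name plus typed parameters, as KMatle describes. The following PHP is an added example, not code from the thread or from B4X: it keeps the thread's row-numbering query as a single statement by initialising the user variables in a derived table, and it only runs statements from a fixed whitelist. The PDO connection, the `visits_by_clinic` name and the `id_clinic` filter are assumptions for illustration.

```php
<?php
// Added example (not the thread's code): a PHP endpoint that accepts a query NAME
// plus typed parameters, never raw SQL. Assumes a PDO connection to the MariaDB
// database holding `clinic_visit`; the `visits_by_clinic` name and the id_clinic
// filter are assumptions for illustration.
declare(strict_types=1);

// Whitelist: the only SQL the server will ever run. Each entry fixes the statement
// text and the type of every placeholder. The user variables are initialised in a
// derived table instead of a separate "SET", so the whole query is ONE statement
// and works through prepare()/execute().
const QUERIES = [
    'visits_by_clinic' => [
        'sql' => 'SELECT v.id, v.id_clinic, v.name_customer, v.phone_customer,
                         v.assign_doctor, v.emergency, v.time_booking, v.state,
                         @num := IF(@id = v.id, @num + 1, 1) AS RowNum,
                         @id := v.id AS dummy
                  FROM `clinic_visit` AS v
                  JOIN (SELECT @num := 0, @id := NULL) AS vars
                  WHERE v.id_clinic = :id_clinic
                  ORDER BY v.id, v.time_booking',
        'params' => ['id_clinic' => 'int'],
    ],
];

// Validate $input against the spec and return typed values, or throw.
function check_params(array $spec, array $input): array
{
    $out = [];
    foreach ($spec as $name => $type) {
        if (!array_key_exists($name, $input)) {
            throw new InvalidArgumentException("missing parameter: $name");
        }
        $value = $input[$name];
        switch ($type) {
            case 'int':
                // "12abc", "1 OR 1=1" or an array are rejected; only a real integer passes.
                if (filter_var($value, FILTER_VALIDATE_INT) === false) {
                    throw new InvalidArgumentException("$name must be an integer");
                }
                $out[$name] = (int) $value;
                break;
            case 'string':
                if (!is_string($value) || strlen($value) > 200) {
                    throw new InvalidArgumentException("$name must be a short string");
                }
                $out[$name] = $value;
                break;
            default:
                throw new LogicException("unknown type $type in query spec");
        }
    }
    // Extra keys the client sent are ignored; nothing unexpected reaches SQL.
    return $out;
}

function run_named_query(PDO $db, string $name, array $input): array
{
    if (!isset(QUERIES[$name])) {
        throw new InvalidArgumentException("unknown query: $name");
    }
    $q = QUERIES[$name];
    $params = check_params($q['params'], $input);

    $stmt = $db->prepare($q['sql']);
    foreach ($params as $k => $v) {
        $stmt->bindValue(":$k", $v, is_int($v) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Entry point: the app POSTs q=visits_by_clinic&id_clinic=3; it never sends SQL.
if (PHP_SAPI !== 'cli') {
    $db = new PDO('mysql:host=localhost;dbname=clinic;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, one statement each
    ]);
    header('Content-Type: application/json');
    try {
        echo json_encode(run_named_query($db, (string) ($_POST['q'] ?? ''), $_POST));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

With emulated prepares switched off, PDO sends the statement to the server for a real prepare, so a client that manages to get "; DELETE FROM `clinic_visit`" into a parameter only ends up with that text compared against id_clinic as a bound value, and the integer check rejects it before that anyway. The query name is looked up in the whitelist, so table names never leave the server. On MariaDB 10.2 and later the same numbering can be written without user variables as ROW_NUMBER() OVER (PARTITION BY v.id ORDER BY v.time_booking), which avoids the order-of-evaluation caveats of := in a SELECT.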

DonManfred

Expert
Licensed User
Longtime User
Sorry for being off-topic (but at least it is not really off-topic) as it shows the problem :D

[image: exploits_of_a_mom.png]

MarcoRome

Expert
Licensed User
Longtime User
Please think about security. What if I know your web address (which will be easy if I have your app) and send this command:

B4X:
Delete from `clinic_visit`

Did you protect it?

In combination with PHP I use OkHttpUtils and send parameters ONLY (not complete queries, as someone else would then know how the table is named). In the PHP I use prepared statements. Only parameters can be changed from the outside, not the query itself. Even the parameters are static (e.g. an int will be checked if it's really an integer).
Thank you for your suggestion. I implemented a little security :D queries are not accepted without the name of the procedure, and the data is also coded. In my example above you see only a part of the code. But thank you anyway.