I have a very weird problem while trying to pass and SQL query using the NSURLRequest class in objective C. I am able to send a simple query that works and returns the right content (JSON formatted).
Here is my code :
NSString *URLWithSQLQuery = [NSString stringWithString:@"http://localhost/querydatabase.php?query=INSERT+INTO+Table+(ID,Column1,Column2,Column3,Column4,Column5,Column6,Column7,Column8)+VALUES+(NULL,'a','b','','c','d','','1','2')"];
NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:URLWithSQLQuery]];
NSData *response = [NSURLConnection sendSynchronousRequest:request returningResponse:nil error:nil];
NSString *data = [[NSString alloc] initWithData:response encoding:NSUTF8StringEncoding];
NSLog(@"%@", data);
This does not insert the dummy values into the table.
The following code returns the right content :
NSString *URLWithSQLQuery = [NSString stringWithString:@"http://localhost/querydatabase.php?query=SELECT+*+FROM+Table"];
NSURLRequest *request = [NSURLRequest requestWithURL:[NSURL URLWithString:URLWithSQLQuery]];
NSData *response = [NSURLConnection sendSynchronousRequest:request returningResponse:nil error:nil];
NSString *data = [[NSString alloc] initWithData:response encoding:NSUTF8StringEncoding];
NSLog(@"%@", data);
And when I paste the url http://localhost/querydatabase.php?query=INSERT+INTO+Table+(ID,Column1,Column2,Column3,Column4,Column5,Column6,Column7,Column8)+VALUES+(NULL,’a’,’b’,”,’c’,’d’,”,’1′,’2′) into my browser, the query is executed properly. So I really don’t know where the problem comes from as it does not come from the PHP script or the URLWithSQLQuery nor does it come from my Objective C code.
Any idea would be greatly appreciated. Thanks to all for your help.
Scott
This question has been answered, but I think it’s worth pointing something out to anyone who comes across this question in future, as well as the poster of the question:
Don’t EVER send actual SQL through your URLs
This is a gigantic security flaw. Without an utterly ridiculous amount of sanitisation and validation, this code, when unleashed into the wild, will leave your server and database wide open to exploit.
I’m going to make the assumption you shove the query string into
mysql_query()or whatever, like:Anyone who finds your API doesn’t even need to hack it, because you’ve done all the hard work for them. It’s like building Fort Knox but leaving the front door open. The building can withstand an attack, but anyone who knows can just walk in.
They just need to change the URL to whatever query they like:
Your PHP code needs to take a series of separate parameters for the data you want to save, and you need to make sure they’re sane and valid before you insert them into a pre-built SQL query. This severely limits (but does not prevent all of) the opportunities available to an unscrupulous individual to do something bad with your server.
As a very basic example (in the style of what you already have):
The preferred and slightly more advanced method is to ditch
mysql_*and usemysqliorPDO(or an ORM, which handles it all for you), so you can useprepared statementsinstead.This may seem unimportant, especially since you’re running it on localhost, but what is demonstrated in the question is dangerous.