I am using StringEscapeUtils.escapeSql method of apaches lang library in my android app. I send http post requests to server to execute my SQL queries. While I am inserting the values there is no problem; I can insert the strings in escaped format.
But I can't retrieve the data from the database back to my android app. The strings that don't need to be escaped in the first place, I can retrieve with no problem. What should I do to retrieve the strings from database that I escaped before?
Here is part of my code:
PHP
case "authenticateUser":
if ($userId = authenticateUser($db, $username, $password))
{
$sql = "select u.Id, u.username, (NOW()-u.authenticationTime) as authenticateTimeDifference, u.IP,
f.providerId, f.requestId, f.status, u.port
from friends f
left join users u on
u.Id = if ( f.providerId = ".$userId.", f.requestId, f.providerId )
where (f.providerId = ".$userId." and f.status=".USER_APPROVED.") or
f.requestId = ".$userId." ";
$sqlmessage = "SELECT m.id, m.fromuid, m.touid, m.sentdt, m.read, m.readdt, m.messagetext, u.username from messages m
"
. "left join users u on u.Id = m.fromuid WHERE `touid` = ".$userId." AND `read` = 0 LIMIT 0, 30 ";
if ($result = $db->query($sql))
{
$out .= "<data>";
$out .= "<user userKey='".$userId."' />";
while ($row = $db->fetchObject($result))
{
$status = "offline";
if (((int)$row->status) == USER_UNAPPROVED)
{
$status = "unApproved";
}
else if (((int)$row->authenticateTimeDifference) < TIME_INTERVAL_FOR_USER_STATUS)
{
$status = "online";
}
$out .= "<friend username = '".$row->username."' status='".$status."' IP='".$row->IP."' userKey = '".$row->Id."' port='".$row->port."'/>";
}
if ($resultmessage = $db->query($sqlmessage))
{
while ($rowmessage = $db->fetchObject($resultmessage))
{
$out .= "<message from='".$rowmessage->username."' sendt='".$rowmessage->sentdt."' text='".$rowmessage->messagetext."' />";
$sqlendmsg = "UPDATE `messages` SET `read` = 1, `readdt` = '".DATE("Y-m-d H:i")."' WHERE `messages`.`id` = ".$rowmessage->id.";";
$db->query($sqlendmsg);
}
}
$out .= "</data>";
}
else
{
$out = FAILED;
}
}
else
{
// exit application if not authenticated user
$out = FAILED;
}
break;
case "sendMessage":
if ($userId = authenticateUser($db, $username, $password))
{
if (isset($_REQUEST['to']))
{
$tousername = $_REQUEST['to'];
$message = $_REQUEST['message'];
$sqlto = "select Id from users where username = '".$tousername."' limit 1";
if ($resultto = $db->query($sqlto))
{
while ($rowto = $db->fetchObject($resultto))
{
$uto = $rowto->Id;
}
$sql22 = "INSERT INTO `messages` (`fromuid`, `touid`, `sentdt`, `messagetext`) VALUES ('".$userId."', '".$uto."', '".DATE("Y-m-d H:i")."', '".$message."');";
error_log("$sql22", 3 , "error_log");
if ($db->query($sql22))
{
$out = SUCCESSFUL;
}
else {
$out = FAILED;
}
$resultto = NULL;
}
$sqlto = NULL;
}
}
else
{
$out = FAILED;
}
break;
Java
public String sendMessage(String username, String tousername, String message) throws UnsupportedEncodingException
{
String params = "username="+ URLEncoder.encode(this.username,"UTF-8") +
"&password="+ URLEncoder.encode(this.password,"UTF-8") +
"&to=" + URLEncoder.encode(tousername,"UTF-8") +
"&message="+ URLEncoder.encode(message,"UTF-8") +
"&action=" + URLEncoder.encode("sendMessage","UTF-8")+
"&";
Log.i("PARAMS", params);
return socketOperator.sendHttpRequest(params);
}
