MOP - Mysql freedom is here, injection stop and bind parameter available

Guides Resources
#1

MOP_logo
MOP_logo971×165 17.3 KB

Mysql Optimizer

MOP is a php query handling and manipulation library providing easy and reliable way to manipulate query and get result in a fastest way.

Recomended Requirement

  • PHP >= 7

Features

  • Run query without limitation
  • Bind parameter
  • Mysql Injection stopped
  • Stopping hackers from getting data from restricted Tables and databases
  • Many more

Installing

You need a web server before you can use this library, Download the latest version in github and upload only the app inventor folder to your server.

most case you have to upload a zip file.

Rename the app inventor folder to any name you wish e.g mysql, then locate your path in the brower.

e.g https://yourwebsitename/rename/mysql.php

If you want to remove the php extension then rename mysql.php to index.php and your path will be

e.g https://yourwebsitename/rename/

If your browser show Bad Request Congratulations your Installation was successful.

FILES IN APP INVENTOR FOLDER

appinv3
appinv3982×304 7.36 KB

Downloading

Upgrading

When there a new version and you wish to upgrade, just reupload each file to the latest version that all and nothing will break, If there would be it will be specify in the change log.

Don’t forget if you rename any file.

Getting Started

You can check this out if you are beginner using mysql in App Inventor.

NOTE : If you want to use this library then download it above.

To add Your database name and the rest edit mopconfig.php in the src folder

appinv2
appinv2792×590 7.35 KB

appinv4
appinv4850×490 7.03 KB

The red mark is where you put all table name or database name that you may think nobody should run a query contain those names.

The blue mark is your masterkey… is only use to run query that has the restriction above

That all about the configuration.

now to run a query from the app

appinv6
appinv6891×406 48.3 KB

BINDING OF PARAMETER

appinv7
appinv7922×401 56.9 KB

You will notice the question mark in the SELECT statement , yes you will put a question mark.

you can add as many parameter as you like the script is capable.

NOTE => the param you saw above is actually param[] it has open and closing square bracket…

Now no more injection… you pass user input separately and query also each query is verify which mean no any injection can occur no matter how you try.

if you are not clear enough feel free to comment your question :slight_smile:

if you want to add more parameter then it will look like this

appinv8
appinv8973×475 75.5 KB

They must be arrange according to the question mark.

if you want to add your masterkey from admin app so you can run restricted column then it will look like this.

appinv9
appinv9967×497 77.1 KB

Now you have your freedom.

csv is return if there is any result.

Responds Code

  • Responds code is 200 for any success query.
  • Responds code is 206 if there is any error.

I know any error should be 400 but most hosting show custom error page rather than the error that occur that is the reason for using 206 and is the best for all hosting…

More

MOP_Startup_block
MOP_Startup_block868×1438 92.2 KB

13 Likes
Tutorial on how to prevent mysql injection using mysql function and php script from beginning to advance no PDO
Tutorial on how to prevent mysql injection using mysql function and php script from beginning to advance no PDO
How to stop user from manipulating response or request ( mysql function, encryption and timer)
Tutorial on how to prevent mysql injection using mysql function and php script from beginning to advance no PDO
#2

Guide

  • When inserting or updating a column with an empty string you will get an error because empty string is part of injection in some way.
    FOR EXAMPLE

INSERT INTO osql_table (ID,username,password) VALUES (’’,‘name’,‘password’);

you will notice the empty string before name… because of that you will get an error.
to avoid that you should use NULL instead or leave it blank.
this

INSERT INTO osql_table (ID,username,password) VALUES (NULL,‘name’,‘password’);

OR

INSERT INTO osql_table (username,password) VALUES (‘name’,‘password’);

the column is remove completely.

  • When using a procedure to INSERT , UPDATE, SELECT and any other statement…only the result of the first SELECT statement is return .
    example.
    appinv12
    appinv12698×537 7.69 KB

Only the result of the first select statement is return which is at line 5…

To run a procedure is usually

CALL procudure_name();

NOTE:: You can also bind parameter in procedure… you put question mark where is expected and pass the parameter later. you should have gotten the gist in the introduction.

multiple select is available but it will be really complex in app inventor than a website, that is the best for now.

  • When using a procedure to INSERT , UPDATE… without any SELECT statement the combination of affected row is return.

  • When using a procedure with an out parameter, you will have to select the out parameter yourself.
    EXAMPLE

    appinv10
    appinv10699×609 8.67 KB

When i execute it

appinv11
appinv11735×259 10.3 KB

You will notice two statement

CALL osql_table(@p0);

NOTE :: you can bind anything bindable

SELECT @p0 as cc;

Now to achieve same result from the app.
your first statement will be your main query. then add the next query later.

appinv13
appinv13884×491 60.6 KB

what you saw above is actually add_query it does not support binding of parameter so it should be use mostly in procedure with out parameter.

if there is parameter you wish to pass then it should look like this.

appinv14
appinv14894×486 63.5 KB

  • If you have a column that has number at the end eg column_1 and you are comparing it with a number eg where column_1 = 23.

SELECT * FROM table_name where column_1 = 23;

you will receive an error because number equal to number is part of mysql injection in some way.

to resolve that … change your column name to letters only… or remove any number at the end of your column name…

As i said you have your freedom to run anything and bind.

3 Likes
#3

Hello there

Well done, but I couldn’t do the binding process, can you help me?

Thanks
good work

#4

sure, show your query block as well as error message if there is any… i will see what i can do as well.

1 Like
#5

Hello
I did the same as what you wrote, but I didn’t learn much. Could you please explain the member registration, login, update processes and data extraction processes with a short example?

Thank you in advance

#6

Okay wait let me make video about everything… and it will clear most people’s mind.

Best regards,
Hazeezet

1 Like
#7

Video link is on top…
also binding parameter bugs as been fixed and you can re test now…

1 Like
#8

thank you …

#9

I try as much as possible to make it easy and avoid custom error page of hosting service…

The responds code of 204 that suppose to occur when there is any error i noticed it does not work so i have to change it to 206 ( partial content ) in the new update.

sorry for the frequent update and any error this may cause.

If there is any block that check for 204 responds code you have to change it 206 if you want to update.

Also there is a particular bug for now

If your query was a SELECT STATEMENT and there is no any result, maybe like finding or trying to select username that is not in your database…then instead of respond code to still be 200 responds code will change to 201.

#10

Everything has been resolved…

now you have a block to check for number of rows

mop_block_!

All responds now have a respond code of 200
If there is any error respond code is 206

so now you can be checking for number of rows before getting columns…

Now everything is good and okay without any bugs.

If your query was a insert statement you can check for number of rows as well :slight_smile:

You can update your script… but note respond code of 201 is removed.

1 Like
#11

Hello again

I have two tables, I want to pull data with common id in both of them, but I couldn’t do it, can you help?

Respects

#12

You will use inner join

SELECT first_table.name, second_table.name FROM first_table INNER JOIN second_table ON second_table.ID = first_table.ID  where first_table.name = anything;

Is actual an sql stuff… and dont forget to put your query in a proceure

#13

I did but it didn’t work

#14

what was the error and try to test your query in PHPmyAdmin before trying it in your app

#15

blocks (7)
blocks (7)948×206 16.6 KB

It doesn’t give an error but it doesn’t show the data either

#16

i am sharing the whole blog

blocks (9)
blocks (9)870×3092 343 KB

#17

You can not select using * when trying to get result from two table at once, specify your column name. and aslo try to run it in PHPMyAdmin if it works

#18

I’m going to try it right away. Love and respect from Turkey to India

#19

I did not see this block in the whole block you sent

#20

No, I’m sending

blocks (10)
blocks (10)1103×4070 471 KB