I'm guessing this has already been answered somewhere, but I can't find the solution I'm tearing my hair out. I have a JSON array stored in MySQL like this:
[{"ip":"8.8.8.8","name":"Bob"},{"ip":"","name":""},{"ip":"","name":""},{"ip":"","name":""}]
I want to replace the "ip" and "name" of a specific object. So I set $slot_num
to something like 0 and try to alter the values and UPDATE
the database. The SELECT clause below should be fine because it's used several times elsewhere.
//Recieves POST info such as ip=1.1.1.1&group=204&slot=3&name=help
$ip = $_POST['ip'];
$group_id = $_POST['group'];
$slot_num = $_POST['slot'] -1; //PHP receives slot num increased by 1. IE- $slot_num 1 would be array[0]
$name = $_POST['name'];
if($result = $mysqli->query("SELECT * FROM `open_groups` WHERE `group_id` = $group_id")) {
$row = mysqli_fetch_array($result);
$slot_ar = json_decode($row['players'], true);
//Check if array has correct number slots
if($slot_num => count($slot_ar) || !is_int($slot_num)){
die('Injection attempt');
}
$slot_ar[$slot_num]['ip'] = $ip;
$slot_ar[$slot_num]['name'] = $name;
$players = json_encode($slot_ar);
$players = $mysqli->real_escape_string($players);
if(!$mysqli->query("UPDATE `open_group` SET players = '$players' WHERE group_id = $group_id")) {
echo $mysqli->error;
exit;
}
if(!$mysqli->query("INSERT INTO `occupied`(`ip`, `group`) VALUES ('$ip', '$group_id')")) {
echo $mysqli->error;
exit;
}
echo "Success";
}
else echo $mysqli->error;
Am I accessing the array incorrectly or something?
$ip = $_POST['ip'];
$group_id = $_POST['group'];
$slot_num = $_POST['slot']; //PHP receives slot num increased by 1. IE- $slot_num 1 would be array[0]
$name = $_POST['name'];
if($result = $mysqli->query("SELECT * FROM `open_groups` WHERE `group_id` = $group_id")) {
$row = mysqli_fetch_array($result);
$slot_ar = json_decode($row['players'], true);
//Check if array has correct number slots
if($slot_num-1 >= count($slot_ar) || !is_numeric($slot_num)){
echo "Injection attempt";
exit;
}
$slot_ar[$slot_num-1]['ip'] = "$ip";
$slot_ar[$slot_num-1]['name'] = "$name";
$players = json_encode($slot_ar);
$players = $mysqli->real_escape_string($players);
if(!$mysqli->query("UPDATE `open_groups` SET players = '$players' WHERE `group_id` = $group_id")) {
echo "Update error";
exit;
}
if(!$mysqli->query("INSERT INTO `occupied`(`ip`, `group`) VALUES ('$ip', '$group_id')")) {
echo "Occupied error";
exit;
}
echo "Success";
}
else echo "Fail";
you need to escape $players because json array is full of quotations so when you are inserting it into database using a query, mysql would have trouble in executing and understanding it.
also try to place variables inside single quotes after escaping it. Try this:
$players = $mysqli->real_escape_string($players);
$mysqli->query("UPDATE `open_group` SET players = '$players' WHERE group_id = '$group_id' ");
As AlexanderO'Mara pointed out, you really should go with bind_param()
over mysqli_escape_string()
which has been proven unreliable on some occasions. I use PDO statement so this is untested.
Source : mysqli real escape string, should I use it?
$slot_num = $_POST['num'];
$name = $_POST['name'];
// Initial select
$sql = "SELECT * FROM `open_groups` WHERE `group_id` = ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('d', $group_id);
$stmt->execute();
if ($stmt->errno) {
die("Error : " . $stmt->error);
}
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
$slot_ar = json_decode($row['players'], true); //Get JSON array
// Make sure $slot_num isn't bigger than desired
if($slot_num > count($slot_ar) || !is_int($slot_num)){
die('Injection attempt');
}
// Store new variables in the array
$slot_ar[$slot_num]['ip'] = "$ip";
$slot_ar[$slot_num]['name'] = "$name";
// encode the new $players
$players = json_encode($slot_ar);
// new SQL query
$sql = "UPDATE `open_group` SET players = ? WHERE group_id = ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('sd', $players, $group_id);
$stmt->execute();
if ($stmt->errno) {
die("Error : " . $stmt->error);
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.