
Picking up an array of values from php request and running a mysql query

I have this table which contains the following columns.

  • Id
  • place_id
  • name
  • latitude
  • longitude
  • offers

I have to get the offers given an array of place IDs. But the way I have implemented this, it doesn't return any results. Below is my request.

http://localhost:8001/googleplaces/getOffers.php?place_id[]=%22epc888%22&place_id[]=%22epc999%22

Below is the PHP script I wrote.

<?php
    $response = array();
    $pid = array();
    require_once __DIR__ . '/db_connect.php';
    $db = new DB_CONNECT();
    if (isset($_GET["place_id"])) {
        $pid = $_GET['place_id'];

        $result = mysql_query("SELECT * FROM places WHERE place_id IN ($pid)");

        if (!empty($result)) {
            // check for empty result
            if (mysql_num_rows($result) > 0) {

                $result = mysql_fetch_array($result);

                $place = array();
                $place["place_id"] = $result["place_id"];
                $place["offers"] = $result["offers"];
                // success
                $response["success"] = 1;

                // user node
                $response["place"] = array();

                array_push($response["place"], $place);

                // echoing JSON response
                echo json_encode($response);
            } else {
                // no product found
                $response["success"] = 0;
                $response["message"] = "No offers found";

                // echo no users JSON
                echo json_encode($response);
            }
        } else {
            // no product found
            $response["success"] = 0;
            $response["message"] = "No offers found";

            // echo no users JSON
            echo json_encode($response);
        }
    } else {
        // required field is missing
        $response["success"] = 0;
        $response["message"] = "place_id is missing";

        // echoing JSON response
        echo json_encode($response);
    }
    ?>

Though there are a couple of records satisfying the above request, this is the response I get.

{"success":0,"message":"No offers found"}

What am I doing wrong here? Please advise. I am new to PHP.

This: $_GET['place_id'] is an array in your example, so you need to treat it like one in your query.

So you could do this:

$pid = implode(",", $_GET['place_id']);

Not the best way, but it should get it working. You probably want to escape and sanitize that though.


To get all results you need to iterate through them like:

    // success
    $response["success"] = 1;
    // user node
    $response["place"] = array();

    // fetch into $row so the $result result set is not overwritten
    while ($row = mysql_fetch_array($result)) {
        $response["place"][] = array(
            "place_id" => $row["place_id"],
            "offers" => $row["offers"],
        );
    }

As PHP detects the URL parameter place_id[] is of array type, it will present the values as an array. However, you inject the $pid into your SQL. PHP will raise a warning about this, but will still do an implicit conversion and continue. If, for instance, the array was (1, 2, 3), then it would be converted to the string "Array.1,2,3", which leads to invalid SQL syntax.

The very quick solution would be to turn that array into a comma-separated string, like this:

$pid = implode(",", $_GET['place_id']);

However, and this is important: your code is vulnerable to SQL injection. If someone knows the URL to send to your PHP code, they can do quite a lot of damage! You should use prepared statements (and move to mysqli or PDO!) with arguments instead.

You should also turn your results processing into a loop to treat all records, and collect them in an array. So replace the if with a while, and directly populate $response["place"]. Note that your if was overwriting the original $result result-set with the array of the first record, which makes you lose the original $result object. But you'll need it for looping over it. So I introduce the variable $row:

// check for empty result
if (mysql_num_rows($result) > 0) {
    // user node
    $response["place"] = array(); // array of places
    while ($row = mysql_fetch_array($result)) {
        $response["place"][] = array(
            "place_id" => $row["place_id"],
            "offers" => $row["offers"]
        );
    }
    // success
    $response["success"] = 1;
    // echoing JSON response
    echo json_encode($response);
}
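
The prepared-statement approach recommended above, as an added example that is not part of the original answers: one placeholder is generated per array element so the place IDs are bound as data and never concatenated into the SQL. Assumptions: PDO with an in-memory SQLite database and constructed rows so the script runs stand-alone (for MySQL only the DSN and credentials change); the function name getOffers and the length and count limits are illustrative.

```php
<?php
// Added example: parameterized IN (...) lookup with PDO.
// Assumption: in-memory SQLite with constructed rows; getOffers() and the
// 64-character / 100-ID limits are illustrative, not from the original post.

function getOffers(PDO $db, $placeIds): array
{
    // place_id[]=... arrives as an array; reject scalars and empty input.
    if (!is_array($placeIds) || $placeIds === []) {
        return ["success" => 0, "message" => "place_id is missing"];
    }
    $ids = [];
    foreach ($placeIds as $id) {
        // Nested arrays (place_id[][]=x) and oversized values are refused.
        if (!is_string($id) || $id === '' || strlen($id) > 64) {
            return ["success" => 0, "message" => "invalid place_id"];
        }
        $ids[] = $id;
    }
    // De-duplicate and cap the list; array_slice re-indexes the keys from 0.
    $ids = array_slice(array_unique($ids), 0, 100);

    // One "?" per value: only placeholders are interpolated into the SQL text.
    $marks = implode(",", array_fill(0, count($ids), "?"));
    $stmt = $db->prepare("SELECT place_id, offers FROM places WHERE place_id IN ($marks)");
    $stmt->execute($ids);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    if (!$rows) {
        return ["success" => 0, "message" => "No offers found"];
    }
    return ["success" => 1, "place" => $rows];
}

// Constructed sample data standing in for the places table.
$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE places (id INTEGER PRIMARY KEY, place_id TEXT, offers TEXT)");
$db->exec("INSERT INTO places (place_id, offers) VALUES
           ('epc888', '10% off'), ('epc999', '2 for 1'), ('epc111', 'none')");

// Equivalent of ?place_id[]=epc888&place_id[]=epc999 (no %22 quotes needed).
echo json_encode(getOffers($db, ["epc888", "epc999"])), "\n";
// The %22-wrapped form from the question is bound as data, quotes included,
// so it matches no row instead of changing the query.
echo json_encode(getOffers($db, ['"epc888"', '"epc999"'])), "\n";
```

With bound parameters the client sends bare IDs; the quote characters in the original request URL become part of the value being compared.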
