URGENT - PHP Object in URL needs decoding and inserting into MySQL DB

LWCARAB

Hello,

My coding skills are patchy and pretty much inexistent in PHP so I really need your help. I have an IOS app feeding my PHP service with 2 posts and an object, I can read the 2 posts fine but I can't decode the object. The URL looks like this:

http://www.concard.co.uk/dbwrite.php?name=Matthew+Hill&cdsId=mhill168&code%5B0%5D%5Bid%5D=1&code%5B0%5D%5Bduration%5D=(3000)&code%5B0%5D%5Btext%5D=&code%5B0%5D%5Bdirection%5D=go_reverse&code%5B0%5D%5B%24%24hashKey%5D=object%3A94

My current code looks like this but doesn't work to decode the object, it just appears as "Array" in the DB:

<?php 
header('Content-type: text/plain; charset=utf-8');


$db_conn = new PDO('mysql:host=localhost;dbname=xxx;charset=utf8','xxx','xxx');
$db_conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

/* $url =  "//$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"; */
$obj = json_decode($_GET['code'],true);
$code = $obj->direction;
echo $obj;

$message = "";
$name = htmlspecialchars($_GET['name']); 
$cdsid = htmlspecialchars($_GET['cdsId']);
$code = $_GET['code'];

$qry = $db_conn->prepare('INSERT INTO Car(`Name`,`CDSID`,`Code`,`DateTime`,`ProcessedFlag`) VALUES (:name,:cdsid,:code,now(),False)');
$qry->bindParam(':name', $name);
$qry->bindParam(':cdsid', $cdsid);
$qry->bindParam(':code', $code);
$qry->execute();

if ($qry) { $message = "success"; }
else { $message = "failed"; }

echo utf8_encode($message);
?>

The object coming across looks like this:

[ATTACH]5241[/ATTACH]

I can't at this point change the code of the iOS app and the URL it's sending but I'm assured it should work fine. Any help would be greatly appreciated, thanks.

unnamed.png

laserlight

I suggest that you start with this:

<?php

$obj = json_decode($_GET['code'], true);
print_r($obj);

I used the query string that you provided on my local development server (where display_errors is set to On), and received this warning:

 Warning: json_decode() expects parameter 1 to be string, array given in /home/eugene/web/public_html/test.php on line 4

Looking at your query string in detail, it does look like the code name/value pair is meant to be an array. It does not look like valid JSON at all. My guess is that instead of this:

$obj = json_decode($_GET['code'],true);
$code = $obj->direction;

You want:

$code = $_GET['code'][0]['direction'];

LWCARAB

Fantastic, thank you, I'm getting somewhere with your suggestion:

<?php 
header('Content-type: text/plain; charset=utf-8');


$db_conn = new PDO('mysql:host=localhost;dbname=xxx;charset=utf8','xxx','xxx');
$db_conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$obj = json_decode($_GET['code'],true);
$code = $_GET['code'][0]['direction'].$_GET['code'][0]['duration'];
echo $code;

$message = "";
$name = htmlspecialchars($_GET['name']); 
$cdsid = htmlspecialchars($_GET['cdsId']);
$code = $_GET['code'];

$qry = $db_conn->prepare('INSERT INTO Car(`Name`,`CDSID`,`Code`,`DateTime`,`ProcessedFlag`) VALUES (:name,:cdsid,:code,now(),False)');
$qry->bindParam(':name', $name);
$qry->bindParam(':cdsid', $cdsid);
$qry->bindParam(':code', $code);
$qry->execute();

if ($qry) { $message = "success"; }
else { $message = "failed"; }

echo utf8_encode($message);
?>

My next question is how would I go about looping through the array if there was more than one row, ideally I'd want to push the following to the DB is I had say 3 row?

go_reverse(3000)
go_left(500)
go_right(1000)

With the line break, mysql field is text.

laserlight

I would expect something like this:

<?php
header('Content-type: text/plain; charset=utf-8');

$message = "failed";

if (isset($_GET['name'], $_GET['cdsId'], $_GET['code']) && is_array($_GET['code'])) {
    $db_conn = new PDO('mysql:host=localhost;dbname=xxx;charset=utf8','xxx','xxx');
    $db_conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$name = htmlspecialchars($_GET['name']);
$cdsid = htmlspecialchars($_GET['cdsId']);

$statement = $db_conn->prepare('INSERT INTO Car(`Name`,`CDSID`,`Code`,`DateTime`,`ProcessedFlag`) VALUES (:name,:cdsid,:code,now(),False)');
$statement->bindParam(':name', $name);
$statement->bindParam(':cdsid', $cdsid);
$statement->bindParam(':code', $code);

foreach ($_GET['code'] as $obj) {
    if (!empty($obj['direction']) && !empty($obj['duration'])) {
        $code = $obj['direction'] . $obj['duration'];
        $statement->execute();
    }
}

$message = "success";
}

echo utf8_encode($message);

Notice that I did lots of checking: you cannot be absolutely sure that the app is sending data in the expected format, so you should check that it does. If it does not, then your "failed" error message comes in handy.

Since we know $_GET['code'] is an array in the expected format, we can just loop over its elements, which I did with a foreach loop.

EDIT:
It looks like you have repeating fields as you insert the same Name and CDSID again and again into the same table. Maybe you should do some database normalisation.

Also, consider not using htmlspecialchars on the name and CDSID. You should use them when printing them in a HTML document, but not when storing in the database, unless you have special reasons for doing so. The prepared statement would already handle the problem of SQL injection.