I'm new to PHP and I've encountered an issue that is driving me crazy. Perhaps someone here can let me know what I'm doing wrong.

I have a form that a user fills out. The below script is using the date entered into the MySQL database to generate JSON data:

<?php
    include("../includes.php");
    $sq = new SQL();

    $TableName = "permissions";
    $Fields = $_POST["Fields"];
    $FieldsSTR = "`" . str_replace("*;*","`,`", $Fields) . "`";
    $Join = "AND";
    $Start = 0;
    $Limit = $_POST["Limit"];
    if($Limit == "")$Limit = 1000;
    $Where = $_POST["Where"];
    $WhereSTR = "";
    if($Where !== "")$WhereSTR = str_replace("*;*"," $Join ", $Where);

    $q = "SELECT $FieldsSTR FROM `$TableName` $WhereSTR";
    $data = $sq->sqlQuery($q);
    if(sizeof($data)>0)array_shift($data);
    header("Content-Type: application/json");
    echo "[";
    foreach($data as $k=>$line){
        echo "[";
        echo "\"" . str_replace("*;*","\",\"",$line) . "\"";
        echo "]";
        if($k < sizeof($data) - 1)echo ",";
    }
    echo "]";
    exit;
?>

The problem that I'm having is that it has stopped working. One day it's fine and the next day it's not working. I'm thinking that maybe the cause of this problem is that crazy user data has been entered into the database. In my foreach statement I tried to replace the ";" with a "<br>" tag, but that didn't work.

Has anyone encountered this issue before? Perhaps someone can point me in the right direction!

Thanks

Jason

  • Would you edit above to post the HTML form that's submitting into $_POST? This looks like you are building SQL directly from a form POST, which is really dangerous and easily vulnerable to tampering. I also see what appears to be manual construction of JSON with string ops. Really you should be using json_encode() which will save you all the trouble of getting the formatting and looping right. It really might be as simple as echo json_encode($data); to produce valid JSON from your SQL output. Commented May 7, 2018 at 19:10
  • This isn't an answer to your question, but what you're doing looks very insecure. I'm not sure if you're wrapping PDO or MySQLi with your SQL object, but you may want to look into prepared statements to harden your code a bit. Commented May 7, 2018 at 19:11
  • "...generate json data" -- create the desired data structure and use json_encode() to produce the JSON. Commented May 7, 2018 at 19:11
  • That's quite the SQL injection you've written there. stackoverflow.com/questions/60174/… Commented May 7, 2018 at 19:23
  • "It stopped" does not help us at all. You need to do a lot more debugging. Likewise that foreach loop is way wrong. As others have mentioned json_encode() on the structure you want. Commented May 7, 2018 at 19:34

1 Answer

Thanks everyone for your input. I was able to stumble on a fix to my immediate problem. I changed my foreach loop to the following:

    foreach($data as $k=>$line){
        $parts = explode("*;*",$line);
        $NEWLINE = array();
        for($i = 0;$i < sizeof($parts);$i++){
            $value = $parts[$i];
            $value = str_replace("\r","&lt;br&gt;",str_replace("\n","&lt;br&gt;",$value));
            $NEWLINE[] = "\"" . $value . "\"";
        }
        $FINDATA[] = "[" . implode(",",$NEWLINE) . "]";
    }

But I will now look into using json_encode() as mentioned in the comments.

Thanks,

Jason
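
The two suggestions from the comments (prepared statements and json_encode()) combined in one script, as an added example that is not the asker's code or part of the original thread. Assumptions: the column names, the sample rows, the hypothetical fetchPermissions() helper, a filter passed as column => value pairs instead of raw SQL, and an in-memory SQLite database standing in for MySQL so the script runs offline.

```php
<?php
// Added example: allow-listed identifiers, bound values, json_encode() output.
// Column names and rows are constructed; SQLite stands in for MySQL.
const ALLOWED_FIELDS = ['id', 'username', 'role', 'note'];

function fetchPermissions(PDO $pdo, array $fields, array $where, int $limit = 1000): array
{
    // Identifiers cannot be bound as parameters, so accept only known columns.
    if ($fields === [] || array_diff($fields, ALLOWED_FIELDS) !== []) {
        throw new InvalidArgumentException('unknown or missing field');
    }
    $conditions = [];
    $params = [];
    foreach ($where as $column => $value) {
        if (!in_array($column, ALLOWED_FIELDS, true)) {
            throw new InvalidArgumentException('unknown column in filter');
        }
        $conditions[] = "`$column` = ?";   // value is bound, never concatenated
        $params[] = $value;
    }
    $sql = 'SELECT `' . implode('`,`', $fields) . '` FROM `permissions`';
    if ($conditions !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    $sql .= ' LIMIT ' . max(1, min($limit, 1000));   // integer, clamped
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE permissions (id INTEGER, username TEXT, role TEXT, note TEXT)');
$ins = $pdo->prepare('INSERT INTO permissions VALUES (?, ?, ?, ?)');
// Constructed rows containing the characters that break hand-built JSON and SQL.
$ins->execute([1, 'alice', 'admin', "line one\r\nline \"two\""]);
$ins->execute([2, "bob' OR '1'='1", 'user', 'a*;*b']);

// Stand-ins for the decoded request parameters.
$rows = fetchPermissions($pdo, ['username', 'note'], ['role' => 'admin']);
header('Content-Type: application/json');
echo json_encode($rows, JSON_THROW_ON_ERROR);
```

The newline and double quote in the first row's note come out escaped by json_encode(), which is the kind of stored user data that breaks JSON assembled with string operations.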
