douyun1852 2015-07-24 08:43
浏览 121
已采纳

为foreach()警告提供的参数无效

I want to insert json array data in mysql table. I have written this code.

if (mysqli_connect_errno()){
    $response["success"] = 0;
    $response["message"] = "Database Error!";   
    die(json_encode($response));
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

// Check connection
if ($con->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 
echo "Connected successfully";

if(isset($_GET['doctorJson'])){

    $json = $_GET['doctorJson'];

    $array = json_decode($json, true);

    foreach($array as $item){

        $result = mysqli_query($con, "INSERT IGNORE INTO doctor_visit_track (id, doctor_name, doctor_email, date, time) VALUES 
            ('".$item['id']."', '".$item['doctorName']."', '".$item['doctorEmail']."', '".$item['date']."', '".$item['time']."')");

            }

    if($result){
        $response["message"] = "Success";
        echo json_encode($response);
    } else{
        $response["message"] = "Failure";
        echo json_encode($response);
        }
    }

mysqli_close($con);

Above code is working fine when I am using xampp. But when I have uploaded this code to server then same code is giving warning " Invalid argument supplied for foreach()" and not inserting in table. But using in xampp, code is working fine and inserting data successfully. Somebody help me..

  • 写回答

2条回答 默认 最新

  • doubo1883 2015-07-24 09:14
    关注

    Not a complete answer but an observation that your code is vulnerable to SQL injection. Try:

    $sql = <<<EOF
INSERT IGNORE INTO 
  doctor_visit_track (id, doctor_name, doctor_email, date, time) VALUES 
  ('?', '?', '?', '?"', '?')")
EOF;

$stmt = mysqli_prepare( $con, $sql);

foreach ($array as $item){
    mysqli_stmt_bind_param( $stmt, "sssss",
      $item['id'], $item['doctorName'], $item['doctorEmail'],
      $item['date'],$item['time']
      );
    $result = mysqli_stmt_execute($stmt);
    // rest of your code
};

    Incidentally, you also had $con and $conn (2 'n') as your connect variable - hope you don't have this in your code.

    I can't tell for certain but your code may be confusing the OO (object oriented) and procedural form of mysqli. Stick to one or the other (OO form ideally)

    For example in your original code, say someone sent you a malicious JSON object similar to the following:

    {
"id" : "hackerid",
"doctorName" : "I am a Hacker",
"doctorEmail": "hacker@hacker.com",
"date": "1999-12-31",
"time": "\"); drop table doctor_visit_track; -- Muhahahaha "
}

    ...you would not be happy with the result.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 乌班图ip地址配置及远程SSH
  • ¥15 怎么让点阵屏显示静态爱心,用keiluVision5写出让点阵屏显示静态爱心的代码,越快越好
  • ¥15 PSPICE制作一个加法器
  • ¥15 javaweb项目无法正常跳转
  • ¥15 VMBox虚拟机无法访问
  • ¥15 skd显示找不到头文件
  • ¥15 机器视觉中图片中长度与真实长度的关系
  • ¥15 fastreport table 怎么只让每页的最下面和最顶部有横线
  • ¥15 java 的protected权限 ,问题在注释里
  • ¥15 这个是哪里有问题啊?