douyun1852 2015-07-24 08:43
浏览 121
已采纳

为foreach()警告提供的参数无效

I want to insert json array data in mysql table. I have written this code.

if (mysqli_connect_errno()){
    $response["success"] = 0;
    $response["message"] = "Database Error!";   
    die(json_encode($response));
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

// Check connection
if ($con->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 
echo "Connected successfully";

if(isset($_GET['doctorJson'])){

    $json = $_GET['doctorJson'];

    $array = json_decode($json, true);

    foreach($array as $item){

        $result = mysqli_query($con, "INSERT IGNORE INTO doctor_visit_track (id, doctor_name, doctor_email, date, time) VALUES 
            ('".$item['id']."', '".$item['doctorName']."', '".$item['doctorEmail']."', '".$item['date']."', '".$item['time']."')");

            }

    if($result){
        $response["message"] = "Success";
        echo json_encode($response);
    } else{
        $response["message"] = "Failure";
        echo json_encode($response);
        }
    }

mysqli_close($con);

Above code is working fine when I am using xampp. But when I have uploaded this code to server then same code is giving warning " Invalid argument supplied for foreach()" and not inserting in table. But using in xampp, code is working fine and inserting data successfully. Somebody help me..

  • 写回答

2条回答 默认 最新

  • doubo1883 2015-07-24 09:14
    关注

    Not a complete answer but an observation that your code is vulnerable to SQL injection. Try:

    $sql = <<<EOF
INSERT IGNORE INTO 
  doctor_visit_track (id, doctor_name, doctor_email, date, time) VALUES 
  ('?', '?', '?', '?"', '?')")
EOF;

$stmt = mysqli_prepare( $con, $sql);

foreach ($array as $item){
    mysqli_stmt_bind_param( $stmt, "sssss",
      $item['id'], $item['doctorName'], $item['doctorEmail'],
      $item['date'],$item['time']
      );
    $result = mysqli_stmt_execute($stmt);
    // rest of your code
};

    Incidentally, you also had $con and $conn (2 'n') as your connect variable - hope you don't have this in your code.

    I can't tell for certain but your code may be confusing the OO (object oriented) and procedural form of mysqli. Stick to one or the other (OO form ideally)

    For example in your original code, say someone sent you a malicious JSON object similar to the following:

    {
"id" : "hackerid",
"doctorName" : "I am a Hacker",
"doctorEmail": "hacker@hacker.com",
"date": "1999-12-31",
"time": "\"); drop table doctor_visit_track; -- Muhahahaha "
}

    ...you would not be happy with the result.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 wireshark抓不到vlan
  • ¥20 关于#stm32#的问题:需要指导自动酸碱滴定仪的原理图程序代码及仿真
  • ¥20 设计一款异域新娘的视频相亲软件需要哪些技术支持
  • ¥15 stata安慰剂检验作图但是真实值不出现在图上
  • ¥15 c程序不知道为什么得不到结果
  • ¥40 复杂的限制性的商函数处理
  • ¥15 程序不包含适用于入口点的静态Main方法
  • ¥15 素材场景中光线烘焙后灯光失效
  • ¥15 请教一下各位,为什么我这个没有实现模拟点击
  • ¥15 执行 virtuoso 命令后,界面没有,cadence 启动不起来