dqpu4988 2017-01-13 16:34
浏览 32

从JS发送日期数组到php页面

I have a JS array "edit_date" containing multiple dates. I want to send the array to a php page to be stored in database. Instead of using JSON and jquery i have used my codes like this:

var xhttp = new XMLHttpRequest();
    xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
          document.getElementById("a").innerHTML= this.responseText; 
       }
    };
    xhttp.open("GET", "page_name.php?a=" + edit_date , true);
    xhttp.send();

so data goes to php like strings. so I split the string into array in php like:

$data = $_REQUEST['a'];
$data2= $_REQUEST['b'];
$student_id= $_REQUEST['c'];
$array=(explode(",",$data));

and coverted all the array elements to date format and inserted it in database like:

foreach($array as $e)
{
 $date= date("d-m-Y", strtotime($e));
 $sql= "INSERT into student_connects_teacher_date (teacher_id,student_id,dates) values ('$data2','$student_id','$e')";
  if(!mysqli_query($con,$sql))
      {
            die("error". mysqli_connect_error());
      }
}

It worked fine till now. But I want to know is it a good approach to have? I used this since using json and jquery didn't worked for me. Will this approach give any problem in future if I need to use the data? If it isn't a good approach, than what's the reason?

  • 写回答

1条回答 默认 最新

  • dongmeixian9665 2017-01-13 17:00
    关注

    You'll need to check if the date in $e is a valid date before converting it to a timestamp. I don't know the format of your input, but there are multiple ways of doing this. For example with PHP's DateTime class:

    if (DateTime::createFromFormat('Y-m-d H:i:s', $e) === false) {
    // invalid date, so skip
    continue;
}

    Also, you really need to use prepared & parameterized statements for your queries, because right now you're vulnerable for SQL injection. You should never include variables in your queries like this.

    You control the value of the date value and format (after validation), but you'll might also need something like htmlspecialchars() method to clean stuff up in regard to XSS.

    Possible solution for not being vulnerable for SQL injection:

    $stmt = mysqli_prepare($con, "INSERT into student_connects_teacher_date (teacher_id,student_id,dates) values (?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sis', $data2, $student_id, $e);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

    Also, creating and closing the statement can be done outside of the foreach loop.

    Sidenote: if you just want to explode the string, you don't need the extra parenthesis.

    $array=(explode(",",$data));

    Can be just:

    $array = explode(",", $data);

    Wrapping expressions or basically anything in parenthesis might return different results as PHP handles it differently.

    评论

报告相同问题?

悬赏问题

  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图