我猜这已经在某个地方得到了解答,但是我找不到解决方法,我正在撕裂我的头发。我有一个存储在MySQL中的JSON数组,如下所示:
[{"ip":"8.8.8.8","name":"Bob"},{"ip":"","name":""},{"ip":"","name":""},{"ip":"","name":""}]
我想替换特定对象的“ip”和“name”。所以我将$slot_num
设置为0,并尝试更改值和UPDATE
数据库。下面的SELECT子句应该没问题,因为它在其他地方多次使用过。
//Recieves POST info such as ip=1.1.1.1&group=204&slot=3&name=help
$ip = $_POST['ip'];
$group_id = $_POST['group'];
$slot_num = $_POST['slot'] -1; //PHP receives slot num increased by 1. IE- $slot_num 1 would be array[0]
$name = $_POST['name'];
if($result = $mysqli->query("SELECT * FROM `open_groups` WHERE `group_id` = $group_id")) {
$row = mysqli_fetch_array($result);
$slot_ar = json_decode($row['players'], true);
//Check if array has correct number slots
if($slot_num => count($slot_ar) || !is_int($slot_num)){
die('Injection attempt');
}
$slot_ar[$slot_num]['ip'] = $ip;
$slot_ar[$slot_num]['name'] = $name;
$players = json_encode($slot_ar);
$players = $mysqli->real_escape_string($players);
if(!$mysqli->query("UPDATE `open_group` SET players = '$players' WHERE group_id = $group_id")) {
echo $mysqli->error;
exit;
}
if(!$mysqli->query("INSERT INTO `occupied`(`ip`, `group`) VALUES ('$ip', '$group_id')")) {
echo $mysqli->error;
exit;
}
echo "Success";
}
else echo $mysqli->error;
我是否错误地访问了数组?
$ip = $_POST['ip'];
$group_id = $_POST['group'];
$slot_num = $_POST['slot']; //PHP receives slot num increased by 1. IE- $slot_num 1 would be array[0]
$name = $_POST['name'];
if($result = $mysqli->query("SELECT * FROM `open_groups` WHERE `group_id` = $group_id")) {
$row = mysqli_fetch_array($result);
$slot_ar = json_decode($row['players'], true);
//Check if array has correct number slots
if($slot_num-1 >= count($slot_ar) || !is_numeric($slot_num)){
echo "Injection attempt";
exit;
}
$slot_ar[$slot_num-1]['ip'] = "$ip";
$slot_ar[$slot_num-1]['name'] = "$name";
$players = json_encode($slot_ar);
$players = $mysqli->real_escape_string($players);
if(!$mysqli->query("UPDATE `open_groups` SET players = '$players' WHERE `group_id` = $group_id")) {
echo "Update error";
exit;
}
if(!$mysqli->query("INSERT INTO `occupied`(`ip`, `group`) VALUES ('$ip', '$group_id')")) {
echo "Occupied error";
exit;
}
echo "Success";
}
else echo "Fail";
答案 0 :(得分:2)
你需要转义$ player因为json数组充满了引号所以当你使用查询将它插入数据库时,mysql会在执行和理解它时遇到麻烦。
在转义它之后也尝试将变量放在单引号内。试试这个:
$players = $mysqli->real_escape_string($players);
$mysqli->query("UPDATE `open_group` SET players = '$players' WHERE group_id = '$group_id' ");
答案 1 :(得分:2)
正如AlexanderO'Mara所指出的那样,你真的应该使用bind_param()
而不是mysqli_escape_string()
,这在某些情况下已被证明是不可靠的。我使用PDO语句,所以这是未经测试的。
来源:mysqli real escape string, should I use it?
$slot_num = $_POST['num'];
$name = $_POST['name'];
// Initial select
$sql = "SELECT * FROM `open_groups` WHERE `group_id` = ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('d', $group_id);
$stmt->execute();
if ($stmt->errno) {
die("Error : " . $stmt->error);
}
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
$slot_ar = json_decode($row['players'], true); //Get JSON array
// Make sure $slot_num isn't bigger than desired
if($slot_num > count($slot_ar) || !is_int($slot_num)){
die('Injection attempt');
}
// Store new variables in the array
$slot_ar[$slot_num]['ip'] = "$ip";
$slot_ar[$slot_num]['name'] = "$name";
// encode the new $players
$players = json_encode($slot_ar);
// new SQL query
$sql = "UPDATE `open_group` SET players = ? WHERE group_id = ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('sd', $players, $group_id);
$stmt->execute();
if ($stmt->errno) {
die("Error : " . $stmt->error);
}
}