我想在mysql表中插入json数组数据。我已经写了这段代码。
if (mysqli_connect_errno()){
$response["success"] = 0;
$response["message"] = "Database Error!";
die(json_encode($response));
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// Check connection
if ($con->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
if(isset($_GET['doctorJson'])){
$json = $_GET['doctorJson'];
$array = json_decode($json, true);
foreach($array as $item){
$result = mysqli_query($con, "INSERT IGNORE INTO doctor_visit_track (id, doctor_name, doctor_email, date, time) VALUES
('".$item['id']."', '".$item['doctorName']."', '".$item['doctorEmail']."', '".$item['date']."', '".$item['time']."')");
}
if($result){
$response["message"] = "Success";
echo json_encode($response);
} else{
$response["message"] = "Failure";
echo json_encode($response);
}
}
mysqli_close($con);
不是一个完整的答案,而是观察到您的代码容易受到SQL注入的攻击。试一试:
$sql = <<<EOF
INSERT IGNORE INTO
doctor_visit_track (id, doctor_name, doctor_email, date, time) VALUES
('?', '?', '?', '?"', '?')")
EOF;
$stmt = mysqli_prepare( $con, $sql);
foreach ($array as $item){
mysqli_stmt_bind_param( $stmt, "sssss",
$item['id'], $item['doctorName'], $item['doctorEmail'],
$item['date'],$item['time']
);
$result = mysqli_stmt_execute($stmt);
// rest of your code
};
顺便说一下,你也有$con和$conn (2 'n')作为你的连接变量-希望你的代码中没有这个。
我不能确定,但你的代码可能混淆了面向对象和过程形式的mysqli。坚持其中一种(理想情况下是OO形式)
例如,在您的原始代码中,假设有人向您发送了类似于以下内容的恶意JSON对象:
{
"id" : "hackerid",
"doctorName" : "I am a Hacker",
"doctorEmail": "hacker@hacker.com",
"date": "1999-12-31",
"time": "'"); drop table doctor_visit_track; -- Muhahahaha "
}
…你不会对结果满意的。
我有一个类似的问题,原来是由于PHP魔术引号被启用,并添加转义字符json字符串。尝试禁用php.ini中的魔法引号:
magic_quotes_gpc = Off