0

I am passing JSONObject as input into php script based on that the select query need to execute and fetch the values from database. But the values are not not fetching from database even the values are present in database.

<?php
$username = "xxx"; 
$password = "xxxx";   
$host = "localhost";
$database="xxxxx";

$server = mysql_connect($host, $username, $password);
$connection = mysql_select_db($database, $server);

//$jsonString = file_get_contents('php://input');
$jsonString ='{"ilist":{"ib1":"6","ib2":"5"},"rlist":{},"generelist":{"genere1":"Adventure","genere2":"Animation","genere3":"Comedy","genere4":"Horror","genere5":"Fantasy","genere6":"Mystery"},"yearlist":{}}';
$obj = json_decode($jsonString,true);


$ib=array();
$rn=array();
$genere=array();
$year=array();

foreach ($obj['ilist'] as $key => $value) 
    {
        //echo "<br>------" . $key . " => " . $value;
        $ib[$key] = $value;

    }
foreach ($obj['rlist'] as $key => $value) 
    {
        //echo "<br>------" . $key . " => " . $value;
        $rn[$key] = $value;

    }

foreach ($obj['yearlist'] as $key => $value) 
    {
        //echo "<br>------" . $key . " => " . $value;
        $year[$key] = $value;

    }

$val1=implode(',', $ib);
$val2=implode(',', $rn);
$val4=implode(',', $year);

array_walk($obj['generelist'],function(&$item1, $key){$item1="$item1=1";});
$stringgen = implode(' OR ', $obj['generelist']);

$myquery = "SELECT * FROM Movies WHERE 'it' IN ('$val1') OR `Re` IN ('$val2')  OR '". mysql_real_escape_string($stringgen)  ."'  OR `Year` IN ('$val4')";

$query = mysql_query($myquery);

if ( ! $query ) {
    echo mysql_error();
    die;
}    


for ($x = 0; $x < mysql_num_rows($query); $x++) {
    $data[] = mysql_fetch_assoc($query);
}

echo json_encode($data);     

mysql_close($server); ?>

But it returns the null value even the values present in the database. Even when i open the php file in the IE from phpmyadmin it throws the null value. what is wrong with the script.

user29051986
  • 97
  • 9
  • 1
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Sep 22 '15 at 11:58
  • 1
    If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Sep 22 '15 at 11:59
  • Are you getting any errors? Have you checked the error log? – Jay Blanchard Sep 22 '15 at 11:59
  • @JayBlanchard - no error but it returns null. – user29051986 Sep 22 '15 at 12:01
  • I should also note that using `echo mysql_error();` for anything but debugging purposes is also a security risk – Machavity Sep 22 '15 at 12:02
  • Use backtick instead quotes in query `SELECT * FROM Movies WHERE 'it'` – Saty Sep 22 '15 at 12:02
  • yes changed. but it not working when values received from android $jsonString = file_get_contents('php://input'); – user29051986 Sep 22 '15 at 12:31

0 Answers0