
I have a PHP file with a set of HTML code; this code shows several location IDs to be selected for the next process (the form uses GET).

$sqloc = mysql_query("SELECT loc_id FROM location");
while ($row = mysql_fetch_array($sqloc)) {
    // name="chk_loc[]" makes PHP collect every checked value into an array
    echo "<tr><td>
        <label><input type=\"checkbox\" name=\"chk_loc[]\" value=\"" . $row['loc_id'] . "\" /></label>
    </td><td>" . $row['loc_id'] . "</td></tr>";
}

Then in another PHP file I use this code to select data based on the IDs selected with the checkboxes before.

$cbarray = array();
if (isset($_GET['submit_location'])) {
    $cbarray = $_GET['chk_loc'];   // array of checked loc_id values
}

for ($i = 0; $i < count($cbarray); $i++) {
    // the whole array, not $cbarray[$i], is interpolated into the query string here
    $sqlcb = mysql_query("SELECT * FROM location WHERE loc_id = '$cbarray'");
    while ($ccb = mysql_fetch_row($sqlcb)) {
        print_r($ccb);
    }
}

But when I run it, this notice appears:

Array to string conversion in .... on line 62

Line 62 is the ($sqlcb = mysql_query) part. I already used var_dump to check the array, and it prints the array like this:

array(4) { [0]=> string(5) "LO001" [1]=> string(5) "LO003" [2]=> string(5) "LO004" [3]=> string(5) "LO005" } 

Is there any way to solve this problem? Thank you.

lacyeex
  • So, $cbarray is an array and you're trying to convert it to a string (inside the SQL query); what else could you expect? Also note the SQL injection problem. – Iłya Bursov May 11 '16 at 15:27
  • Simple workaround: you need to use not `... WHERE loc_id='$cbarray'");` but `... WHERE loc_id='".$cbarray[$i]."'");`. And I would recommend using `PDO/mysqli` instead of the deprecated `mysql_` functions, and `foreach` instead of `for`. Of course, received params need to be sanitized, or use `bind`-ing of variables (with PDO/mysqli). – Wizard May 11 '16 at 15:36

2 Answers


The checkbox in PHP is processed as an array. Here in the code the checkbox with id chk_loc is stored in $cbarray as an array. $sqlcb = mysql_query("SELECT * FROM location WHERE loc_id = '$cbarray'"); in this code the WHERE clause accepts a string and you are providing an array.

And use PDO to prevent SQL injection: PDO PHP

Naresh Kumar
  • Plus one for the PDO suggestion. MYSQL functions are deprecated and UNSAFE. – Jacek Kowalewski May 11 '16 at 15:30
    @JacekKowalewski (y) (Y) :=) – Naresh Kumar May 11 '16 at 15:31
  • It *is* possible to write just as shoddy, insecure queries and send them through `PDO::query` though - in and of itself PDO doesn't stop people writing bad code. – CD001 May 11 '16 at 15:33
  • @tadman I'm not arguing **against** using PDO ... I'm arguing against the notion that PDO is, in and of itself, the cure (sic *"use PDO to prevent sql injection"*). Now if the statement was to *use PDO with parameterised queries* I'd have had no objection. – CD001 May 11 '16 at 15:58
  • @CD001 That's the correct and arguably only safe way to use PDO. Instead of objecting, which confuses people, just say that since it explains everything about your reservations. – tadman May 11 '16 at 16:00

The problem is because of this statement,

$sqlcb = mysql_query("SELECT * FROM location WHERE loc_id = '$cbarray'");
                                                                 ^ see here

$cbarray is actually an array, not a string. You can see its structure using var_dump($cbarray);.

So the solution is:

Use implode() function to join the array elements with a string and use it in your query, like this:

$cbarray = array();
if (isset($_GET['submit_location'])) {
    $cbarray = $_GET['chk_loc'];

    $query = "SELECT * FROM location WHERE loc_id IN ('" . implode("','", array_map('mysql_real_escape_string', $cbarray)) . "')";
    $sqlcb = mysql_query($query);
    while($ccb= mysql_fetch_row($sqlcb)) {
        print_r($ccb); 
    }
}

Sidenote: Don't use mysql_* functions; they are deprecated as of PHP 5.5 and are removed altogether in PHP 7.0. Use mysqli or PDO instead. And this is why you shouldn't use mysql_* functions.

Rajdeep Paul
  • @tadman OP's query is susceptible to SQL injection, that's why I also put a **sidenote**, *just in case*. – Rajdeep Paul May 11 '16 at 15:56
  • I know you pointed that out, but you didn't even try to fix it which is what I'm talking about. It's like "Here, the gun you were pointing at your foot was jammed, but I fixed it." – tadman May 11 '16 at 15:56
  • That's the best tool for the job here, as crappy as it is. – tadman May 11 '16 at 16:00
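Both answers point at PDO, and the comment thread settles on PDO *with parameterised queries* as the actual fix. The following is an added example, not code from the question or either answer, showing how the accepted approach (join the checked IDs into one `IN (...)` query) is done with bound parameters instead of string escaping: one `?` placeholder is generated per value and the values are passed to `execute()`, so nothing from `$_GET` is ever spliced into the SQL text. It assumes an in-memory SQLite database with a constructed `location` table so it runs offline; with MySQL only the DSN passed to `new PDO(...)` changes. The `name` column and the row data are constructed for the demo.

```php
<?php
// Added example (not from the question or the answers): parameterised IN query via PDO.
// Assumption: SQLite in memory stands in for the MySQL "location" table so this runs offline.

/**
 * Fetch the location rows whose loc_id is in $ids.
 * Every id is bound as a parameter; the only thing built into the SQL string
 * is the list of "?" placeholders, whose count comes from count($ids).
 */
function fetchLocations(PDO $pdo, array $ids): array
{
    // Keep only non-empty plain strings: a nested array or object in $_GET
    // would otherwise trigger the same "Array to string conversion" notice.
    $ids = array_values(array_filter($ids, function ($v) {
        return is_string($v) && $v !== '';
    }));
    if ($ids === []) {
        return [];   // "IN ()" is a syntax error, so return early instead
    }

    // Produces "?,?,?" for three ids
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT loc_id, name FROM location WHERE loc_id IN ($placeholders) ORDER BY loc_id"
    );
    $stmt->execute($ids);   // values travel separately from the SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed demo data (stand-in for the real location table) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE location (loc_id TEXT PRIMARY KEY, name TEXT)");
$ins = $pdo->prepare("INSERT INTO location (loc_id, name) VALUES (?, ?)");
foreach ([['LO001', 'Depot A'], ['LO002', 'Depot B'], ['LO003', 'Depot C'],
          ['LO004', 'Depot D'], ['LO005', 'Depot E']] as $row) {
    $ins->execute($row);
}

// In the real page this would be:
//   $chkLoc = (isset($_GET['chk_loc']) && is_array($_GET['chk_loc'])) ? $_GET['chk_loc'] : [];
// Here the array is constructed to match the var_dump output in the question.
$chkLoc = ['LO001', 'LO003', 'LO004', 'LO005'];
print_r(fetchLocations($pdo, $chkLoc));   // four rows: LO001, LO003, LO004, LO005

// A submitted value containing a quote is just a value that matches no row;
// it cannot alter the query because it is never part of the SQL string.
print_r(fetchLocations($pdo, ["O'Reilly", 'LO002']));   // one row: LO002

// No checkbox ticked: no query is run at all
print_r(fetchLocations($pdo, []));   // empty array
```

The same `fetchLocations()` body works unchanged against MySQL through `mysqli` or PDO's `mysql:` driver, which is the point of the comment thread: the placeholders, not the driver, are what keep user input out of the query.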