I have a filter for some devices in a webpage, made of checkboxes. Whenever one of the checkboxes is clicked, I call a function which adds to an object the values of the checked checkboxes. I want to send this object to a PHP file via AJAX, use it to perform some MySQL query, then return the results from the PHP and display them on the page. The problem is, I'm missing something, since I keep getting a parseerror in my JS.

Here's my code: device-filter.js

```js
$(document).ready(function(){
    $(".ez-checkbox").click(function() {
        console.log("ok");
        var re = {Brand: "", Cost: "", OS: ""};
        $("#Brand :checkbox:checked").each(function(){
            re.Brand += $(this).val()+" & ";
        });
        $("#Cost :checkbox:checked").each(function(){
            re.Cost += $(this).val()+" & ";
        });
        $("#OS :checkbox:checked").each(function(){
            re.OS += $(this).val()+" & ";
        });
        if(re.lenght==0){

        }
        else{
            $.ajax({
                method: "POST",
                dataType: "json", //type of data
                crossDomain: true,
                data: re,
                url:"./php/filtered-device-query.php",
                success: function(response) {
                //display the filtered devices
                },
                error: function(request,error)
                {
                    console.log(request+":"+error);
                }
            });
        }
    });
});
```

filtered-device-query.php

```php
<?php
//connection to db
$mysqli = new mysqli("localhost", "root", "", "my_db");

if (mysqli_connect_errno()) { //verify connection
    echo "Error to connect to DBMS: ".mysqli_connect_error(); //notify error
    exit(); //do nothing else
}
else {
    //echo "Successful connection"; // connection ok
    $devices =json_decode($_POST['re']);
    echo var_dump($devices)."<br>";
    $myArray = array();//create an array
    $brand = rtrim($devices["Brand"], " &");
    $cost = rtrim($devices["Cost"], " &");
    $os = rtrim($devices["OS"], " &");

    $query = " SELECT * FROM `devices` WHERE `Brand` = '$brand' AND 'Cost' = '$cost' AND 'OS' = '$os' ";
    $result = $mysqli->query($query);
    //if there are data available
    if($result->num_rows >0)
    {
        while($row = $result->fetch_array(MYSQL_ASSOC)) {
            $myArray[] = $row;
        }
        echo json_encode($myArray);
    }

    //free result
    $result->close();

    //close connection
    $mysqli->close();
}
?>
```

Thanks in advance for any help!

  • 3
    I'm not a JS guru (far from it), but I can tell when something is misspelled, and this being `lenght`. That should read as `length` for your `if(re.lenght==0)`. Edit: Along with what @Saty said about your column names. Checking for errors on that would have helped you here. – Funk Forty Niner Jun 07 '16 at 13:45
  • 2
    Wrap off quotes from column names; instead use backticks at `'Cost' = '$cost' AND 'OS' = '$os'` – Saty Jun 07 '16 at 13:46
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 07 '16 at 13:54
  • possible duplicate of parse error and when to use single/double quotes. ;-) – Funk Forty Niner Jun 07 '16 at 13:57

1 Answer

You have some typos, first in the jQuery:

```js
if(re.lenght==0){
```

should be:

```js
if(re.length==0){// note the correct spelling of length
```

Then in your PHP you're using quotes on column names in the query. Those should be removed or better yet, back ticked:

```php
$query = " SELECT * FROM `devices` WHERE `Brand` = '$brand' AND `Cost` = '$cost' AND `OS` = '$os' ";
```

More importantly...

An object, as you've described it, has no length. It will come back as undefined. In order to find the length you have to count the keys:

```js
if(Object.keys(re).length == 0){...
```

The object re, as you've declared it, already has 3 keys, a length of 3. Checking for length of 0 is a waste of time.


Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe!

Jay Blanchard
  • I know, but those are unrelated problems. re.lenght is also wrong, and I have to delete it. And I know that the PHP is vulnerable, but first things first, I want my code to work, then to work properly. Still, thanks for pointing it out. – eager_to_learn Jun 07 '16 at 14:17
  • 2
    Unrelated problems? These are things keeping your code from working at all. – Jay Blanchard Jun 07 '16 at 14:20
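
The prepared-statement approach the answer points to, as an added example (not the poster's or the answerer's code). It assumes the three fields arrive as `$_POST['Brand']`, `$_POST['Cost']` and `$_POST['OS']` in the ` & `-joined form the question's JavaScript builds, and it goes one step beyond the original query by matching any ticked value with `IN (...)`; the helper names and the sample input are constructed.

```php
<?php
// Added example: table and column names are from the question; helper names
// and the sample input are constructed for illustration.

// "Apple & Samsung & " (the format device-filter.js builds) -> ["Apple", "Samsung"]
function split_filter(string $raw): array {
    $parts = array_map('trim', explode(' & ', $raw));
    return array_values(array_filter($parts, 'strlen'));
}

// Build the SELECT with "?" placeholders only; user values go in $params.
// Column names come from a fixed list, never from the request.
function build_device_query(array $post): array {
    $where = [];
    $params = [];
    foreach (['Brand', 'Cost', 'OS'] as $column) {
        $values = split_filter((string)($post[$column] ?? ''));
        if ($values === []) {
            continue; // nothing ticked in this group: no constraint
        }
        $marks = implode(', ', array_fill(0, count($values), '?'));
        $where[] = "`$column` IN ($marks)";
        array_push($params, ...$values);
    }
    $sql = 'SELECT * FROM `devices`';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $params];
}

// Prepare, bind every value as a string, execute, return rows.
function fetch_devices(mysqli $db, array $post): array {
    [$sql, $params] = build_device_query($post);
    $stmt = $db->prepare($sql);
    if ($params !== []) {
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed input; the apostrophe would end the string literal early in the
// concatenated query, but here it is only ever a bound parameter.
$post = ['Brand' => "Apple & O'Neil Mobile & ", 'Cost' => '', 'OS' => 'Android & '];
[$sql, $params] = build_device_query($post);
echo $sql, "\n", json_encode($params), "\n";
```

`get_result()` needs the mysqlnd driver. In the endpoint, the only output should be `json_encode(fetch_devices($mysqli, $_POST))`, since anything else echoed into the body (such as a `var_dump`) makes the response invalid JSON for a client that requested `dataType: "json"`.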