I am currently having an error on line 20 and 24. It says that there is an undefined index. When I open http://yoururl.com/viewwall.php/itemID=123456, it is prompted with errors on line 20 to 24 but is able to display userid, timeofposting and message. Is there any way to solve this?

<?php
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');
header("Content-Type: application/json; charset=UTF-8");

include("global.php");

$conn = new mysqli(server, dbuser, dbpw, db);

$itemID = $_GET['itemID'];

$query = "select userid, timeofposting, message from mywall where itemID = '" . $itemID . "' order by timeofposting DESC";

$result = $conn->query($query);

$outp = "[";
while($rs = $result->fetch_array(MYSQLI_ASSOC)) {
if ($outp != "[") {$outp .= ",";}
$outp .= '{"wallpostid":"'  . $rs["wallpostid"] . '",'; //error
$outp .= '"userid":"' . $rs["userid"] . '",';
$outp .= '"timeofposting":"' . $rs["timeofposting"] . '",';
$outp .= '"message":"' . $rs["message"] . '",';
$outp .= '"itemID":"'   . $rs["itemID"]        . '"}'; //error
}
$outp .="]";

$conn->close();

echo($outp);
?>
queenie
  • well, you don't have them two in your select.... – Jeff Feb 14 '18 at 03:53
  • `select wallpostid, itemID, userid, timeofposting, message from mywall...` might be worth a try (if the fields exist) – Jeff Feb 14 '18 at 03:54
  • __and__ better create a php array/object and json_encode that afterwards, What you do will lead to errors somewhen... – Jeff Feb 14 '18 at 03:55
  • @Jeff it is working now. after adding that in. Thanks! and will do. – queenie Feb 14 '18 at 05:25

1 Answer

Very first thing: you are trusting input from the user.

That should be filtered out.

The $_GET['itemID'] is taken from url and provided to SQL query as it is.

This is vulnerable.

Use mysqli_real_escape_string().

Again, you did not add a check whether it is provided or not.

You are returning JSON and constructing JSON on the fly with PHP syntax.

Just create array and use json_encode() function.

So, finally, following is the corrected code:

<?php
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token');
header("Content-Type: application/json; charset=UTF-8");

include("global.php");

$conn = new mysqli(server, dbuser, dbpw, db);

// real_escape_string needs the open connection (the procedural form takes it as its first argument)
$itemID = isset($_GET['itemID']) ? $conn->real_escape_string($_GET['itemID']) : NULL;

$arr = array();
if (! empty($itemID)) {
    // select every column that is read below; otherwise the same "undefined index" notice comes back
    $query = "SELECT wallpostid, itemID, userid, timeofposting, message 
        FROM mywall 
        WHERE itemID = '" . $itemID . "' ORDER BY timeofposting DESC";
    $result = $conn->query($query);
    while($rs = $result->fetch_array(MYSQLI_ASSOC)) {
        // append one entry per row; assigning to fixed keys would keep only the last row
        $arr[] = array(
            'wallpostid'    => $rs["wallpostid"],
            'userid'        => $rs["userid"],
            'timeofposting' => $rs["timeofposting"],
            'message'       => $rs["message"],
            'itemID'        => $rs["itemID"],
        );
    }
}
$conn->close();

// json_encode handles quoting and escaping, so the output is valid JSON even when a message contains quotes
echo json_encode($arr);
?>
Pupil
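As an added example (not code from the question or the answer above), here is the same viewwall.php endpoint with a prepared statement in place of string escaping, the presence check the answer asks for, and json_encode for the output. It assumes global.php defines the server, dbuser, dbpw and db constants used on this page and that mywall has the five columns the question reads.

```php
<?php
// Hardened viewwall.php: bound parameter instead of string concatenation,
// explicit itemID check, json_encode for output.
// Assumes global.php defines the constants server, dbuser, dbpw and db as on the page.
header('Access-Control-Allow-Origin: *'); // wildcard CORS lets any site read the response; keep only for public data
header("Content-Type: application/json; charset=UTF-8");

include("global.php");

// Make mysqli throw on failure instead of returning false (which the original code never checked).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli(server, dbuser, dbpw, db);
$conn->set_charset('utf8mb4');

// Reject a missing or empty itemID before touching the database.
$itemID = isset($_GET['itemID']) ? trim($_GET['itemID']) : '';
if ($itemID === '') {
    http_response_code(400);
    echo json_encode(array('error' => 'itemID is required'));
    exit;
}

// The value never becomes part of the SQL text; it is sent separately as a bound parameter,
// so quotes or SQL keywords inside it cannot change the query. Bound as a string because the
// page does not say whether the itemID column is numeric; use 'i' if it is an integer.
$stmt = $conn->prepare(
    "SELECT wallpostid, itemID, userid, timeofposting, message
       FROM mywall WHERE itemID = ? ORDER BY timeofposting DESC"
);
$stmt->bind_param('s', $itemID);
$stmt->execute();
// bind_result works without the mysqlnd driver, unlike get_result().
$stmt->bind_result($wallpostid, $rowItemID, $userid, $timeofposting, $message);
$posts = array();
while ($stmt->fetch()) {
    $posts[] = array(
        'wallpostid'    => $wallpostid,
        'userid'        => $userid,
        'timeofposting' => $timeofposting,
        'message'       => $message,   // json_encode escapes quotes, newlines and control characters
        'itemID'        => $rowItemID,
    );
}
$stmt->close();
$conn->close();
// Always emit valid JSON: an empty array when no posts match.
echo json_encode($posts, JSON_UNESCAPED_UNICODE);
```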