-1

I'm new to PHP and I've encountered an issue that is driving me crazy. Perhaps someone here can let me know what I'm doing wrong.

I have a from that a user fills out. The below script is using the date entered into the mysql database to generate json data:

<?php
    include("../includes.php");
    $sq = new SQL();

    $TableName = "permissions";
    $Fields = $_POST["Fields"];
    $FieldsSTR = "`" . str_replace("*;*","`,`", $Fields) . "`";
    $Join = "AND";
    $Start = 0;
    $Limit = $_POST["Limit"];
    if($Limit == "")$Limit = 1000;
    $Where = $_POST["Where"];
    $WhereSTR = "";
    if($Where !== "")$WhereSTR = str_replace("*;*"," $Join ", $Where);

    $q = "SELECT $FieldsSTR FROM `$TableName` $WhereSTR";
    $data = $sq->sqlQuery($q);
    if(sizeof($data)>0)array_shift($data);
    header("Content-Type: application/json");
    echo "[";
    foreach($data as $k=>$line){
        echo "[";
        echo "\"" . str_replace("*;*","\",\"",$line) . "\"";
        echo "]";
        if($k < sizeof($data) - 1)echo ",";
    }
    echo "]";
    exit;
?>

The problem that I'm having is that it has stopped working. One day it's fine and the next day it's not working. I'm thinking that maybe the cause of this problem is that crazy user data has been entered into the database. In my foreach statement I tried to replace the ";" with a "
" tag, but that didn't work.

Has anyone encountered this issue before? Perhaps someone can point me in the right direction!

Thanks

Jason

Jason
  • 1
  • 1
  • 2
    Would you edit above to post the HTML form that's submitting into `$_POST`? This looks like you are building SQL directly from a form POST, which is really dangerous and easily vulnerable to tampering. I also see what appears to be manual construction of JSON with string ops. Really you should be using [`json_encode()`](http://php.net/manual/en/function.json-encode.php) which will save you all the trouble of getting the formatting and looping right. It really might be as simple as `echo json_encode($data);` to produce valid JSON from your SQL output. – Michael Berkowski May 07 '18 at 19:10
  • This isn't an answer to your question, but what you're doing looks [very insecure](https://en.wikipedia.org/wiki/SQL_injection). I'm not sure if you're wrapping PDO or MySQLi with your `SQL` object, but you may want to look into [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) to harden your code a bit. – maiorano84 May 07 '18 at 19:11
  • 4
    *"...generate json data"* -- create the desired data structure and use [`json_encode()`](http://php.net/manual/en/function.json-encode.php) to produce the JSON. – axiac May 07 '18 at 19:11
  • 1
    That's quite the SQL injection you've written there. https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Sammitch May 07 '18 at 19:23
  • "It stopped" does not help us at all. You need to do a lot more debugging. Likewise that `foreach` loop is way wrong. As others have mentioned `json_encode()` on the structure you want. – nerdlyist May 07 '18 at 19:34

1 Answers1

0

Thanks everyone for your input. I was able to stumble on an fix to my immediate problem. I changed my foreach loop to the following:

foreach($data as $k=>$line){
       $parts = explode("*;*",$line);
        $NEWLINE = array();
        for($i = 0;$i < sizeof($parts);$i++){
            $value = $parts[$i];
            $value = str_replace("\r","&lt;br&gt;",str_replace("\n","&lt;br&gt;",$value));
            $NEWLINE[] = "\"" . $value . "\"";
        }
        $FINDATA[] = "[" . implode(",",$NEWLINE) . "]";
    }

But I will now look into into using json_encode() as mentioned in the comments.

Thanks,

Jason

Jason
  • 1
  • 1