1

I'm passing a string of parameters to my PHP code, but I don't know exactly what the parameters are. Let's say I pass in a string that contains

?&cName_1=fbe&cName_2=ege&cBirthday_1=r3rg&cBirthday_2=fev

I not only need to know what each parameter is but I also need the names and the birthdays to line up for my query.

I was trying the following code, but that only works with one parameter at a time:

$email = $_GET['email'];

foreach($_GET as $key => $value){
    $query = "INSERT INTO directory(cName, cBirthday, username) VALUES('$value', '$pBirthday', '$email')";

    $result = mysqli_query($con, $query);
}
Phil
it_guy
  • Not sure what you are trying to do. Are you saying you will have parameters in your GET request as Name_1, Name_2 ... Name_10 & Birthday_1, Birthday_2 ... Birthday_10 and you need to extract their values and pass them to a SQL query with Name & Birthday of _1, _2 and so on till _10? – Ketan Malhotra Jul 26 '18 at 23:00
  • Yes that's exactly what I'm trying to do!! – it_guy Jul 26 '18 at 23:04
  • You are open to SQL injection attacks. Check [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) – Spoody Jul 26 '18 at 23:25
  • This would be much easier if you passed a JSON construct (preferably via POST). Is that a possibility? – Phil Jul 27 '18 at 00:14

2 Answers

0

You can do some handy manipulation of PHP's request-based superglobals (i.e. $_GET and $_POST) by using square brackets to denote array indices / keys.

For example, a query string like

?email=me@example.com&c[0][name]=fbe&c[0][birthday]=r3rg&c[1][name]=ege&c[1][birthday]=fev

results in the following $_GET structure

Array
(
    [email] => me@example.com
    [c] => Array
        (
            [0] => Array
                (
                    [name] => fbe
                    [birthday] => r3rg
                )

            [1] => Array
                (
                    [name] => ege
                    [birthday] => fev
                )

        )

)

To add further parameters, you just append

&c[n][name]=value&c[n][birthday]=value

where n is the next index.


This would be much easier to work with in your code, especially with a prepared statement

// Make MySQLi report errors as exceptions
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$email = $_GET['email'];
$stmt = $con->prepare(
        'INSERT INTO directory (cName, cBirthday, username) VALUES (?, ?, ?)');
$stmt->bind_param('sss', $cName, $cBirthday, $email);
foreach ($_GET['c'] as $c) {
    $cName = $c['name'];
    $cBirthday = $c['birthday'];
    $stmt->execute();
}
Phil
-1

To get the values from the string you can do this:

<?php

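    $string = "?&cName_1=fbe&cName_2=ege&cBirthday_1=r3rg&cBirthday_2=fev";
    $get = explode('&', ltrim($string, '?')); // split on "&"
    $valn = [];

    foreach ($get as $pair) {
        $pos = strpos($pair, '=');
        if ($pos === false) {
            continue; // skip empty or malformed segments such as the leading "?"
        }
        // key is the text before "=", value is the text after it
        $valn[substr($pair, 0, $pos)] = substr($pair, $pos + 1);
    }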
    // access your query param

    $cName_1 = $valn['cName_1'];
    $cName_2 = $valn['cName_2'];
    $cBirthday_1 = $valn['cBirthday_1'];
    $cBirthday_2 = $valn['cBirthday_2'];

?>
Ahmad Salameh
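
Added example (not from either answer): if the query string has to stay in the question's cName_N / cBirthday_N form, the keys can be paired by their numeric suffix against a strict pattern and then inserted with the prepared statement shown in the first answer. The function names `groupChildren` and `insertChildren`, the four-digit suffix limit and the extra sample keys `cName_3` and `admin` are assumptions made for the illustration; the table, columns and `$con` are those from the question.

```php
<?php
/**
 * Group flat keys such as cName_1 / cBirthday_1 into rows keyed by suffix.
 * Keys that do not match the expected pattern are ignored, and a suffix
 * that supplies only one of the two fields is dropped.
 */
function groupChildren(array $params): array
{
    $rows = [];
    foreach ($params as $key => $value) {
        // Accept only the two known field names, a short numeric suffix and string values
        // (a request like ?cName_1[]=x would otherwise arrive as an array).
        if (!is_string($value) || !preg_match('/^c(Name|Birthday)_(\d{1,4})$/', (string) $key, $m)) {
            continue;
        }
        $rows[(int) $m[2]][strtolower($m[1])] = $value;
    }
    // Keep only suffixes that supplied both a name and a birthday.
    $rows = array_filter($rows, fn($r) => isset($r['name'], $r['birthday']));
    ksort($rows);
    return $rows;
}

/** Insert the grouped rows with one prepared statement; values are bound, never concatenated. */
function insertChildren(mysqli $con, string $email, array $rows): int
{
    $stmt = $con->prepare(
        'INSERT INTO directory (cName, cBirthday, username) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $cName, $cBirthday, $email);
    $count = 0;
    foreach ($rows as $row) {
        $cName = $row['name'];
        $cBirthday = $row['birthday'];
        $stmt->execute();
        $count++;
    }
    return $count;
}

// Constructed sample input: the question's query string plus an unpaired key
// (cName_3) and an unexpected key (admin), both of which must not reach the query.
parse_str('email=me@example.com&cName_1=fbe&cName_2=ege&cBirthday_1=r3rg'
    . '&cBirthday_2=fev&cName_3=orphan&admin=1', $params);
print_r(groupChildren($params));

// In the request handler, with $con an open mysqli connection:
// insertChildren($con, $_GET['email'], groupChildren($_GET));
```

Because only keys matching the pattern are read, unexpected parameters never reach the database, and binding the values keeps quote characters in a name or birthday from changing the SQL.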