-1

I have a web service that queries a database for a region and then returns the results in JSON format. It works but it is not displaying things like "400 bad request" when a bad request is made. The page just displays;

[]

Why is this? I thought apache had built in HTTP error code handling. What I want the script to do is when a bad request is made or a 404 error is occured, to return the specific code.

Here is my php script;

<?php

$a = $_GET["region"];
$conn = new PDO ("mysql:host=localhost;dbname=***;", "***", 
"***");

$results = $conn->query("SELECT * FROM pointsofinterest WHERE region='$a'");
$resultsAsAssocArray = $results->fetchAll(PDO::FETCH_ASSOC);

echo json_encode($resultsAsAssocArray);

?>
Phil
  • 157,677
  • 23
  • 242
  • 245
AdamElsbury
  • 35
  • 7
  • 2
    Where is your code to determine the request is _"bad"_? PHP can automatically respond with 500 in case of an error but for anything else, you need to explicitly tell it how to respond. See http://php.net/manual/function.http-response-code.php – Phil Jan 09 '19 at 01:20
  • Also, you should ideally be using a prepared statement and binding the `region` parameter. See http://php.net/manual/pdo.prepared-statements.php – Phil Jan 09 '19 at 01:21
  • 1
    Your code is **wide open** to SQL injection attacks. Use prepared/parameterized queries with PDO or similar to avoid this issue. – Brad Jan 09 '19 at 01:22
  • @Phil sorry I failed to mention the web service gets a variable from a button on a HTML page. I have intentionally given the URL on the button a query string that does not exist in the database – AdamElsbury Jan 09 '19 at 01:30
  • I don't know what you mean, sorry. – Phil Jan 09 '19 at 01:30

2 Answers2

1

As far as I can understand from your code, a bad request is not being made.

You're echoing $resultsAsAssocArray which simply just contains your SELECT result. Which in this case happens to be empty, is my guess.

Try running the same SQL query from your command line or via PHPMyAdmin and see if you get any results returned.

EDIT: If you wish to return a 404 error code when no result is returned then you should make use of the http_response_code() function.

An example is illustrated here: https://stackoverflow.com/a/41593478/1308765

Linus Juhlin
  • 1,175
  • 10
  • 31
  • I don't think the empty array is unexpected but I think OP expects Apache to automatically respond with 404 – Phil Jan 09 '19 at 01:23
  • That might be the case. I edited my answer with further information. – Linus Juhlin Jan 09 '19 at 01:27
  • Im sorry I'm really inexperienced with PHP, the web service above takes in a query string from a HTML form - I know it is 100% a bad request because I am manually assigning the query string to the end of a URL and still nothing happens – AdamElsbury Jan 09 '19 at 01:28
  • 1
    I'm not sure what you mean by that. – Linus Juhlin Jan 09 '19 at 01:33
  • I am manually sending a bad request where the data point does not exist in the server but nothing is happening. – AdamElsbury Jan 09 '19 at 01:39
  • 1
    @AdamElsbury That's not a bad request, though. That's a good request that happens to return zero results. – ceejayoz Jan 09 '19 at 01:45
1

PHP can automatically set a status of 500 in case of an error (if display_errors is disabled) but for anything else, you need to explicitly tell it how to respond.

For example, say you want to respond with a 404 if there are no records found...

$conn = new PDO ('mysql:host=localhost;dbname=***;charset=utf8', '***', '***', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
]);

// Note that I'm using a prepared statement
$stmt = $conn->prepare('SELECT * FROM pointsofinterest WHERE region = ?');

$stmt->execute([filter_input(INPUT_GET, 'region')]);
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);

if (count($results) === 0) {
    http_response_code(404);
}

echo json_encode($results);

See http://php.net/manual/function.http-response-code.php

ceejayoz
  • 176,543
  • 40
  • 303
  • 368
Phil
  • 157,677
  • 23
  • 242
  • 245