2

I am implementing Backbone.js, and I am just trying to understand how the sync function works. To keep it very simple, here is the model.

var Item = Backbone.Model.extend({
  defaults: {
    name: "Goo"
  },

  url: "commlink.php"
});

and then

Backbone.sync("create", item);

This is my commlink.php

$item=json_decode($_POST);
$name=$item->name;
$results=$mdb2->query("INSERT INTO list VALUES (NULL, '$name')");

I see a new row show up in my DB, however, the field "name" is blank. I tried both item.save() and the above method...both ended up with the same blank cell but a new entry.

This is the error in chrome in network/content:

<b>Warning</b>:  json_decode() expects parameter 1 to be string, array given in ...XXX...

This is in the request payload:

{"name":"Goo"}
William Sham
  • please have a look at this post http://stackoverflow.com/questions/5096549/how-to-override-backbone-sync – Rajkamal Subramanian Aug 02 '11 at 05:51
  • As far as I am aware the $_POST variable is a superglobal array, i.e. it will always be an array. – Adam Purdie Aug 02 '11 at 22:32
  • How do you think I can "receive" this request then...as described officially: "Backbone.sync is the function that Backbone calls every time it attempts to read or save a model to the server. By default, it uses (jQuery/Zepto).ajax to make a RESTful JSON request"-Backbone.js – William Sham Aug 02 '11 at 22:38
  • json_decode() will only take a string because that's what it does, it decodes a JSON string. http://stackoverflow.com/questions/6207286/backbone-js-how-to-use-with-php says to use $GLOBALS['HTTP_RAW_POST_DATA'] – Adam Purdie Aug 02 '11 at 22:38
  • You should also consult the standard SQL injection question here on SO, http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain. – El Yobo Aug 15 '11 at 01:56

3 Answers

4
// Read the raw request body; $_POST is not populated for a JSON payload
$rawJSONString = file_get_contents('php://input');
$item = json_decode($rawJSONString);
// $item->name is the data you want
Peter Lyons
  • I did as you said. It's still giving me a new row with a blank field – William Sham Aug 02 '11 at 03:43
  • Have you looked at the raw JSON POST request body in the browser's debug console? Can you add the JSON content to your question so we can have a look? Are you sure the problem isn't when you build up your SQL statement string? – Peter Lyons Aug 02 '11 at 11:40
  • Where can I find that in chrome or IE? – William Sham Aug 02 '11 at 16:21
  • In Chrome it's in the View > Developer > Javascript Console menu item. In there use the "Network" tab and you will be able to see the request body. – Peter Lyons Aug 02 '11 at 20:01
  • This is what it is: Warning: json_decode() expects parameter 1 to be string, array given in.... I thought the backbone.sync makes json coded automatically? "Backbone.sync is the function that Backbone calls every time it attempts to read or save a model to the server. By default, it uses (jQuery/Zepto).ajax to make a RESTful JSON request"-Backbone.js – William Sham Aug 02 '11 at 21:07
  • Ah, do this: http://stackoverflow.com/questions/813487/how-to-post-json-to-php-with-curl/813512#813512 – Peter Lyons Aug 03 '11 at 14:37
  • The $_POST is already parsed by PHP. You want the raw JSON String, which you can then decode with json_decode. – Peter Lyons Aug 03 '11 at 14:37
  • @Peter...Thank you! After reading up on comments and other resources, I've decided to use a framework to implement a REST api instead of trying to piece it together myself – William Sham Aug 03 '11 at 23:16
1
$item = json_decode(file_get_contents('php://input'), true);
print_r($item);

Found this is more helpful

https://coderwall.com/p/vwvy_a

Akhilraj N S
0

SECURITY NOTE: As pointed out in the comment, this is not the way you should ACTUALLY insert the user-provided content into your database; this is simply to show you how to get access to the array information as JSON. You should use prepared statements, a framework database adapter, or some other appropriate solution for escaping the user-provided content before sticking it into the database.

You're trying to run an array ($_POST) through a function (json_decode) that only accepts a string. The solution in this specific example would be to do this:

$results=$mdb2->query("INSERT INTO list VALUES (NULL, '{$_POST['name']}')");

This would work because you're accessing $_POST as the associative array that it is.

However, what I think you actually want to do is first convert the $_POST array to JSON, then decode it so you can use it the way you wanted to (accessing it as an object, which json_decode returns):

$item=json_encode($_POST);
$item=json_decode($item);
$name=$item->name;
$results=$mdb2->query("INSERT INTO list VALUES (NULL, '$name')");

For reference:

http://php.net/manual/en/function.json-decode.php

http://php.net/manual/en/function.json-encode.php

  • This is hideously unsafe. Please never blindly dump user-provided input directly into SQL strings; use PDO prepared statements, or your framework's database adapter. – Rob Howard Aug 16 '12 at 00:38
  • **Updated Answer accordingly with a warning** - you're right, I was specifically and only addressing the question which was asked, which was how to address the problem he was having with json_encode/json_decode that showed a lack of understanding of how they worked. You should ALWAYS escape any user provided data before it goes into your database, as you said by using prepared statements or a database adapter from the framework. – Stephen Washburn Aug 16 '12 at 08:05
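
The two points raised in this thread (read the raw JSON body instead of $_POST, and bind the value with a PDO prepared statement instead of building the SQL string) combined in one script. This is an added example, not code from the question or from any answer; the in-memory SQLite database, the helper names parseItemName and insertItem, the 100-byte limit and the sample bodies are assumptions made so it runs from the command line.

```php
<?php
// Added example. Assumptions: PDO with the sqlite driver, a table `list` (id, name),
// a hypothetical 100-byte limit on name, and constructed sample request bodies.

/** Decode a Backbone.sync JSON body and return the validated name. */
function parseItemName(string $rawBody): string
{
    // PHP fills $_POST only for form-encoded bodies, so the JSON body is decoded here.
    $item = json_decode($rawBody, true);
    if (!is_array($item) || !isset($item['name']) || !is_string($item['name'])) {
        throw new InvalidArgumentException('body must be a JSON object with a string "name"');
    }
    $name = trim($item['name']);
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 bytes');
    }
    return $name;
}

/** Insert with a bound parameter so the value is never parsed as SQL. */
function insertItem(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO list (id, name) VALUES (NULL, :name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

// In commlink.php the body would be file_get_contents('php://input'); constructed samples:
$samples = [
    '{"name":"Goo"}',
    '{"name":"O\'Neil"}',              // the quote would break the concatenated query
    '{"name":["not","a","string"]}',   // wrong type: rejected
    'name=Goo',                        // form-encoded, not JSON: rejected
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE list (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
foreach ($samples as $body) {
    try {
        $id = insertItem($db, parseItemName($body));
        echo "inserted row $id\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
foreach ($db->query('SELECT id, name FROM list') as $row) {
    echo "{$row['id']}: {$row['name']}\n";
}
```

The first two bodies are stored exactly as sent, and the last two are rejected before any SQL runs.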