I have a JS array "edit_date" containing multiple dates. I want to send the array to a php page to be stored in database. Instead of using JSON and jquery i have used my codes like this:
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("a").innerHTML= this.responseText;
}
};
xhttp.open("GET", "page_name.php?a=" + edit_date , true);
xhttp.send();
so data goes to php like strings. so I split the string into array in php like:
$data = $_REQUEST['a'];
$data2= $_REQUEST['b'];
$student_id= $_REQUEST['c'];
$array=(explode(",",$data));
and coverted all the array elements to date format and inserted it in database like:
foreach($array as $e)
{
$date= date("d-m-Y", strtotime($e));
$sql= "INSERT into student_connects_teacher_date (teacher_id,student_id,dates) values ('$data2','$student_id','$e')";
if(!mysqli_query($con,$sql))
{
die("error". mysqli_connect_error());
}
}
It worked fine till now. But I want to know is it a good approach to have? I used this since using json and jquery didn't worked for me. Will this approach give any problem in future if I need to use the data? If it isn't a good approach, than what's the reason?
You'll need to check if the date in $e is a valid date before converting it to a timestamp. I don't know the format of your input, but there are multiple ways of doing this. For example with PHP's DateTime class:
if (DateTime::createFromFormat('Y-m-d H:i:s', $e) === false) {
// invalid date, so skip
continue;
}
Also, you really need to use prepared & parameterized statements for your queries, because right now you're vulnerable for SQL injection. You should never include variables in your queries like this.
You control the value of the date value and format (after validation), but you'll might also need something like htmlspecialchars() method to clean stuff up in regard to XSS.
Possible solution for not being vulnerable for SQL injection:
$stmt = mysqli_prepare($con, "INSERT into student_connects_teacher_date (teacher_id,student_id,dates) values (?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sis', $data2, $student_id, $e);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
Also, creating and closing the statement can be done outside of the foreach loop.
Sidenote: if you just want to explode the string, you don't need the extra parenthesis.
$array=(explode(",",$data));
Can be just:
$array = explode(",", $data);
Wrapping expressions or basically anything in parenthesis might return different results as PHP handles it differently.