Handle POST request in JSON format

Question

I'm trying to handle a POST request from a web service. It's sending an HTTP POST request like this:

{
"latitude":"12.232",
"longitude":"123.323"
}

It's posting to a PHP file on my server. I know that it is hitting the file for sure. However, I'm not getting the data.

In my PHP, I have this (leaving out a bunch of stuff:

$json = file_get_contents('php://input');
$obj = json_decode($json);
$mine ="sixteen"; //using this for a test

$sql = "INSERT INTO rr_emergency (random) VALUES('$obj');";
$result = $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);

This makes no change to my database.

If I do this instead:

$sql = "INSERT INTO rr_emergency (random) VALUES('$mine');";

Then "sixteen" is added in the right spot in a new row in my table each time the webservice calls my PHP. This is how I know I'm receiving data.

NOTE: I was trying to simply add $obj into my table just to see the data format that's returned before I tried to properly parse it and put everything where it belongs.

What am I doing wrong here? I think the problem is here ($json = file_get_contents('php://input');), but not sure what else to try.

Thanks.

Answer 1

So there's a few problems

$obj = json_decode($json);

This will return an object. You want an array

$obj = json_decode($json, true);

Then your PDO is incorrect

$sql = "INSERT INTO rr_emergency (random) VALUES(:val);";
$prep = $dbh->prepare($sql);
foreach($obj as $row) $prep->execute([':val' => $row]);

This will insert your data correctly (using a prepared statement) and loop over the JSON return data

Answer 2

You're trying to insert an object, when you really need a string. use:

$obj = json_decode($json, true)
$obj_str = implode(", ", $obj);
$sql = "INSERT INTO rr_emergency (random) VALUES('$obj_str');";

After I posted the above, you added:

I was trying to simply add $obj into my table just to see the data format

Objects do not inherently convert to strings, so putting $obj within your query doesn't work. The way I store objects in my DB when I've needed to, is to store the JSON notation directly.

$json = file_get_contents("php://input");
$sql = "INSERT INTO rr_emergency (random) VALUES('$json')";

You lose the ability to perform filtering and selecting operations within the object, but it's an effective way to pack away data that you won't need the DB to parse through.

If you need well formatted, easy to read structure:

$obj = json_decode($json);
$obj_str = print_r($obj,true); //store formatted string
$sql = "INSERT INTO rr_emergency (random) VALUES('$obj_str');";

If as you said, all you need to do is "just see the data format", I suggest echoing to the screen or writing to a log file; do one of the following. To print to screen:

print_r($obj);

To write to file:

$filepath = "/path/to/file.txt"
file_put_contents($filepath,print_r($obj,true));

Important note

Entering text directly into your DB queries without escaping it makes you vulnerable to SQL injection attacks. Use prepared statements instead.