I am writing my first server side api, and my code is giving me errors...

Here is the php code (I am using a get method)

<?php 

//Check if there is a function
if(function_exists($_GET['function'])) {

    //If it equals loadAll
    if ($_GET['function']=='loadAll'){

        //Then call the function and pass it the parameter it needs
        $_GET['function']($_GET['entity']);
    }

    //If found, call the function with value as a parameter
   $_GET['function']($_GET['value']);
}

/**
 * This method loads all of an object from the DB
 */
function loadAll($entity){

    //Variables for connecting to database.
    //These variable values come from hosting account.
    $hostname = "------";
    $username = "-----";
    $dbname = "-----";

    //These variable values need to be changed by you before deploying
    $password = "-----";

    //Connecting to your database
    mysql_connect($hostname, $username, $password) OR DIE ("Unable to 
    connect to database! Please try again later.");
    mysql_select_db($dbname);

    //Fetching from your database table.
    $query = "SELECT * FROM $entity";
    $result = mysql_query($query);

    $myJson=array();
    //Parse to array
    while($row = mysqli_fetch_array($result)){
        $myJson[]=$row;
    }

    //Close connection
    mysqli_close($con);

    //Encode and send response
    echo json_encode($myJson);
}
?>

My get URL is

http://someURL.com/api/index.php?function=loadAll&entity=School

My errors are:

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, resource given in D:\hosting\somenumber\html\api\index.php on line 42

Warning: mysqli_close() expects parameter 1 to be mysqli, null given in D:\hosting\somenumber\html\api\index.php on line 47
[]
Fatal error: Function name must be a string in D:\hosting\somenumber\html\api\index.php on line 14

I appreciate all your help

William Falcon

  • I am surprised your dangerous usage of user parameters in the first if statement even works. – Appleshell Apr 09 '13 at 00:51
  • I'm pretty new to php, what is the better way to do this, and why is it an issue? – William Falcon Apr 09 '13 at 00:52
  • `$con` is not defined too. – Ricardo Alvaro Lohmann Apr 09 '13 at 00:52
  • You're doing a really dangerous thing there by calling a function by GET parameter... did someone write about PHP injection already? – metadings Apr 09 '13 at 00:53
  • If the user would write something like `deleteDatabase` as the GET parameter, assuming that this function exists, it would get called. Another thing that I just recognized is that you are mixing `mysql` and `mysqli` functions. These are different libraries and you should select just one. – Appleshell Apr 09 '13 at 00:55
  • @AdamS `Fatal error: Function name must be a string` luckily he didn't do that before. – metadings Apr 09 '13 at 00:57
  • By the way, using `SELECT * FROM $entity` you're also doing SQL injection. – metadings Apr 09 '13 at 00:58
  • Umm... ok, thank you for pointing that out. I figured as long as the functions in this page were safe (no deleteDatabase) then access was limited to the functions I make. I'll read on the php injection. Do you have a link for the standard design pattern for security when writing apis? – William Falcon Apr 09 '13 at 00:59
  • @waf your functions are safe - maybe. But what about thousands of built-in php functions? – barbashov Apr 09 '13 at 01:00
  • Just check the input for predefined values that should be accepted and do hardcoded function calls. Also, when using the input e.g. in sql queries, escape it. – Appleshell Apr 09 '13 at 01:00
  • Ok, that makes sense (if function name in this valid list, do it, otherwise don't) is what I imagine? What does escape the query mean? – William Falcon Apr 09 '13 at 01:10
  • Thank you for the advice, it helped a lot – William Falcon Apr 09 '13 at 01:10

2 Answers

mysql and mysqli functions are not interchangeable; you need to use all mysql or all mysqli functions.

e.g.

//Connecting to your database (keep the connection handle: mysqli needs it)
$con = mysqli_connect($hostname, $username, $password) OR DIE ("Unable to 
connect to database! Please try again later.");//I changed this
mysqli_select_db($con, $dbname);//I changed this
//Fetching from your database table.
$query = "SELECT * FROM $entity";
$result = mysqli_query($con, $query);//I changed this

$myJson=array();
//Parse to array
while($row = mysqli_fetch_array($result)){  
    $myJson[]=$row;
}
//Close connection (mysqli, with the handle opened above)
mysqli_close($con);
Toby Allen


You confuse mysql_query and mysqli_fetch_array. Choose mysqli only, rewriting queries and connection. mysql_query is deprecated as of PHP 5.5.0, and will be removed in the future.

Nik Drosakis
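Pulling the comments and both answers together, here is an added example (not code from the question or from either answer) of the same loadAll endpoint with the request values checked against fixed allowlists, a hard-coded dispatch instead of a callable taken from `$_GET`, and mysqli used throughout. The host, credentials and the list of table names are placeholders.

```php
<?php
// Added example: hardened version of the question's dispatcher.
// DB_HOST/DB_USER/DB_PASSWORD/DB_NAME and the table list are placeholders.
declare(strict_types=1);

// Table names cannot be bound as prepared-statement parameters, so the
// "entity" value is mapped onto a fixed set of known tables instead of
// being interpolated into the SQL.
const ALLOWED_ENTITIES = ['School' => 'School', 'Student' => 'Student'];

function loadAll(mysqli $db, string $entity): array
{
    if (!isset(ALLOWED_ENTITIES[$entity])) {
        throw new InvalidArgumentException('unknown entity');
    }
    // The identifier comes from our own allowlist, never from the request.
    $stmt = $db->prepare('SELECT * FROM `' . ALLOWED_ENTITIES[$entity] . '`');
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

header('Content-Type: application/json');
// Throw on any mysqli error so a failure never yields a silent "[]".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

    // Hard-coded dispatch: the request picks a branch, never a callable,
    // so built-in PHP functions can no longer be reached by name.
    switch ($_GET['function'] ?? '') {
        case 'loadAll':
            $rows = loadAll($db, (string) ($_GET['entity'] ?? ''));
            break;
        default:
            throw new InvalidArgumentException('unknown function');
    }
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
} catch (mysqli_sql_exception $e) {
    // Do not echo the driver message: it can reveal schema details.
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
} finally {
    if (isset($db)) {
        $db->close();
    }
}
```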