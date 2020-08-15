The main thing you want to do is to use prepared statements for anything database related. This will prevent things like ‘DROP DATABASE’ from getting into your system. You always want to use prepared statements. Not just for this example but for everything.

You can do sanitation and validation but it’s probably not so important when using public API. But I’ll show you an example.

Start by converting the json data to a php array just like in your original post:

$data = '{"Routes":[],"Quotes":[{"QuoteId":1,"MinPrice":1775.0 blah blah blah $data = json_decode($data,true);

Now we need to extract the places information so it can be looked up later. This is done by creating an array indexed by placeId:

$places = []; foreach($data['Places'] as $placeRaw) { $place = [ 'placeId' => $placeRaw['PlaceId'], 'iataCode' => $placeRaw['IataCode'], 'name' => $placeRaw['Name'], ]; $places[$place['placeId']] = $place; }

Do the same thing for quotes while using the $places for place information:

$quotes = []; foreach($data['Quotes'] as $quoteRaw) { $placeId = $quoteRaw['OutboundLeg']['DestinationId']; $place = $places[$placeId]; $quote = [ 'quoteId' => $quoteRaw['QuoteId'], 'minPrice' => filter_var($quoteRaw['MinPrice'],FILTER_SANITIZE_NUMBER_FLOAT), 'direct' => $quoteRaw['Direct'], 'placeId' => $place['placeId'], 'iataCode' => $place['iataCode'], 'name' => $place['name'], ]; $quotes[$quote['quoteId']] = $quote; }

You may have noticed the filter_var function for min price. filter_var is used for filtering and sanitizing input data. There are a bunch of filter types. The one I used here ensures that doubles only contain numbers or decimal points. I’ll let you decide which filter types are best for your data. I’m not convinced that you really need to do this for this sort of data but you certainly can if you want to.

At this point we have a nice simple array of quotes to be inserted into the database. Start by preparing an insert statement.

$link = mysqli_connect("localhost", "user", "password", "booking"); if($link === false){ die("ERROR: Could not connect. " . mysqli_connect_error()); } $stmt = mysqli_prepare($link, 'INSERT INTO quotes (quoteid, minprice, direct, placeid, iatacode, name) VALUES(?,?,?,?,?,?)' );

All those question marks represent places where you bind data to the statement. SQL injections will not be able to pass through bound data. You can think of a prepared statement as a function to which you will later pass arguments for processing.

Next we need to tell the statement where the ? data is coming from. This is called binding:

// Binding is a bit of a pain with mysqli, PDO does it much better // Create the variables to bind with fake values $quoteId = 0; $minPrice = 0.0; $direct = false; $placeId = 0; $iataCode = 'iata code'; $name = 'destination name'; mysqli_stmt_bind_param($stmt,'idiiss', $quoteId,$minPrice,$direct,$placeId,$iataCode,$name);

The ‘idiiss’ string indicated the type of data being passed. Int Dec Int Int String String

Once the statement is prepared and bound, it’s just a question of looping through the quotes array and executing the statement:

foreach($quotes as $quote) { $quoteId = $quote['quoteId']; $minPrice = $quote['minPrice']; $direct = $quote['direct']; $placeId = $quote['placeId']; $iataCode = $quote['iataCode']; $name = $quote['name']; mysqli_stmt_execute($stmt); }

And that is it. Your database table should be loaded.