Question

I have a mysql datetime field that stores dates in the form '2013-12-25 00:00:00' I need to select all records for any month in the table with a query like:

$sql = "SELECT * 
        FROM `images` 
        WHERE (photodate BETWEEN '2003-11-01 00:00:00' AND '2003-12-03 00:00:00')
        ORDER BY photodate DESC
        LIMIT 30";

The above select query does the job fine.

In order to change the dates, I need to replace the '2003-11-01 00:00:00' AND '2003-12-03 00:00:00' with variables, so I set a variable with input data from two drop-down lists for $startyear and $startmonth and convert it to what I think is the correct form using:

$startdate = $startyear."-".$startmonth."-01 00:00:00";

I do the same to the $enddate by adding 1 to the $startmonth.

My code then becomes:

$sql = "SELECT *
        FROM `images`
        WHERE (photodate BETWEEN $startdate AND  $enddate)
        ORDER BY photodate DESC
        LIMIT 30";

This does not work at all and gives a MySQL error. Having struggled with it for a month and finding nothing on any forum that uses variables instead of text, I am totally at a loss as to how it could be done. All help appreciated.


Solution

You are vulnerable to SQL injection attacks, which is why it's not working. You're producing the literal query

... WHERE (photodate BETWEEN 2003-11-01 00:00:00 AND 2013-12-03 00:00:00)

The 2003-11-01 and 2013-12-03 will be interpreted as a series of mathematical subtractions, and the 00:00:00 will be a simple flat-out syntax error. You need to, at bare minimum, quote those values:

... WHERE (photodate BETWEEN '$startdate' AND '$enddate')
                             ^----------^-----^--------^--- note the quotes

so that mysql can see the WHOLE date as a date value, and not some arbitrary broken strings.

OTHER TIPS

I guess you're missing some apostrophes... try this:

$sql = "SELECT * FROM images WHERE (photodate BETWEEN '$startdate' AND '$enddate') ORDER BY photodate DESC LIMIT 30";

You could have problems with the logic. In $enddate doesn't adding 1 to the start month give you 13?

Try printing out the contents of $sql when the variables are in and see how it compares to the working $sql.

Please add apostrophes to your query (and sanitize your variables using mysql_real_escape_string, mysqli_real_escape_string, or PDO bound values):

$sql = "SELECT * FROM `images` WHERE (photodate BETWEEN '" . $startdate . "' AND '" . $enddate . "') ORDER BY photodate DESC LIMIT 30";

A little reminder: you shall NOT use MySQL (deprecated, old, and not that fast). If you're using MySQLi or are going to use it, please sanitize your variables like this; as Marc B said, it could break your script and your app's security:

<?php

// Starting MySQLi Connection
$db = mysqli_connect("host", "user", "password", "dbname");
if ($db === false) {
    die("Connection failed: " . mysqli_connect_error());
}

// Sanitizing your variables (escaping only protects values that end up
// inside quotes in the query, so the single quotes below are required)
$startdate = mysqli_real_escape_string($db, $startdate);
$enddate = mysqli_real_escape_string($db, $enddate);

// Query: identifiers go in backticks, string values in single quotes
$sql = "SELECT * FROM `images` WHERE (photodate BETWEEN '" . $startdate . "' AND '" . $enddate . "') ORDER BY photodate DESC LIMIT 30";

// Doing the query and printing the result rows
$result = mysqli_query($db, $sql);
if ($result === false) {
    die("Query failed: " . mysqli_error($db));
}
while ($row = mysqli_fetch_assoc($result)) {
    print_r($row);
}
mysqli_free_result($result);

// Closing connection
mysqli_close($db);
?>

Please refer to this for the PDO way or to this for the MySQLi way; you can also check mysql_real_escape_string in the PHP docs, but the MySQL functions have been deprecated since PHP 5.5.
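Pulling together the points made in the accepted answer (the unquoted values are parsed as arithmetic and then a syntax error), the tip about adding 1 to the month giving 13, and the escaping advice above, here is an added example in PHP. It is not code from the question or from any of the answers. It assumes the `images` table with a DATETIME `photodate` column described in the question; the PDO DSN, the credentials and the `$_POST` field names are placeholders, not anything from the page. Rather than escaping and quoting the values, it keeps them out of the SQL text entirely with a prepared statement, and it uses a half-open range instead of BETWEEN so a photo taken at exactly midnight on the first of the next month is not counted twice.

```php
<?php
// Added example, not from the original question or answers.
// Assumes a MySQL database holding the `images` table with a DATETIME
// column `photodate`; DSN, credentials and form field names are placeholders.
declare(strict_types=1);

/**
 * Build the [start, end) range for one calendar month from raw form input.
 * The drop-down values are validated instead of trusted, and
 * DateTimeImmutable handles the December -> January rollover: adding 1 to
 * the month number by hand produces "2013-13-01", which MySQL rejects.
 *
 * @return array{0: string, 1: string} start and end as 'Y-m-d H:i:s'
 */
function monthRange(string $year, string $month): array
{
    if (!preg_match('/^\d{4}$/', $year) || !preg_match('/^\d{1,2}$/', $month)) {
        throw new InvalidArgumentException('year and month must be numeric');
    }
    $y = (int) $year;
    $m = (int) $month;
    if ($m < 1 || $m > 12) {
        throw new InvalidArgumentException('month out of range');
    }
    $start = new DateTimeImmutable(sprintf('%04d-%02d-01 00:00:00', $y, $m));
    $end = $start->modify('+1 month'); // first instant of the following month
    return [$start->format('Y-m-d H:i:s'), $end->format('Y-m-d H:i:s')];
}

/**
 * Fetch up to $limit images taken in the given month with a prepared
 * statement. The dates are sent to the server as parameters, never spliced
 * into the SQL text, so there is nothing to quote or escape, and a crafted
 * value such as "2013' OR '1'='1" arrives as data rather than as SQL.
 *
 * The range is half-open (>= start AND < end). BETWEEN is inclusive on both
 * ends, so "BETWEEN '2013-11-01 00:00:00' AND '2013-12-01 00:00:00'" would
 * also match a photo taken at exactly 2013-12-01 00:00:00.
 */
function imagesForMonth(PDO $db, string $year, string $month, int $limit = 30): array
{
    [$start, $end] = monthRange($year, $month);

    $stmt = $db->prepare(
        'SELECT * FROM `images`
          WHERE photodate >= :start AND photodate < :end
          ORDER BY photodate DESC
          LIMIT :limit'
    );
    $stmt->bindValue(':start', $start, PDO::PARAM_STR);
    $stmt->bindValue(':end', $end, PDO::PARAM_STR);
    // LIMIT must be bound as an integer: a string-bound value would be
    // quoted, and MySQL does not accept a quoted LIMIT.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection details (assumption, not from the page).
$db = new PDO(
    'mysql:host=localhost;dbname=dbname;charset=utf8mb4',
    'user',
    'password',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Values as they would arrive from the two drop-down lists (field names assumed).
$startyear = $_POST['startyear'] ?? '2013';
$startmonth = $_POST['startmonth'] ?? '12';

foreach (imagesForMonth($db, $startyear, $startmonth) as $row) {
    echo $row['photodate'], PHP_EOL;
}
```

With `$startmonth` set to 12, `monthRange()` returns `2013-12-01 00:00:00` and `2014-01-01 00:00:00`, which is the case the "doesn't that give you 13?" tip points at. The same prepared-statement approach works with MySQLi (`mysqli_prepare` plus `mysqli_stmt_bind_param`), so the `mysqli_real_escape_string` calls in the answer above become unnecessary once the values are bound instead of interpolated.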

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow