Question

I have a mysql datetime field that stores dates in the form '2013-12-25 00:00:00' I need to select all records for any month in the table with a query like:

$sql = "SELECT * 
        FROM `images` 
        WHERE (photodate BETWEEN '2003-11-01 00:00:00' AND '2003-12-03 00:00:00')
        ORDER BY photodate DESC
        LIMIT 30";

The above select query does the job fine.

In order to change the dates, I need to replace the '2003-11-01 00:00:00' AND '2003-12-03 00:00:00' with variables, so I set a variable with input data from two drop down lists for $startyear and $startmonth and convert it to what I think is the correct form using:

$startdate = $startyear."-".$startmonth."-01 00:00:00";

I do the same to the $enddate by adding 1 to the $startmonth.

My code then becomes:

$sql = "SELECT *
        FROM `images`
        WHERE (photodate BETWEEN $startdate AND  $enddate)
        ORDER BY photodate DESC
        LIMIT 30";

This does not work at all and gives a MySQL error. Having struggled with it for a month and finding nothing on any forum that uses variables instead of text, I am totally at a loss as to how it could be done. All help appreciated.


Solution

You are vulnerable to SQL injection attacks, which is why it's not working. You're producing the literal query

... WHERE (photodate BETWEEN 2003-11-01 00:00:00 AND 2013-12-03 00:00:00)

The 2003-11-01 and 2013-12-03 will be interpreted as a series of mathematical subtractions, and the 00:00:00 will be a simple flat-out syntax error. You need to, at bare minimum, quote those values:

... WHERE (photodate BETWEEN '$startdate' AND '$enddate')
                             ^----------^-----^--------^--- note the quotes

so that mysql can see the WHOLE date as a date value, and not some arbitrary broken strings.

Other tips

I guess you're missing some apostrophes... try this:

$sql = "SELECT * FROM images WHERE (photodate BETWEEN '$startdate' AND '$enddate') ORDER BY photodate DESC LIMIT 30";

You could have problems with the logic. In $enddate, doesn't adding 1 to the start month give you 13?

Try printing out the contents of $sql when the variables are in and see how it compares to the working $sql.

Please add apostrophes to your query (and sanitize your variables using mysql_real_escape_string, PDO bind values, or mysqli_real_escape_string):

$sql = "SELECT * FROM `images` WHERE (photodate BETWEEN '".$startdate."' AND '".$enddate."') ORDER BY photodate DESC LIMIT 30";

A little reminder: you shall NOT use MySQL (deprecated, old... and not that fast). If you're using MySQLi or going to use it, please sanitize your variables like this, as Marc B said, since it could break your script and your app's security:

<?php

// Starting MySQLi connection
$db = mysqli_connect("host", "user", "password", "dbname");

// Escaping your variables so a quote inside them cannot break out of the literal
$startdate = mysqli_real_escape_string($db, $startdate);
$enddate = mysqli_real_escape_string($db, $enddate);

// Query: table name in backticks, date values inside single quotes
$sql = "SELECT * FROM `images` WHERE (photodate BETWEEN '".$startdate."' AND '".$enddate."') ORDER BY photodate DESC LIMIT 30";

// Running the query and printing each result row
$result = mysqli_query($db, $sql);
while ($row = mysqli_fetch_assoc($result)) {
    print_r($row);
}

// Closing connection
mysqli_close($db);
?>

Please refer to this for the PDO way or to this for the MySQLi way; you can also check mysql_real_escape_string in the PHP docs, but the MySQL functions are deprecated since PHP 5.5.
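The accepted answer explains why the unquoted dates break the query, and the last answer recommends escaping the values; the safer fix for both points is to keep the dates out of the SQL text entirely by binding them as parameters. The following is an added example written for this page, not code from the question or any of the answers. It assumes the `images` table and `photodate` DATETIME column from the question; the DSN, credentials and the `startyear`/`startmonth` form field names are placeholders you would replace with your own.

```php
<?php
// Added example (not from the original question or answers): build the month
// range in PHP and let PDO send the values as bound parameters, so the dates
// never become part of the SQL text and quoting can no longer break the query.
// Assumptions: table `images` with a DATETIME column `photodate` (from the
// question); DSN, credentials and form field names are placeholders.

function monthRange(int $year, int $month): array
{
    if ($month < 1 || $month > 12) {
        throw new InvalidArgumentException("month must be 1-12, got $month");
    }
    // First instant of the chosen month; DateTimeImmutable does the
    // December -> January rollover, so there is never a "month 13".
    $start = new DateTimeImmutable(sprintf('%04d-%02d-01 00:00:00', $year, $month));
    $end   = $start->modify('+1 month');
    return [$start->format('Y-m-d H:i:s'), $end->format('Y-m-d H:i:s')];
}

function fetchImagesForMonth(PDO $db, int $year, int $month, int $limit = 30): array
{
    [$startdate, $enddate] = monthRange($year, $month);

    // Half-open range (>= start, < end): BETWEEN is inclusive on both ends, so
    // it would also match a photo taken at exactly 00:00:00 on the 1st of the
    // next month.
    $sql = 'SELECT * FROM `images`
            WHERE photodate >= :startdate AND photodate < :enddate
            ORDER BY photodate DESC
            LIMIT :limit';

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':startdate', $startdate, PDO::PARAM_STR);
    $stmt->bindValue(':enddate', $enddate, PDO::PARAM_STR);
    // LIMIT must not arrive as a quoted string, so bind it as an integer.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection details (assumed; replace with your own).
$db = new PDO('mysql:host=localhost;dbname=dbname;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepared statements instead of client-side emulation.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The two drop-down lists from the question (field names assumed). Casting to
// int rejects anything that is not a number before it gets near the query.
$startyear  = (int) ($_POST['startyear']  ?? 2003);
$startmonth = (int) ($_POST['startmonth'] ?? 11);

foreach (fetchImagesForMonth($db, $startyear, $startmonth) as $row) {
    echo $row['photodate'], PHP_EOL;
}
```

With bound parameters the driver sends the date strings separately from the statement, so the question's original problem (the dates being parsed as `2003-11-01` subtractions followed by a syntax error) cannot occur, and a user-supplied value containing a quote cannot alter the query either. Computing `$enddate` with `modify('+1 month')` also resolves the "month 13" concern raised in the second answer.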

Licensed under: CC-BY-SA with attribution