Use Post Value In SQL Query

I am wanting to capture my post value and use it in my sql query. When I try this syntax NetBeans shows it is invalid syntax, but I am not sure how to fix it. What should I change so this becomes valid syntax (the issue is the query itself)

[php]
<html>
	<div>
		<div style="margin:10px;min-width: 200px;">Start Date: <input type="date" name="date_from" id="date_from"></div>
		<div style="margin:10px;min-width: 200px;">End Date: <input type="date" name="date_to" id="date_to"></div>
	</div>
</html>
<?php
	if (!isset($_POST['submitbutton'])) die();
	{
		$query = "Select * from helper where hiredate >= '" . $_POST['date_from'] . "'" AND hiredate <= '" . DATEADD(DAY,1,$_POST['date_to']) . "'";
	}
?>
[/php]

You have an extra "
[php]
'" . $_POST['date_from'] . "'"
[/php]

Also, you need to secure your variables before passing them to your query; this is open to SQL injection.

What would be the proper way to secure the variables?

Also, your syntax looks exactly like mine?

That was your code; I was pointing it out.

Ideally using PDO would be best then you can use prepared statements.

I'm guessing you're using MySQL, so you can use mysql_real_escape_string()

[php]
if (!isset($_POST['submitbutton'])) die();
{
// DATEADD is a T-SQL function, so it has to stay inside the SQL string rather than being called from PHP
$query = "Select * from helper where hiredate >= '" . mysql_real_escape_string($_POST['date_from']) . "' AND hiredate <= DATEADD(DAY,1,'" . mysql_real_escape_string($_POST['date_to']) . "')";
}
[/php]

I am actually using SQL Server and connecting like the below

[php]
$option = array();
$option['driver'] = 'mssql';
$option['host'] = 'XXX.XXX.XX.XX';
$option['user'] = 'user';
$option['password'] = 'password';
$option['database'] = 'database';
$option['prefix'] = '';
$db = JDatabase::getInstance($option);
$sql = $db->getQuery(true);
$sql = "SELECT statement";
$db->setQuery($sql);
$sql = $db->loadObjectList();
[/php]

NOOOOOOOOOOOO!!!

Don’t even think of suggesting for the OP to use mysql_* anything!

OP, if you are using the highly insecure, obsolete mysql_* functions, get your code off the internet right now and update it (re-write) with PDO. Here is a PDO tutorial. https://phpdelusions.net/pdo

As I haven't used mssql, but this post explains how to send secure params to your query.

I wasn't suggesting to use MySQL; I was guessing wrongly that the OP was using MySQL, but that's not the case. I did suggest to use PDO.

This is for an internal facing intranet site only. Do I need to stress over injection? (it is currently not up and running, I am building it from ground up)

If you use PDO with prepared statements injection issues are taken care of.

That's really up to you, but I would always secure it as much as possible; there may be cases where an employee entered something malicious and it would get through.

At the end of the day it's your choice.

Do I need to stress over injection?

Yes, because what you are really doing is preventing sql special characters in the data from breaking the sql query syntax, which will generally produce a query error or will return incorrect results. Sql injection is just a special case of intentionally breaking the sql query syntax.

You can use the PDO extension with mssql server, and in fact you should, so that the php statements you learn to use will be usable for other database types and you won’t be learning special purpose php statements for each different database type.

Edit: BTW - the php mssql_ extension was removed in php 7.
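To make the PDO advice concrete, here is the OP's hire-date range query rewritten with a prepared statement against SQL Server. This is an added example, not code from the thread; it assumes the pdo_sqlsrv driver, a table `helper` with a `hiredate` column, and the placeholder connection values shown.

```php
<?php
declare(strict_types=1);

// Reject anything that is not a real calendar date in YYYY-MM-DD form, so only
// well-formed dates reach the query (defence in depth on top of parameter binding).
function isIsoDate(string $value): bool
{
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    return $dt !== false && $dt->format('Y-m-d') === $value;
}

// Returns the helper rows hired on or between the two dates (inclusive).
function helpersHiredBetween(PDO $db, string $from, string $to): array
{
    if (!isIsoDate($from) || !isIsoDate($to)) {
        throw new InvalidArgumentException('Dates must be in YYYY-MM-DD form');
    }
    // DATEADD stays inside the SQL text (it is a T-SQL function, not PHP).
    // The half-open upper bound (< next day) covers any time of day on date_to.
    // User input is bound as parameters, never concatenated into the SQL.
    $sql = 'SELECT * FROM helper
            WHERE hiredate >= :date_from
              AND hiredate <  DATEADD(DAY, 1, :date_to)';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':date_from', $from, PDO::PARAM_STR);
    $stmt->bindValue(':date_to', $to, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_OBJ);
}

if (isset($_POST['submitbutton'])) {
    // Placeholder DSN and credentials (assumed); replace with the real values.
    $db = new PDO(
        'sqlsrv:Server=XXX.XXX.XX.XX;Database=database',
        'user',
        'password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    $rows = helpersHiredBetween(
        $db,
        (string)($_POST['date_from'] ?? ''),
        (string)($_POST['date_to'] ?? '')
    );
    foreach ($rows as $row) {
        // Escape on output as well, so stored data cannot inject HTML into the page.
        echo htmlspecialchars((string)$row->hiredate, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```

A value such as `2020-01-01' OR 1=1 --` in either date field is rejected by `isIsoDate()` before the query runs, and even if it reached the driver it would only ever be compared as a literal string.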

I am using the php with Joomla - can Joomla use PDO? (I know this is a php forum, not designated for Joomla)
