Author Topic: Use Post Value In SQL Query  (Read 312 times)

chalupabatman

  • New Member
  • *
  • Posts: 13
  • Karma: 0
I want to capture my POST value and use it in my SQL query. When I try this syntax, NetBeans shows it is invalid, but I am not sure how to fix it. What should I change so this becomes valid syntax? (The issue is the query itself.)
  <html>
   <div>
    <div style="margin:10px;min-width: 200px;">Start Date: <input type="date" name="date_from" id="date_from"></div>
    <div style="margin:10px;min-width: 200px;">End Date: <input type="date" name="date_to" id="date_to"></div>
   </div>
  </html>
  <?php
   if (!isset($_POST['submitbutton'])) die();

   {
    $query = "Select * from helper where hiredate >= '" . $_POST['date_from'] . "'" AND hiredate <= '" . DATEADD(DAY,1,$_POST['date_to']) . "'";
   }
  ?>

 

PHP Help Forum

Use Post Value In SQL Query
« on: May 18, 2017, 11:18:10 am »


daveismyname

  • Senior Member
  • ****
  • Posts: 317
  • Karma: 8
  • PHP Helper
You have an extra "
  '" . $_POST['date_from'] . "'"



Also, you need to secure your variables before passing them to your query; this is open to SQL injection.


Re: Use Post Value In SQL Query
« Reply #1 on: May 18, 2017, 11:26:22 am »




Re: Use Post Value In SQL Query
« Reply #2 on: May 18, 2017, 11:29:09 am »


daveismyname

  • Senior Member
  • ****
  • Posts: 317
  • Karma: 8
  • PHP Helper
That was your code; I was pointing it out.

Ideally, using PDO would be best; then you can use prepared statements.

I'm guessing you're using MySQL, so you can use mysql_real_escape_string()

  if (!isset($_POST['submitbutton'])) die();

  {
   $query = "Select * from helper where hiredate >= '" . mysql_real_escape_string($_POST['date_from']) . "' AND hiredate <= '" . DATEADD(DAY,1,mysql_real_escape_string($_POST['date_to'])) . "'";
  }
 




Re: Use Post Value In SQL Query
« Reply #3 on: May 18, 2017, 11:33:41 am »


chalupabatman

  • New Member
  • *
  • Posts: 13
  • Karma: 0
I am actually using SQL Server and connecting like the below:
  $option = array();
  $option['driver'] = 'mssql';
  $option['host'] = 'XXX.XXX.XX.XX';
  $option['user'] = 'user';
  $option['password'] = 'password';
  $option['database'] = 'database';
  $option['prefix'] = '';
  $db = JDatabase::getInstance($option);
  $sql = $db->getQuery(true);
  $sql = "SELECT statement";
  $db->setQuery($sql);
  $sql = $db->loadObjectList();
 


Re: Use Post Value In SQL Query
« Reply #4 on: May 18, 2017, 11:35:10 am »


Kevin Rubio

  • Professional PHP Helper
  • Senior Member
  • *
  • Posts: 1844
  • Karma: 108
  • Programmer Available for hire

I'm guessing you're using MySQL, so you can use mysql_real_escape_string()

NOOOOOOOOOOOO!!!!!!!!!!

Don't even think of suggesting that the OP use mysql_* anything!

OP, if you are using the highly insecure, obsolete mysql_* functions, get your code off the internet right now and update it (re-write) with PDO. Here is a PDO tutorial: https://phpdelusions.net/pdo
PDO Bumpstart Database

The XY Problem
The XY problem is asking about your attempted solution (X) rather than your actual problem (Y). This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help. http://xyproblem.info/


Re: Use Post Value In SQL Query
« Reply #5 on: May 18, 2017, 11:38:45 am »
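The prepared-statement version that both replies above are recommending, written out as an added example (this is not code from the thread or from either poster). It keeps the thread's own names (table helper, column hiredate, form fields date_from and date_to) and the OP's stated database (SQL Server, here reached through the pdo_sqlsrv driver); the DSN host, database name and credentials are placeholders, and the parseDate/connect/helpersHiredBetween functions are this example's own. Note that DATEADD is T-SQL, so it moves into the SQL text; the user-supplied dates are bound as parameters and never concatenated into the statement.

```php
<?php
// Added example, not from the thread: the OP's date-range query as a PDO
// prepared statement against SQL Server. Table/column/field names come from
// the thread; DSN, credentials and the helper functions are assumptions.

declare(strict_types=1);

// Accept only a complete YYYY-MM-DD date (what <input type="date"> submits).
// Rejecting anything else up front keeps junk out of the query and gives the
// user a clear error instead of a database exception. '!' resets unparsed
// fields; the round-trip check rejects dates such as 2017-02-30.
function parseDate(string $raw): ?string
{
    $dt = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $dt->format('Y-m-d');
}

function connect(): PDO
{
    // pdo_sqlsrv DSN; host, database and credentials are placeholders.
    $dsn = 'sqlsrv:Server=DB_HOST_PLACEHOLDER;Database=DB_NAME_PLACEHOLDER';
    $pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    // Throw on errors rather than silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    return $pdo;
}

/**
 * Return the helper rows hired from $from through $to inclusive.
 * The end bound is "< the day after $to" so a datetime column with a
 * time-of-day part is still covered for the whole of the last day; the OP's
 * "<= DATEADD(DAY, 1, ...)" would also include midnight of the following day.
 */
function helpersHiredBetween(PDO $pdo, string $from, string $to): array
{
    $sql = 'SELECT * FROM helper
            WHERE hiredate >= :date_from
              AND hiredate <  DATEADD(DAY, 1, :date_to)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':date_from' => $from, ':date_to' => $to]);
    return $stmt->fetchAll();
}

if (!isset($_POST['submitbutton'])) {
    die();
}

$from = parseDate((string) ($_POST['date_from'] ?? ''));
$to   = parseDate((string) ($_POST['date_to'] ?? ''));
if ($from === null || $to === null || $from > $to) {
    http_response_code(400);
    die('Please enter a valid start and end date (YYYY-MM-DD).');
}

$rows = helpersHiredBetween(connect(), $from, $to);
foreach ($rows as $row) {
    // Escape on output as well; the values came from the database, not the user,
    // but the column could hold anything.
    echo htmlspecialchars((string) $row['hiredate'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The two defences are independent: the prepared statement is what stops injection, and the date validation is what keeps a malformed or out-of-order range from reaching the database at all. If the Joomla JDatabase connection from the earlier reply has to stay, the same rule applies there: run the validated values through the driver's own quote() instead of concatenating raw $_POST values into the query text.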




Re: Use Post Value In SQL Query
« Reply #6 on: May 18, 2017, 11:39:43 am »


daveismyname

  • Senior Member
  • ****
  • Posts: 317
  • Karma: 8
  • PHP Helper
NOOOOOOOOOOOO!!!!!!!!!!

Don't even think of suggesting that the OP use mysql_* anything!

OP, if you are using the highly insecure, obsolete mysql_* functions, get your code off the internet right now and update it (re-write) with PDO. Here is a PDO tutorial: https://phpdelusions.net/pdo

I wasn't suggesting to use MySQL; I was guessing, wrongly, that the OP was using MySQL, but that's not the case. I did suggest to use PDO.


Re: Use Post Value In SQL Query
« Reply #7 on: May 18, 2017, 11:40:51 am »




Re: Use Post Value In SQL Query
« Reply #8 on: May 18, 2017, 11:46:18 am »


Kevin Rubio

  • Professional PHP Helper
  • Senior Member
  • *
  • Posts: 1844
  • Karma: 108
  • Programmer Available for hire