url date to sql using php

  • cellurl
    New Member
    • Jun 2013
    • 5

    url date to sql using php

    I am having trouble with "date".
    Thanks for looking!
    I will give kudos on our site for any help,
    and or a paypal tip.

    Code:
    http://www.wikispeedia.org/a/marks_bb2b.php?since=2013-11-11
    ------./a/marks_bb2b.php-----------
    Code:
    <?php
    // Stop the XML response from being cached
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Pragma: no-cache");
    header("content-type:text/xml");
    include("../dbconnect.php");

    // Date taken straight from the query string (the value this thread is about)
    $since = $_GET['since'];

    echo "<markers>";

    // $since is interpolated unquoted into the SQL, which is the problem discussed in the replies
    $query = "SELECT * from signs4 where submittedOn >= $since LIMIT 63";

    $results = mysql_query($query);
    while ($row = mysql_fetch_array($results)) {
        echo '<marker label="' . $row[0] . '" lat="' . $row[1] . '" lng="' . $row[2] . '" mph="' . $row[3] . '" kph="' . $row[4] . '" cog="' . $row[5] . '" submittedOn="' . $row[6] . '" deletedOn="' . $row[7] . '" />';
    }

    echo "</markers>";
    ?>
  • Dormilich
    Recognized Expert Expert
    • Aug 2008
    • 8694

    #2
    Dates are passed as strings, and hence you need to wrap them in quotes (otherwise SQL will interpret it as math: 2013-11-11 = 1991).

    PS. You’re wide open to SQL Injection, and you’re using the outdated and deprecated mysql extension. Better use Prepared Statements as provided in the PDO or MySQLi extensions.


    • Luuk
      Recognized Expert Top Contributor
      • Mar 2012
      • 1043

      #3
      Originally posted by Dormilich
      you’re wide open to SQL Injection
      OK, I can be
      Originally posted by manual
      mysql_query() sends a unique query (multiple queries are not supported).....
      But it would be better to give some example of how this can be dealt with, so cellurl can take advantage of this....

      A simple

      won't work for sql-injection, because of the above quote from the docs.


      • Dormilich
        Recognized Expert Expert
        • Aug 2008
        • 8694

        #4
        A simple

        won't work for sql-injection, because of the above quote from the docs.
        who said SQL Injection is limited to do multiple queries? what about UNIONs and sub-SELECTs?

        But it would be better to give some example how this can be dealt with
        plenty of examples on how to use a Prepared Statement. and I always try to teach how to solve a problem. because I firmly believe, that just handing over the solution neither satisfies me nor helps the OP in the long run.


        • Luuk
          Recognized Expert Top Contributor
          • Mar 2012
          • 1043

          #5
          ok, I must not have been awake this morning.... ;)


          • cellurl
            New Member
            • Jun 2013
            • 5

            #6
            thanks for the prepared statement info. I read about it.

            How do I get """" around the date?
            I am a php hack at best...
            Thanks again.


            • Luuk
              Recognized Expert Top Contributor
              • Mar 2012
              • 1043

              #7
              Line#14
              Code:
              $query = " SELECT * from signs4 where submittedOn >= '$since' LIMIT 63";


              • cellurl
                New Member
                • Jun 2013
                • 5

                #8
                Didn't seem to work....

                Code:
                $query = " SELECT * from signs4 where submittedOn >= '$since' LIMIT 63";
                I think it needs double-quote, but I don't know how to string that together.
                For example, in mysql this works
                Code:
                SELECT * FROM SIGNS WHERE submittedOn > "2013-01-01";
                Last edited by cellurl; Jun 7 '13, 04:47 PM. Reason: more insight.


                • cellurl
                  New Member
                  • Jun 2013
                  • 5

                  #9
                  thanks Dormilich. I wanted to give you partial credit, but can't!
                  Give me a bitcoin or paypal and I will tip.


                  • Dormilich
                    Recognized Expert Expert
                    • Aug 2008
                    • 8694

                    #10
                    I think it needs double-quote
                    SQL allows both single quotes and double quotes. so it doesn’t matter.

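A worked version of the fix Dormilich recommends in #2, which also settles the quoting question from #6 to #10, written for this thread as an added example (it is not code from any of the posters): the `since` value is checked to be a YYYY-MM-DD date and bound through a PDO prepared statement instead of being pasted into the SQL. The DSN, user and password are placeholders, and the column order is assumed to match the OP's `$row[0]` to `$row[7]` usage.

```php
<?php
// Added example, not the OP's code: the same query with `since` validated and
// bound as a PDO parameter, so the driver sends it as a quoted string and the
// value can never change the shape of the SQL.
header('Content-Type: text/xml');

// Connection details are placeholders for whatever ../dbconnect.php holds.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Accept only a YYYY-MM-DD date; the round-trip check rejects 2013-02-30 etc.
$since = $_GET['since'] ?? '';
$dt = DateTime::createFromFormat('!Y-m-d', $since);
if ($dt === false || $dt->format('Y-m-d') !== $since) {
    http_response_code(400);
    exit('<error>since must be a date in YYYY-MM-DD form</error>');
}

// :since is a bound parameter, not text pasted into the query string.
$stmt = $pdo->prepare(
    'SELECT * FROM signs4 WHERE submittedOn >= :since LIMIT 63'
);
$stmt->execute([':since' => $since]);

// XMLWriter escapes each attribute value, so stored text cannot break the markup.
$attrs = ['label', 'lat', 'lng', 'mph', 'kph', 'cog', 'submittedOn', 'deletedOn'];
$xml = new XMLWriter();
$xml->openMemory();
$xml->startElement('markers');
while ($row = $stmt->fetch(PDO::FETCH_NUM)) {
    $xml->startElement('marker');
    foreach ($attrs as $i => $name) {   // same column order as the OP's $row[0..7]
        $xml->writeAttribute($name, (string) $row[$i]);
    }
    $xml->endElement();
}
$xml->endElement();
echo $xml->outputMemory();
```

With the value bound this way the question of single versus double quotes disappears: the driver quotes the parameter itself, and a request such as `?since=2013-11-11` compares against the string, not the arithmetic result 1991.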
