1

On my website I have made an automatic invoice system. It will generate an invoice for a certain user from a certain month. You can select the user, month and year and then click generate.

But in my MySQL database, I've stored the products the user ordered on date with a Unix timestamp. Now I want to load all the products from a certain month by checking if the Unix timestamp matches. But it won't work.

My code:

require "connect.php";
$create_by=$_GET['user'];
$jaar=$_GET['jaar'];
$maand=$_GET['maand'];
$number = cal_days_in_month(CAL_GREGORIAN, $maand, $jaar);
$result = mysql_query("SELECT *
FROM `mrbs_entry`
WHERE start_time >= UNIX_TIMESTAMP(".$jaar."-".$maand."-01)
AND start_time <= UNIX_TIMESTAMP(".$jaar."-".$maand."-".$number.")
AND create_by = '".$create_by."'
ORDER BY `start_time`, `room_id`");

The date is given through the link, like user, maand, jaar.

maand is the month, and jaar is the year.

1
  • Is start_time a UNIX timestamp? Commented Jan 15, 2016 at 14:23

1 Answer

3

You didn't quote your date values within the query, so effectively you're building

... WHERE start_time >= UNIX_TIMESTAMP(2016-01-15)

That's not a date value, it's a double mathematical subtraction, and you're really executing UNIX_TIMESTAMP(2000), which is way back in 1970.

WHERE start_time >= UNIX_TIMESTAMP('".$jaar."-".$maand."-01')
                                   ^-----------------------^

Note the indicated quotes. And also note that you're wide open for sql injection attacks, so enjoy having your server pwn3d.


2 Comments

What do you mean with sql injection attacks?
I love that xkcd-strip!
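
Added example (not part of the question or the answer): the same month query written with PDO placeholders, so that `user`, `jaar` and `maand` never become part of the SQL text. It goes slightly beyond the answer by using a half-open timestamp range computed in PHP, which also covers entries made during the last day of the month. The function names, the SQLite in-memory database, the sample rows and the UTC timezone are assumptions made so the script runs on its own; with MySQL only the PDO connection string changes.

```php
<?php
// Added example. Table and column names are from the question; the SQLite
// in-memory database, rows and UTC timezone are assumptions so it runs offline.

function monthRange(int $jaar, int $maand, DateTimeZone $tz): array
{
    // Half-open range [first of month, first of next month), so entries
    // during the last day of the month are included.
    $start = new DateTimeImmutable(sprintf('%04d-%02d-01 00:00:00', $jaar, $maand), $tz);
    return [$start->getTimestamp(), $start->modify('+1 month')->getTimestamp()];
}

function entriesForMonth(PDO $db, string $user, string $jaar, string $maand): array
{
    // Accept digits only, then check that they form a real year/month.
    if (!ctype_digit($jaar) || !ctype_digit($maand) || !checkdate((int)$maand, 1, (int)$jaar)) {
        throw new InvalidArgumentException('invalid year or month');
    }
    [$from, $to] = monthRange((int)$jaar, (int)$maand, new DateTimeZone('UTC'));

    // Placeholders: the values travel separately from the SQL text.
    $stmt = $db->prepare(
        'SELECT * FROM mrbs_entry
          WHERE start_time >= :from AND start_time < :to AND create_by = :user
          ORDER BY start_time, room_id'
    );
    $stmt->bindValue(':from', $from, PDO::PARAM_INT);
    $stmt->bindValue(':to', $to, PDO::PARAM_INT);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample rows.
$utc = new DateTimeZone('UTC');
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mrbs_entry (start_time INTEGER, room_id INTEGER, create_by TEXT)');
$ins = $db->prepare('INSERT INTO mrbs_entry VALUES (?, ?, ?)');
$rows = [['2016-01-31 18:00', 2, 'alice'], ['2016-02-01 00:00', 1, 'alice'], ['2016-01-10 09:00', 1, 'bob']];
foreach ($rows as [$when, $room, $who]) {
    $ins->execute([(new DateTimeImmutable($when, $utc))->getTimestamp(), $room, $who]);
}

// A normal request, then a user value containing quote characters.
foreach (['alice', "x' OR '1'='1"] as $user) {
    printf("%s: %d row(s)\n", $user, count(entriesForMonth($db, $user, '2016', '01')));
}
```

PDO is used here because the `mysql_*` functions from the question were removed in PHP 7.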
