
Well, I have these two statements. IGNORE THE SECURITY RISK (SQL INJECTION). A user inputs a date in this format: 2016-7-9. How can one get and modify the date, since I've tried with

$sql =  "SELECT DISTINCT msisdn FROM customer WHERE time_paid BETWEEN ADDDATE('$time1',INTERVAL 0 HOUR) AND ADDDATE('$time2',INTERVAL '23:59' HOUR_MINUTE)";

where $time1 and $time2 are in this format, so the select statement does not work. I could be wrong, but I think it expects this format: 2016-01-12?

This works:

$sql =  "SELECT DISTINCT msisdn FROM customer WHERE time_paid BETWEEN 2015-01-10 12:23:34 AND 2017-12-12 12:12:12";

Does anyone know how I can use this format (2016-3-3) in my query?

  • What's the format of your time_paid column? Commented Jul 8, 2016 at 15:26
  • It is time_paid DATETIME ... on the table Commented Jul 8, 2016 at 15:28
  • I hate when people say "I'm not that far along..." or "This site will not be public..." or "It's only for school, so security doesn't matter...". If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, "I'll add security later..." or "Security isn't important now..." or "Ignore the security risk...". If you don't have time to do it right the first time, when will you find the time to add it later? Commented Jul 8, 2016 at 15:31
  • How about str_pad or some other magic sauce you PHP people use? Commented Jul 8, 2016 at 15:33
  • @JayBlanchard +1000000 Nobody ever finds the time to go back and fix the security flaws left exposed by lazy coding until it has been exploited and the data is defaced or destroyed. It is SO SIMPLE to code with parameters; it is laziness or negligence to do it any other way. Commented Jul 8, 2016 at 16:14

1 Answer

Format your MySQL time_paid DATETIME column value to match with your constraint value this way:

DATE_FORMAT(time_paid, '%Y-%c-%e') // 2016-3-3

where,

%Y - Four digits year e.g., 2000, 2001,…etc.

%c - Month in numeric e.g., 1, 2, 3…12

%e - Day of the month without leading zero e.g., 1,2,…31

So, your SQL would be:

$sql =  "SELECT DISTINCT msisdn FROM customer WHERE DATE_FORMAT(time_paid, '%Y-%c-%e') BETWEEN ADDDATE('$time1',INTERVAL 0 HOUR) AND ADDDATE('$time2',INTERVAL '23:59' HOUR_MINUTE)";
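An added example, not from the question or the answer above, that takes the other route the comments point at: it normalises the user's 2016-7-9 string to 2016-07-09 in PHP, binds it through PDO instead of interpolating it, and uses a half-open range in place of the '23:59' interval. The DSN, credentials and sample inputs are assumed placeholders.

```php
<?php
// Added example: normalise a loosely formatted date and bind it as a parameter.

function normalizeDate(string $input): string
{
    // Accept 2016-7-9 or 2016-07-09 (year, 1-2 digit month, 1-2 digit day); reject anything else.
    if (!preg_match('/^(\d{4})-(\d{1,2})-(\d{1,2})$/', $input, $m)) {
        throw new InvalidArgumentException("Unexpected date format: $input");
    }
    // Reject calendar nonsense such as 2016-2-30 before it reaches the database.
    if (!checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        throw new InvalidArgumentException("Invalid calendar date: $input");
    }
    // Canonical zero-padded form MySQL parses unambiguously.
    return sprintf('%04d-%02d-%02d', $m[1], $m[2], $m[3]);
}

// Constructed sample inputs standing in for the user's submitted values.
$time1 = normalizeDate('2016-7-9');   // "2016-07-09"
$time2 = normalizeDate('2016-7-12');  // "2016-07-12"

// Assumed connection details; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=billing;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Half-open range: everything from the start of $time1 up to, but excluding,
// the start of the day after $time2. This keeps rows paid at 23:59:30 on the
// last day, which the '23:59' HOUR_MINUTE interval would drop, and lets MySQL
// use an index on time_paid because the column itself is not wrapped in a function.
$stmt = $pdo->prepare(
    'SELECT DISTINCT msisdn
       FROM customer
      WHERE time_paid >= :start
        AND time_paid <  DATE_ADD(:end, INTERVAL 1 DAY)'
);
$stmt->execute([':start' => $time1, ':end' => $time2]);
$msisdns = $stmt->fetchAll(PDO::FETCH_COLUMN);
```

Because the dates arrive as bound parameters, the value the user typed is never spliced into the SQL text, so the injection risk the question sets aside disappears along with the formatting problem.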