anser316 Posted April 13, 2008 Share Posted April 13, 2008 I cant work sql queries because i think quotes are needed for date. On phpadmin i found out that without single quotes in date no rows are selected i.e. expiry_date='2008-04-07' will work, but expiry_date=2008-04-07 will not. Below are parts of two forms Form 1 $counter=0; $result =mysql_query("SELECT expiry_date FROM stock_expdates"); while($row = mysql_fetch_array( $result )) { echo "<input type='hidden' name=expiry_date[$counter] value='$row[expiry_date]'>"; $counter++;} Form 2 $expdate=$_POST['expiry_date'][$row_value]; $result2 =mysql_query("DELETE FROM stock_expdates WHERE expiry_date=$expdate") or die ("Query:<br>$result2<br>Error:<br>".mysql_error()); This does not delete. when i echo $expdate, i get 2008-04-07. This is why i beleive the sql statement does not work properly. I have 2 questions: 1.Am I right? 2.How can i send the date with single quotes Help will be much appreciated, thanks Link to comment https://forums.phpfreaks.com/topic/100964-solved-putting-quotes/ Share on other sites More sharing options...
atl_andy Posted April 13, 2008 Share Posted April 13, 2008 I tested this out using: <?php $expiry_date = "2008-04-07"; $add_quotes = str_replace($expiry_date, " '$expiry_date' ", $expiry_date); echo $add_quotes; ?> You would just need to pass $add_quotes to your query. Link to comment https://forums.phpfreaks.com/topic/100964-solved-putting-quotes/#findComment-516355 Share on other sites More sharing options...
laffin Posted April 13, 2008 Share Posted April 13, 2008 why even use str_replace? $result2 =mysql_query("DELETE FROM stock_expdates WHERE expiry_date='$expdate'") or die ("Query: $result2 Error: ".mysql_error()); just add single quotes directly in the query string. u shud be careful with the $_POST vars, and validate the info. Link to comment https://forums.phpfreaks.com/topic/100964-solved-putting-quotes/#findComment-516357 Share on other sites More sharing options...
atl_andy Posted April 13, 2008 Share Posted April 13, 2008 Yep, figured it was that easy.... Link to comment https://forums.phpfreaks.com/topic/100964-solved-putting-quotes/#findComment-516365 Share on other sites More sharing options...
anser316 Posted April 13, 2008 Author Share Posted April 13, 2008 thanks, validate? Link to comment https://forums.phpfreaks.com/topic/100964-solved-putting-quotes/#findComment-516372 Share on other sites More sharing options...
laffin Posted April 14, 2008 Share Posted April 14, 2008 taking GET POST directly will allow abuse for SQL Injection attacks. prolly the simplest form of validating the GET POST for the date is using preg_match, since the date is always in a specific pattern. $expiry_date=$_POST['expiry_date'][$row_value]; if(!preg_match('/^\d{4}-\d{2}-\d{2}$/',$expiry_date)) { // Does not match date format, fail processing header('Location: error.html'); exit; } // Everything ok, continue processing Link to comment https://forums.phpfreaks.com/topic/100964-solved-putting-quotes/#findComment-516376 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.