anser316 Posted April 13, 2008

I can't work SQL queries because I think quotes are needed for date. On phpadmin I found out that without single quotes in date no rows are selected, i.e. expiry_date='2008-04-07' will work, but expiry_date=2008-04-07 will not. Below are parts of two forms.

Form 1

    $counter=0;
    $result =mysql_query("SELECT expiry_date FROM stock_expdates");
    while($row = mysql_fetch_array( $result )) {
        echo "<input type='hidden' name=expiry_date[$counter] value='$row[expiry_date]'>";
        $counter++;
    }

Form 2

    $expdate=$_POST['expiry_date'][$row_value];
    $result2 =mysql_query("DELETE FROM stock_expdates WHERE expiry_date=$expdate")
        or die ("Query:<br>$result2<br>Error:<br>".mysql_error());

This does not delete. When I echo $expdate, I get 2008-04-07. This is why I believe the SQL statement does not work properly.

I have 2 questions:
1. Am I right?
2. How can I send the date with single quotes?

Help will be much appreciated, thanks.

Link to comment: https://forums.phpfreaks.com/topic/100964-solved-putting-quotes/

atl_andy Posted April 13, 2008

I tested this out using:

    <?php
    $expiry_date = "2008-04-07";
    $add_quotes = str_replace($expiry_date, " '$expiry_date' ", $expiry_date);
    echo $add_quotes;
    ?>

You would just need to pass $add_quotes to your query.

laffin Posted April 13, 2008

Why even use str_replace?

    $result2 =mysql_query("DELETE FROM stock_expdates WHERE expiry_date='$expdate'")
        or die ("Query: $result2 Error: ".mysql_error());

Just add single quotes directly in the query string. You should be careful with the $_POST vars, and validate the info.

atl_andy Posted April 13, 2008

Yep, figured it was that easy....

anser316 Posted April 13, 2008

thanks, validate?

laffin Posted April 14, 2008

Taking GET POST directly will allow abuse for SQL injection attacks. Probably the simplest form of validating the GET POST for the date is using preg_match, since the date is always in a specific pattern.

    $expiry_date=$_POST['expiry_date'][$row_value];
    if(!preg_match('/^\d{4}-\d{2}-\d{2}$/',$expiry_date)) {
        // Does not match date format, fail processing
        header('Location: error.html');
        exit;
    }
    // Everything ok, continue processing
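
Added example, not code from the thread: the date validation described above combined with a bound query parameter, which goes one step beyond the posts so the value is never spliced into the SQL text and needs no hand-placed quotes. It assumes PDO with the pdo_sqlite driver and a constructed in-memory table; the helper names valid_expiry_date and delete_expiry_date are hypothetical.

```php
<?php
// Added example (not from the thread). Assumes the pdo_sqlite extension so it
// runs offline; the same PDO calls work against MySQL with a mysql: DSN.

// Accept only a real calendar date in YYYY-MM-DD form.
// \A and \z anchor the whole string; a plain $ would also accept "2008-04-07\n".
function valid_expiry_date($value): bool
{
    if (!is_string($value) || !preg_match('/\A(\d{4})-(\d{2})-(\d{2})\z/', $value, $m)) {
        return false; // also covers a nested array arriving in $_POST
    }
    return checkdate((int)$m[2], (int)$m[3], (int)$m[1]); // month, day, year
}

// Delete rows for one expiry date. The value is bound as a parameter, so it is
// sent separately from the SQL statement and cannot change its structure.
function delete_expiry_date(PDO $db, $value): int
{
    if (!valid_expiry_date($value)) {
        return -1; // rejected before touching the database
    }
    $stmt = $db->prepare('DELETE FROM stock_expdates WHERE expiry_date = :d');
    $stmt->execute([':d' => $value]);
    return $stmt->rowCount();
}

// Constructed sample table standing in for the poster's stock_expdates.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stock_expdates (expiry_date TEXT)');
$db->exec("INSERT INTO stock_expdates VALUES ('2008-04-07'), ('2008-05-01'), ('2008-06-15')");

// Constructed inputs: one well-formed date and several that must be refused.
$inputs = ['2008-04-07', "2008-05-01\n", '2008-13-45', '07/04/2008',
           "2008-06-15' OR '1'='1", ['2008-06-15']];
foreach ($inputs as $in) {
    $n = delete_expiry_date($db, $in);
    $label = json_encode($in, JSON_UNESCAPED_SLASHES);
    printf("%-28s %s\n", $label, $n < 0 ? 'rejected' : "deleted $n row(s)");
}
$left = $db->query('SELECT COUNT(*) FROM stock_expdates')->fetchColumn();
echo "rows remaining: $left\n";
```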