Oracle Date Error ON IN valid Month

Question

My Query

SELECT POSSESSION.*,PLOT.*,SCHEME_BLOCK.BLOCK 
FROM POSSESSION, PLOT, SCHEME_BLOCK 
WHERE POSSESSION.PLOT_ID=PLOT.PLOT_ID AND PLOT.PLOT ='10' 
AND PLOT.BLOCK_ID = SCHEME_BLOCK.BLOCK_ID AND SCHEME_BLOCK.BLOCK_ID='3' 
AND POSSESSION.CREATED_ON between '1420066800' and '1443650400' 

MY php code is given as under..

$query = "SELECT " . $_REQUEST['tb'] . ".*,PLOT.*,SCHEME_BLOCK.BLOCK 
FROM " . $_REQUEST['tb'] . ", PLOT, SCHEME_BLOCK WHERE " . $_REQUEST['tb'] . ".PLOT_ID=PLOT.PLOT_ID AND PLOT.PLOT ='" . $_REQUEST['ps'] . "' 
AND PLOT.BLOCK_ID = SCHEME_BLOCK.BLOCK_ID AND SCHEME_BLOCK.BLOCK_ID='" . $_REQUEST['bid'] . "' AND SCHEME_BLOCK.CREATED_ON between '".strtotime(date('d-M-Y', strtotime($_REQUEST['sdate'])))."' and '".strtotime(date('d-M-Y', strtotime($_REQUEST['edate'])))."'";

While inserting the date I m doing this

$CREATED_ON=date("d-M-Y");

Error:

ORA-01843: not a valid month
01843. 00000 -  "not a valid month"
*Cause:    
*Action:

Please help me out...how can I get it right ... I m coding in php

Thanks in advance

Answer 1

POSSESSION.CREATED_ON between '1420066800' and '1443650400'

When you have values in single-quotes , it is a string , so '1443650400' is NOT a DATE . You must explicitly convert it into DATE using TO_DATE and a proper format model .

Answer 2

To begin with, this code looks like simple copy+paste you don't really understand:

strtotime(date('d-M-Y', strtotime($_REQUEST['sdate'])))

It actually does this:

1. Take a string
2. Convert to timestamp
3. Convert to string
4. Convert to timestamp again

Anyway, Oracle does not understand Unix timestamps in DATE columns. You have to use the TO_DATE() function to create a proper date and, of course, prepared statements to make it all sane. Something on this line:

$query = "SELECT ......... 
   AND POSSESSION.CREATED_ON between TO_DATE(:created_from, 'YYYY-MM-DD') 
       and TO_DATE(:created_to, 'YYYY-MM-DD')";

... and the parameter array would look like this:

$params = array(
    'created_from' => date('Y-m-d', $created_from_unix_timestamp),
    'created_to' => date('Y-m-d', $created_from_unix_timestamp),
);

... or this:

$params = array(
    'created_from' => $created_from_datetime_object->format('Y-m-d')
    'created_to' => $created_to_datetime_object->format('Y-m-d')
);

Still, you must be aware that dates without times default to 00:00:00 so a row there created_on is 2014-01-10 01:00:00 is greater than 2014-01-10 .

Last but not least, injecting raw external input into your code as in:

"SELECT " . $_REQUEST['tb'] . "...

... is a call to be hacked. Seriously. Usual excuses ("I'll fix it later", "it's just for internal usage") are only that, excuses.

Answer 3

Try to reformulate your query:

$query = "SELECT " . $_REQUEST['tb'] . ".*,PLOT.*,SCHEME_BLOCK.BLOCK 
FROM " . $_REQUEST['tb'] . ", PLOT, SCHEME_BLOCK WHERE " . $_REQUEST['tb'] . ".PLOT_ID=PLOT.PLOT_ID AND PLOT.PLOT ='" . $_REQUEST['ps'] . "' 
AND PLOT.BLOCK_ID = SCHEME_BLOCK.BLOCK_ID AND SCHEME_BLOCK.BLOCK_ID='" . $_REQUEST['bid'] . "' AND TRUNC(SCHEME_BLOCK.CREATED_ON, 'DD/MM/YYYY') between " . "TO_DATE('" . date('d-m-Y', strtotime($_REQUEST['sdate'])) . "', 'DD/MM/YYYY') and TO_DATE('" . date('d-m-Y', strtotime($_REQUEST['edate'])) . "', 'DD/MM/YYYY')";