Currently I'm working with this code, it works as it is however needless to say it leaves it open to vulnerabilities any time I change $dateTo
to :dateTo
the query stops working any advice would be great.
$from = $_POST['from'];
$dateTo = $_POST['dateTo'];
$hourTo = $_POST['hoursTo'];
$hourFrom = $_POST['hoursFrom'];
$minuteTo = $_POST['minutesTo'];
$minuteFrom = $_POST['minutesFrom'];
$sql = "SELECT sum(countAudit) AS AMZL, sum(countAudit) AS OTHER, dateEntered, count(sort_id) AS Audited, sum(error) AS error, timeEntered
FROM audits WHERE (dateEntered BETWEEN ':from' AND '$dateTo')";
$query = $db->prepare($sql);
$query->bindParam(':from', $from);
$query->bindParam(':dateTo', $dateTo);
$query->execute();
foreach($db->query($sql) as $row){
echo $row['AMZL'] . "<br>";
}
Use prepared statements properly, named placeholders doesn't need to be quoted.
Plus, don't directly inject variables inside the query statement:
AND '$dateTo')";
It defeats the purposes of prepared statements.
And don't mix up ->query()
and ->execute()
. Just use straight up ->execute()
:
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
// turn on error reporting
$from = $_POST['from'];
$dateTo = $_POST['dateTo'];
$hourTo = $_POST['hoursTo'];
$hourFrom = $_POST['hoursFrom'];
$minuteTo = $_POST['minutesTo'];
$minuteFrom = $_POST['minutesFrom'];
$sql = "
SELECT
sum(countAudit) AS AMZL,
dateEntered,
count(sort_id) AS Audited,
um(error) AS error,
timeEntered
FROM audits
WHERE (dateEntered BETWEEN :from AND :dateTo)
"; // ^remove quotes^
$query = $db->prepare($sql);
$query->bindParam(':from', $from);
$query->bindParam(':dateTo', $dateTo);
$query->execute(); // execute
$results = $query->fetchAll(PDO::FETCH_ASSOC);
// don't forget to fetch the results
foreach($results as $row){
echo $row['AMZL'] . "<br>";
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.