如何將SQL查詢轉換為准備好的語句PHP

Question

我目前無法將下面的SQL查詢轉換為准備好的語句。

$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$dateswitch1 = date("Y-m-d", strtotime($XSS_BLOCK2));
$dateswitch2 = date("Y-m-d", strtotime($XSS_BLOCK3));

$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE $dateswitch1 AND $dateswitch2 BETWEEN StartDate AND EndDate");

例如，工作代碼$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE '2004-07-22' AND '2016-05-20' BETWEEN StartDate AND EndDate");

代碼示例：

$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$dateswitch1 = date("Y-m-d", strtotime($XSS_BLOCK2));
$dateswitch2 = date("Y-m-d", strtotime($XSS_BLOCK3));
$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE ? AND ? BETWEEN StartDate AND EndDate");
$securesqlstring->bindParam(1,$dateswitch1);
$securesqlstring->bindParam(2,$dateswitch2);
$securesqlstring->execute();

目前無法運作。

在另一個項目上工作的工作更新語句的示例我想將上面的SQL查詢轉換為類似下面的示例：

$id = $_POST["id"];
$stocklevel = $_POST["stocklevel"];

$XSS_Block1 = htmlentities ($id, ENT_QUOTES, "UTF-8");
$XSS_Block2 = htmlentities ($stocklevel, ENT_QUOTES, "UTF-8");

$conn = new PDO("mysql:host=localhost;dbname=;","","");
$mattssqlstring = $conn->prepare("UPDATE `products` SET stocklevel=stocklevel-? WHERE ID=? and stocklevel = ?");
$mattssqlstring->bindParam(1,$XSS_Block2);
$mattssqlstring->bindParam(2,$XSS_Block1);
$mattssqlstring->bindParam(3,$XSS_Block2);
$mattssqlstring->execute();

Answer 1

$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$securesqlstring = $secureconn->prepare("SELECT * FROM `Lateday` WHERE STR_TO_DATE(:date1,'%d-%m-%Y') AND STR_TO_DATE(:date2,'%d-%m-%Y') BETWEEN `StartDate` AND `EndDate`");
$mattssqlstring->bindParam(':date1',$XSS_BLOCK2);
$mattssqlstring->bindParam(':date2',$XSS_BLOCK3);
$securesqlstring->execute();