On Jan 15, 2008 11:51 AM, Adam Williams <awilliam@xxxxxxxxxxxxxxxx> wrote:

> Andrew Ballard wrote:
> > Just curious why you won't take 1-15-2008. Once you validate it, you
> > can always assign it to a variable as either a timestamp or a DateTime
> > object and then format it however you want when you display it, send
> > it to a database, or whatever you are doing with the date.
> >
> > FWIW, what you have above will also accept 42-75-2008.
> >
> > Andrew
>
> Because I'm inserting it into MySQL as a date conversion from American
> date to a MySQL date field. %m must be ##, %d must be ##, and %Y must be
> ####. So if %m or %d is set to 1 - 9 and not 01 - 09 it will error.
>
> $mysqli_insert_sql = "INSERT INTO contract (user_id, cwcv,
> amount, responsibility, length_start, length_end, stage, title, lastmod,
> divdirdate)
> VALUES ( '$user_id', '". $_POST["cwcv"]."', '".$_POST["amount"]."',
> '".$_POST["responsibility"]."',
> STR_TO_DATE('".$_POST["length_start"]."', '%m-%d-%Y'),
> STR_TO_DATE('".$_POST["length_end"]."', '%m-%d-%Y'), '1',
> '".$_POST["title"]."', now(), now())";

All the more reason I would turn it into a timestamp or DateTime object in
PHP first. That will prevent trying to insert something like what I used
above. Then I would get rid of the MySQL STR_TO_DATE function in the
$mysqli_insert_sql value; just replace it with something like this:

date('Y-m-d', $length_start)

If you enter it in that format MySQL will get it right without regard to
locale settings.

I hope that you are sanitizing the rest of the input as well, and not just
shoving unchecked POST data into a database. Your example is a SQL
injection attack waiting to be exploited.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
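The two points raised in this thread (validate the American date in PHP and hand MySQL a Y-m-d string, and stop concatenating POST data into the statement) as one added example; this is not code from either poster. The table and column names are taken from Adam's query, the $mysqli connection is assumed to exist, and the function names are my own.

```php
<?php
declare(strict_types=1);

/**
 * Validate a U.S.-style M-D-YYYY date (1-15-2008 and 01-15-2008 are both
 * accepted) and return it as a MySQL-ready 'Y-m-d' string, or null when the
 * input is not a real calendar date (42-75-2008 and 02-30-2008 both fail).
 */
function usDateToMysql(string $input): ?string
{
    // Shape check: 1-2 digits, dash, 1-2 digits, dash, 4 digits.
    if (!preg_match('/^\s*(\d{1,2})-(\d{1,2})-(\d{4})\s*$/', $input, $m)) {
        return null;
    }
    [$month, $day, $year] = [(int) $m[1], (int) $m[2], (int) $m[3]];

    // checkdate() rejects impossible dates such as month 42 or Feb 30 that
    // a bare DateTime parse would silently roll over into a later date.
    if (!checkdate($month, $day, $year)) {
        return null;
    }

    // '!' resets unspecified fields to the epoch so the time of day and the
    // server's DST state cannot shift the formatted date.
    $dt = DateTimeImmutable::createFromFormat('!n-j-Y', "$month-$day-$year");
    return $dt === false ? null : $dt->format('Y-m-d');
}

/**
 * Insert the contract row with a prepared statement instead of string
 * concatenation. Returns the new row id; throws on a bad date.
 */
function insertContract(mysqli $db, int $userId, array $post): int
{
    $start = usDateToMysql((string) ($post['length_start'] ?? ''));
    $end   = usDateToMysql((string) ($post['length_end'] ?? ''));
    if ($start === null || $end === null) {
        throw new InvalidArgumentException('length_start/length_end must be M-D-YYYY');
    }

    $sql = 'INSERT INTO contract (user_id, cwcv, amount, responsibility, '
         . 'length_start, length_end, stage, title, lastmod, divdirdate) '
         . 'VALUES (?, ?, ?, ?, ?, ?, 1, ?, NOW(), NOW())';
    $stmt = $db->prepare($sql);
    // Every user-supplied value travels as a bound parameter, so quotes or
    // comment sequences in the input cannot change the statement text.
    $stmt->bind_param('issssss', $userId, $post['cwcv'], $post['amount'],
        $post['responsibility'], $start, $end, $post['title']);
    $stmt->execute();
    return (int) $db->insert_id;
}
```

usDateToMysql('1-15-2008') and usDateToMysql('01-15-2008') both return '2008-01-15', while '42-75-2008' returns null before anything reaches the database.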