Andrew Ballard wrote:
All the more reason I would turn it into a timestamp or DateTime object in PHP first. That will prevent trying to insert something like what I used above. Then I would get rid of the MySQL STR_TO_DATE function in the $mysqli_insert_sql value and just replace it with something like this:

date('Y-m-d', $length_start)

If you enter it in that format, MySQL will get it right without regard to locale settings.

I hope that you are sanitizing the rest of the input as well, and not just shoving unchecked POST data into a database. Your example is a SQL injection attack waiting to be exploited.

Andrew

I'm running mysql_real_escape_string(); on all of the variables prior to inserting/updating them.
I don't see the point in needing to convert it to a timestamp. The length_start and length_end fields in MySQL are defined as date fields. All I care about is the date, not the hours/minutes/seconds. If I insert it as date('Y-m-d', $length_start) then when I SELECT it back out, I will still have to do a date conversion back to MM-DD-YYYY when I display it to the user.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
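
The approach discussed in this thread, as an added example that is not code from either poster: strictly parse the MM-DD-YYYY form value in PHP, store it as 'Y-m-d', and convert back for display. The function names and the table name `example_table` are hypothetical, and binding the values through a mysqli prepared statement is an assumption of this example.

```php
<?php
// Added example; function names and example_table are hypothetical.

// Parse a user-supplied MM-DD-YYYY string strictly; null means "reject".
function parseUsDate(string $input): ?DateTimeImmutable
{
    // '!' zeroes the time fields, so only the calendar date is carried.
    $dt = DateTimeImmutable::createFromFormat('!m-d-Y', $input);
    // The round-trip comparison rejects overflow dates such as 02-31-2010
    // (PHP would roll that over into March) and unpadded input like 3-5-2010.
    if ($dt === false || $dt->format('m-d-Y') !== $input) {
        return null;
    }
    return $dt;
}

// Convert a MySQL DATE value ('Y-m-d') back to MM-DD-YYYY for display.
function toDisplayDate(string $mysqlDate): string
{
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $mysqlDate);
    return $dt === false ? '' : $dt->format('m-d-Y');
}

// Insert both dates with bound parameters, so the values never become
// part of the SQL text. Not called below because it needs a live connection.
function insertLength(mysqli $db, DateTimeImmutable $start, DateTimeImmutable $end): bool
{
    $stmt = $db->prepare(
        'INSERT INTO example_table (length_start, length_end) VALUES (?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $s = $start->format('Y-m-d'); // locale-independent format MySQL accepts
    $e = $end->format('Y-m-d');
    $stmt->bind_param('ss', $s, $e);
    return $stmt->execute();
}

// Constructed sample inputs standing in for $_POST['length_start'].
$samples = ['03-15-2010', '02-31-2010', '3-5-2010', "03-15-2010' OR '1'='1"];
foreach ($samples as $raw) {
    $dt = parseUsDate($raw);
    $stored = $dt === null ? 'REJECTED' : $dt->format('Y-m-d');
    $shown = $dt === null ? '-' : toDisplayDate($stored);
    printf("%-24s stored=%-10s display=%s\n", $raw, $stored, $shown);
}
```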