Re: checking user input of MM-DD-YYYY

On Jan 15, 2008 1:31 PM, Adam Williams <awilliam@xxxxxxxxxxxxxxxx> wrote:

> Andrew Ballard wrote:
> > All the more reason I would turn it into a timestamp or DateTime
> > object in PHP first. That will prevent trying to insert something like
> > what I used above. Then I would get rid of the MySQL STR_TO_DATE
> > function in the $mysqli_insert_sql value just replace it with
> > something like this:
> >
> > date('Y-m-d', $length_start)
> >
> > If you enter it in that format MySQL will get it right without regard
> > to locale settings.
> >
> > I hope that you are sanitizing the rest of the input as well, and not
> > just shoving unchecked POST data into a database. Your example is a
> > SQL injection attack waiting to be exploited.
> >
> > Andrew
> >
> >
>
> I'm running mysql_real_escape_string(); on all of the variables prior to
> inserting/updating them.
>
> I don't see the point in needing to convert it to a timestamp.  The
> length_start and length_end fields in MySQL are defined as date fields.
> All I care about is the date, not the hours/minutes/seconds.  If I
> insert it as date('Y-m-d', $length_start) then when I SELECT it back
> out, I will still have to do a date conversion back to MM-DD-YYYY when I
> display it to the user.


You might want to ensure the syntactically correct date is also semantically
correct.
The code Jim posted will ensure the date entered by the user actually
exists.

Experiment with these two values using the code from his post.
$_POST['input'] = '10-10-2007';   // passes
$_POST['input'] = '20-10-2007';   // fails

-nathan
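The two checks the thread is circling (a syntactic check that the input has the MM-DD-YYYY shape, and a semantic check that the date actually exists) together with the round trip Adam asks about (store as Y-m-d, display as MM-DD-YYYY), as an added example. This is not Jim's or Nathan's code and not from the original thread; the function names, the `schedule` table and the `$pdo` PDO connection are assumptions made for illustration. Only the `length_start` DATE column comes from the thread.

```php
<?php
// Added example, not code from the thread. Validates an MM-DD-YYYY string
// both syntactically (shape) and semantically (the date exists), converts it
// to the locale-independent YYYY-MM-DD form a MySQL DATE column accepts, and
// converts it back for display. Function names, the table name "schedule"
// and the $pdo connection are assumptions for illustration.

function parse_mmddyyyy(string $input): ?string
{
    // Syntactic check: two digits, dash, two digits, dash, four digits, nothing else.
    if (!preg_match('/^(\d{2})-(\d{2})-(\d{4})$/', $input, $m)) {
        return null;
    }
    $mm   = (int) $m[1];
    $dd   = (int) $m[2];
    $yyyy = (int) $m[3];

    // Semantic check: checkdate() rejects month 20, Feb 30, Feb 29 in a
    // non-leap year, and so on. A regex alone cannot catch these.
    if (!checkdate($mm, $dd, $yyyy)) {
        return null;
    }

    // Normalized ISO form. MySQL parses 'YYYY-MM-DD' for a DATE column
    // regardless of the server's locale settings, so no STR_TO_DATE is needed.
    return sprintf('%04d-%02d-%02d', $yyyy, $mm, $dd);
}

// Display helper: turns the 'YYYY-MM-DD' value read back from the DATE
// column into the MM-DD-YYYY form the user entered.
function format_for_display(string $isoDate): string
{
    return DateTime::createFromFormat('Y-m-d', $isoDate)->format('m-d-Y');
}

// Constructed sample inputs, including Nathan's two values. The last one
// shows that the regex also shuts out anything that is not a bare date.
$samples = [
    '10-10-2007',                        // passes both checks
    '20-10-2007',                        // shape is fine, month 20 does not exist
    '02-29-2007',                        // 2007 is not a leap year
    '02-29-2008',                        // 2008 is, so this passes
    "10-10-2007'); DROP TABLE x; --",    // rejected before it reaches SQL
];
foreach ($samples as $s) {
    $iso = parse_mmddyyyy($s);
    printf("%-35s => %s\n", $s, $iso === null ? 'rejected' : $iso . ' (shown as ' . format_for_display($iso) . ')');
}

// Storing the value with a bound parameter, so the date string is never
// spliced into the SQL text; this makes escaping the value unnecessary.
// The table name and $pdo (an existing PDO connection) are assumptions.
function insert_length_start(PDO $pdo, string $userInput): bool
{
    $iso = parse_mmddyyyy($userInput);
    if ($iso === null) {
        return false;   // refuse invalid input rather than storing garbage
    }
    $stmt = $pdo->prepare('INSERT INTO schedule (length_start) VALUES (?)');
    return $stmt->execute([$iso]);
}
```

The point of the split is that each layer catches something the others do not: the regex pins the shape (and incidentally rejects injection payloads), checkdate() rejects well-formed dates that do not exist, and the prepared statement means the database never sees user text as SQL even if a later change loosens the first two checks.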
