
I have a problem selecting some dates; here are the HTML and PHP code:

    <div id="date">
        <form action="selectdate.php" method="POST">
            From date: <input type="date" name="date" required>
            <input type="date" name="referer" style="display: none" value="<?=$date?>">
            <br />
            <br />
            To date: <input type="date" name="date" required>
            <input type="date" name="referer" style="display: none" value="<?=$date?>">
            <input type="submit" name="submit" value="get data">
            <br />
        </form>
    </div>

and php

    $result = pg_exec("SELECT kv.ph, kv.date FROM public.kv WHERE date BETWEEN
        '" . $_POST['date'] . "' AND '" . $_POST['date'] . "' ORDER BY date");

The result is only one record, and it only shows the record from the last input date. I want to show the records between these two dates. One more question: why doesn't the WHERE operator work with text columns? I am using PHP 5.5. Big thanks in advance.

  • what if I POST date equal to now() and now() or false; drop table kv;--?.. Commented Nov 6, 2017 at 8:41
  • Sorry, but I am a newbie, I don't understand. Commented Nov 6, 2017 at 8:45
  • your concatenation is prone to SQL injection Commented Nov 6, 2017 at 8:46
  • @ejovrh2 you should use prepared statements: php.net/manual/en/mysqli.quickstart.prepared-statements.php Commented Nov 6, 2017 at 8:47

1 Answer


Your problem is in your HTML form: you are re-using name="date".

I'm not sure which field will actually give the value, but one of them will be overwriting the other, so you're essentially saying

select column from table where date between [date] and [same date]

Rename your fields to have unique names within the form (e.g. <input name="date_from" ...> and <input name="date_to" ...>) and use them as $_POST['date_from'] / $_POST['date_to'].

Beyond that, you also really need to look into using parameterised queries; as it stands, your code is incredibly vulnerable to injection attacks.

The PHP Postgres library comes with the handy pg_query_params function to pretty much deal with this for you.
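Putting both points together, here is an added example (not the answerer's code) of the handler behind selectdate.php with the fields renamed to date_from / date_to and the query rewritten around pg_query_params. It assumes the public.kv table from the question, a placeholder $conninfo connection string, and that valid_iso_date is a helper written here for the example.

```php
<?php
// Added example, not code from the question or the answer. Assumes the form
// now posts date_from and date_to (unique names, as the answer suggests) and a
// PostgreSQL connection string in $conninfo (placeholder values below).
$conninfo = 'host=localhost dbname=app user=app';  // placeholder, adjust to your setup
$conn = pg_connect($conninfo);
if ($conn === false) {
    exit('connection failed');
}

// Reject anything that is not a real YYYY-MM-DD date before it reaches the
// database. This is defence in depth: the bound parameters below already stop
// injection, but a clear 400 beats a confusing PostgreSQL type error.
function valid_iso_date(?string $s): bool {
    if ($s === null || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $s)) {
        return false;
    }
    [$y, $m, $d] = array_map('intval', explode('-', $s));
    return checkdate($m, $d, $y);
}

$from = $_POST['date_from'] ?? null;
$to   = $_POST['date_to'] ?? null;
if (!valid_iso_date($from) || !valid_iso_date($to)) {
    http_response_code(400);
    exit('both dates must be YYYY-MM-DD');
}

// $1 and $2 are placeholders filled by the driver. The values travel to the
// server separately from the SQL text, so quotes or semicolons in a posted
// value are just characters in a string, never part of the statement.
$sql = 'SELECT kv.ph, kv.date FROM public.kv
        WHERE kv.date BETWEEN $1 AND $2
        ORDER BY kv.date';
$result = pg_query_params($conn, $sql, [$from, $to]);
if ($result === false) {
    exit('query failed: ' . htmlspecialchars(pg_last_error($conn)));
}

// Escape on output as well, so stored values cannot inject HTML into the page.
while ($row = pg_fetch_assoc($result)) {
    echo htmlspecialchars($row['date']) . ': ' . htmlspecialchars($row['ph']) . "<br />\n";
}
```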
