Here's a hopefully simple question for a PHP/MySQL programmer:
I have a PHP page and I want to give it a date as a parameter. The page will then pull off of the database, all records with a matching date. The database field is called Playdate and the parameter is just date. I'd like the URL to look like
blahblahblah.php?date=20070112
So I thought I should be able to do something like
WHERE date_format(Playdate, '%Y%m%d') = $date"
But that doesn't pull any records.
Suggestions?
I don't know the answer to your question, but your code as written will make you vulnerable to an SQL injection attack.
blahblahblah.php?date=foo';DROP%20TABLE%20XXX
Does it help that the page uses read-only access and that there's nothing in the database that I care if people see?
Yeah, it helps. But avoiding that sort of thing is a good habit to get into.
While riding home, I think I figured out a simple way to avoid injection attacks: simply validate that the $date variable is exactly 8 numeric digits.
That should protect me, yes?
Thanks.
Annnnndddd... I think I figured out the answer to my original question. I had ORDER BY before the WHERE. By flipping them, I'm finally getting some data! Whee!
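The 8-digit check discussed above, combined with a bound query parameter, as an added example that is not code from any poster in this thread. The table name plays, the title column, the sample rows, and the use of PDO with an in-memory SQLite database (so the script runs without a MySQL server) are assumptions; Playdate is assumed to be a DATE column.

```php
<?php
// Added example: table "plays", column "title" and the rows are constructed.
// An in-memory SQLite database stands in for MySQL so the script runs offline.

function parsePlaydate(string $raw): ?string
{
    // \A and \z anchor the whole string; a bare $ would also accept "20070112\n".
    if (!preg_match('/\A(\d{4})(\d{2})(\d{2})\z/', $raw, $m)) {
        return null;
    }
    // Reject well-formed but impossible dates such as 20071399.
    if (!checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        return null;
    }
    return "$m[1]-$m[2]-$m[3]";   // ISO form, compared directly to the DATE column
}

function findByDate(PDO $db, string $raw): array
{
    $date = parsePlaydate($raw);
    if ($date === null) {
        return [];                 // caller can turn this into an HTTP 400
    }
    // The value travels as a bound parameter, never as part of the SQL text.
    // Note that WHERE comes before ORDER BY.
    $stmt = $db->prepare('SELECT title FROM plays WHERE Playdate = :d ORDER BY title');
    $stmt->execute([':d' => $date]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE plays (title TEXT, Playdate DATE)');
$db->exec("INSERT INTO plays VALUES ('Show A', '2007-01-12'), ('Show B', '2007-01-13')");

// Constructed inputs: one valid date, one with a trailing newline,
// one impossible date, and the injection string quoted in the thread.
foreach (['20070112', "20070112\n", '20071399', "foo';DROP TABLE XXX"] as $input) {
    printf("%-24s => %s\n", json_encode($input), json_encode(findByDate($db, $input)));
}
```

Comparing the column to a bound ISO date, instead of wrapping Playdate in date_format(), also lets the database use an index on Playdate.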
Interesting development:
Cisco may have lost rights to iPhone trademark last year and tried to extend the trademark with the patent office by slapping a sticker on an existing product.