Re: [PHP-DB] updating date field (PHP DB mailing list archive, November 2006)
Chris

2006-11-20, 6:58 pm


> if (isset($_POST['eMonth']) && $_POST['eMonth'] != '')
> $eMonth = $_POST['eMonth'];
> else $eMonth = '01';
>
> if (isset($_POST['eDay']) && $_POST['eDay'] != '')
> $eMonth = $_POST['eDay'];
> else $eMonth = '01';
>
> if (isset($_POST['eYear']) && $_POST['eYear'] != '')
> $eYear = $_POST['eYear'];
> else $eYear = '2007';



Can I suggest the use of curly braces? It's much easier to read:

if (isset($_POST['eYear']) && $_POST['eYear'] != '') {
    $eYear = (int)$_POST['eYear'];
} else {
    $eYear = '2007';
}

>
> $updateEventQuery = "UPDATE events SET EventDate = '$eYear-$eMonth-$eDay',
> AppliedFYE = '$appliedFYE', LocationID = '$eLocation', StartTime =
> '$eHour:$eMin $eAMPM', Type = '$eType', Format = '$eFormat', Description =
> '$eDescription', EventApproved = '$eApproved', EventOfficial = '$eOfficial',
> LastUpdateBy = '".$_SESSION['ContactID']."' WHERE EventID =
> '".$_GET['eventid']."'";



You have SQL injection bugs waiting to happen here.

Make sure the eventid is an integer at least:

...." . (int)$_GET['eventid'] . "'";

And I also suggest reading up about escaping strings
(http://php.net/mysql_real_escape_string &
http://php.net/mysql_escape_string).

Of course you might have taken all that out to post an easier example;
if that's the case, then ignore those comments ;)


> UPDATE events SET EventDate = '2006-10-10', AppliedFYE = '2007', LocationID
> = '14', StartTime = '5:00 PM', Type = '3', Format = 'BOARD', Description =
> 'Regular board meeting', EventApproved = '1', EventOfficial = '0',
> LastUpdateBy = '209' WHERE EventID = '54'
>
> When this query is actually run on the DB though, it queries with no errors,
> and all the data is saved/updated properly *except* the date - it becomes
> 0000-00-00.



I was going to suggest it's an invalid date format, but that looks fine.

What is EventDate? A date field, a timestamp, other?

--
Postgresql & php tutorials
http://www.designmagick.com/
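The escaping advice above, as an added example that is not code from the thread or the list: the UPDATE rewritten with mysqli prepared statements (assumed available; the original used the mysql_* functions), with the year/month/day validated before they reach the database. The connection `$db`, the request fields and `$_SESSION['ContactID']` are assumed from the thread's code.

```php
<?php
// Added example, not code from the thread: the same UPDATE done with mysqli
// prepared statements, so no $_GET/$_POST value is ever spliced into the SQL
// text. Table and column names follow the thread; the remaining columns
// (AppliedFYE, LocationID, ...) would be bound the same way as Description.

function buildEventDate(array $post): ?string
{
    // Same defaults as the original (01, 01, 2007), but validated first:
    // MySQL in non-strict mode stores an impossible date as 0000-00-00 with
    // only a warning, so reject it here rather than discover it afterwards.
    $year  = ($post['eYear']  ?? '') !== '' ? (int)$post['eYear']  : 2007;
    $month = ($post['eMonth'] ?? '') !== '' ? (int)$post['eMonth'] : 1;
    $day   = ($post['eDay']   ?? '') !== '' ? (int)$post['eDay']   : 1;
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    return sprintf('%04d-%02d-%02d', $year, $month, $day);
}

function updateEventDate(mysqli $db, int $eventId, string $eventDate,
                         string $description, int $updatedBy): bool
{
    // Placeholders replace every '$var' from the original query string.
    $stmt = $db->prepare(
        'UPDATE events SET EventDate = ?, Description = ?, LastUpdateBy = ? '
        . 'WHERE EventID = ?'
    );
    if ($stmt === false) {
        return false;
    }
    // s = string, i = integer; the values travel separately from the SQL text.
    $stmt->bind_param('ssii', $eventDate, $description, $updatedBy, $eventId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling; the connection $db and $_SESSION['ContactID'] are assumed.
$eventId = filter_input(INPUT_GET, 'eventid', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
$eventDate = buildEventDate($_POST);
if (!$eventId || $eventDate === null) {
    http_response_code(400);
    exit('invalid event id or date');
}
$ok = updateEventDate($db, $eventId, $eventDate,
                      (string)($_POST['eDescription'] ?? ''), (int)$_SESSION['ContactID']);
```

Rejecting an impossible date before the query runs also keeps a silent 0000-00-00 from being written when the server is not in strict mode.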
John Pillion

2006-11-21, 3:56 am

[sorry, I failed to cc the list]


>You have sql injection bugs waiting to happen here.
>
> make sure the eventid is an integer at least:
>
> ..." . (int)$_GET['eventid'] . "'";
>
> And I also suggest reading up about escaping strings
> (http://php.net/mysql_real_escape_string &
> http://php.net/mysql_escape_string).



Thanks, I'll take care of that.




> I was going to suggest it's an invalid date-format but that looks fine.
>
> What is eventdate? a date field, a timestamp, other ?



It's a date field. I'm doing the same thing with other tables, and don't
have any trouble when inserting the date; it seems to only be when
updating. I've even tried doing the query from phpMyAdmin - and again,
it seems to execute OK, and doesn't return any errors, but the date gets
lost. I haven't tried updating *only* the date field from phpMyAdmin - I'll
try that tomorrow.

Chris

2006-11-21, 3:56 am

John Pillion wrote:
> [sorry, I failed to cc the list]
>
> Thanks, I'll take care of that.
>
> It's a date field. I'm doing the same thing with other tables, and don't
> have any trouble when inserting the date, it seems to only be when
> updating. I've even tried doing the query from the phpMyAdmin - and again,
> it seems to execute ok, and doesn't return any errors, but the date gets
> lost. I haven't tried updating *only* the date field from phpMyAdmin - I'll
> try that tomorrow


Another thing to check - does it have a default on that field? Maybe try
removing that and see what happens?

--
Postgresql & php tutorials
http://www.designmagick.com/
Copyright 2008 codecomments.com