[thelist] FPDF+sql command error

Noah St. Amand noah at tookish.net
Wed Oct 24 11:45:31 CDT 2007

jothi jothi wrote:
>> My codes are as bellows:
>> $sql = "SELECT Node_ID ,Date, AVG(voltage),AVG(Temper), AVG(light),AVG(accel_x), AVG(accel_y), AVG(mag_x), AVG(mag_y), AVG(mic) from suhu where Date >'{$_POST['year']}-01-01' and Date <= '{$_POST['year']}-12-31'
>> group by `Date`,Node_ID ";

Aside from the problem you're having making the query work, it's 
generally a very bad idea to include raw post data in a query. At the 
very least, you should sanitize the year:

$year = mysql_real_escape_string($_POST['year']);

. . . then use "$year" in your query rather than $_POST['year'].

If you wanted to go a little further, you could make sure that 
$_POST['year'] is a four digit integer that is, for example, larger than 
1990 and smaller than next year (I have no idea what you're actually 
storing, so that may be impractical, but something like that should be 


More information about the thelist mailing list