[thelist] FPDF+sql command error
Noah St. Amand
noah at tookish.net
Wed Oct 24 11:45:31 CDT 2007
jothi jothi wrote:
>> My code is as below:
>>
>> $sql = "SELECT Node_ID ,Date, AVG(voltage),AVG(Temper), AVG(light),AVG(accel_x), AVG(accel_y), AVG(mag_x), AVG(mag_y), AVG(mic) from suhu where Date >'{$_POST['year']}-01-01' and Date <= '{$_POST['year']}-12-31'
>> group by `Date`,Node_ID ";
Aside from the problem you're having making the query work, it's
generally a very bad idea to include raw post data in a query. At the
very least, you should sanitize the year:
$year = mysql_real_escape_string($_POST['year']);
. . . then use "$year" in your query rather than $_POST['year'].
If you wanted to go a little further, you could make sure that
$_POST['year'] is a four digit integer that is, for example, larger than
1990 and smaller than next year (I have no idea what you're actually
storing, so that may be impractical, but something like that should be
feasible).
Cheers,
Noah
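As an added illustration (not code from Noah's reply or the original poster), here is the validation Noah suggests, with the year bound as a query parameter through PDO prepared statements instead of being escaped and spliced into the SQL string; it assumes a PDO connection $pdo to the database holding the `suhu` table from the quoted query.

```php
<?php
// Added example, not from the original post: validate the submitted year
// strictly, then bind it as a parameter rather than interpolating it.
// Assumes $pdo is an existing PDO connection to the database with `suhu`.

// Return the year as an int if it is exactly four digits and within
// [1990, next year]; otherwise return null.
function validateYear(string $raw): ?int
{
    // ctype_digit rejects signs, whitespace, decimals and empty strings.
    if (!ctype_digit($raw) || strlen($raw) !== 4) {
        return null;
    }
    $year = (int) $raw;
    $nextYear = (int) date('Y') + 1;
    if ($year < 1990 || $year > $nextYear) {
        return null;
    }
    return $year;
}

function yearlyAverages(PDO $pdo, int $year): array
{
    // Same table and columns as the quoted query; the date bounds are bound
    // as parameters, so no request data is ever part of the SQL text.
    $sql = 'SELECT Node_ID, Date, AVG(voltage), AVG(Temper), AVG(light),
                   AVG(accel_x), AVG(accel_y), AVG(mag_x), AVG(mag_y), AVG(mic)
            FROM suhu
            WHERE Date > :start AND Date <= :end
            GROUP BY `Date`, Node_ID';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':start' => sprintf('%04d-01-01', $year),
        ':end'   => sprintf('%04d-12-31', $year),
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$year = validateYear($_POST['year'] ?? '');
if ($year === null) {
    http_response_code(400);
    exit('year must be a four-digit value between 1990 and next year');
}
// $pdo is assumed to have been created earlier, e.g. new PDO($dsn, $user, $pass).
$rows = yearlyAverages($pdo, $year);
```

Because the validated value is an int built from digits only, the escaping step becomes unnecessary, and the prepared statement protects the query even if the validation rules are later relaxed.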