Andrew Ballard wrote:
> All the more reason I would turn it into a timestamp or DateTime
> object in PHP first. That will prevent trying to insert something like
> what I used above. Then I would get rid of the MySQL STR_TO_DATE
> function in the $mysqli_insert_sql value and just replace it with
> something like this:
>
> date('Y-m-d', $length_start)
>
> If you enter it in that format MySQL will get it right without regard
> to locale settings.
>
> I hope that you are sanitizing the rest of the input as well, and not
> just shoving unchecked POST data into a database. Your example is a
> SQL injection attack waiting to be exploited.
>
> Andrew

I'm running mysql_real_escape_string(); on all of the variables prior to
inserting/updating them.
I don't see the point in needing to convert it to a timestamp. The
length_start and length_end fields in MySQL are defined as date fields.
All I care about is the date, not the hours/minutes/seconds. If I
insert it as date('Y-m-d', $length_start) then when I SELECT it back
out, I will still have to do a date conversion back to MM-DD-YYYY when I
display it to the user.
--
PHP General Mailing List (http://www.php.net/)
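
The two points discussed in this thread (normalising the user's MM-DD-YYYY date in PHP before it reaches MySQL, and keeping POST data out of the SQL text) are shown together in the following added example, which is not code from either poster. The function names and the table name `events` are hypothetical, and it uses mysqli bound parameters rather than the `mysql_real_escape_string()` call mentioned above.

```php
<?php
declare(strict_types=1);

/**
 * Parse a user-supplied MM-DD-YYYY string strictly.
 * Returns null for anything that is not a real calendar date.
 */
function parseUserDate(string $input): ?DateTimeImmutable
{
    // '!' resets unspecified fields (the time) to zero instead of "now".
    $dt = DateTimeImmutable::createFromFormat('!m-d-Y', $input);
    if ($dt === false) {
        return null;
    }
    // createFromFormat rolls overflow forward (02-30-2009 becomes 03-02-2009),
    // so format the result again and require an exact match with the input.
    return $dt->format('m-d-Y') === $input ? $dt : null;
}

/** Convert a MySQL DATE value (Y-m-d) back to MM-DD-YYYY for display. */
function displayDate(string $mysqlDate): string
{
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $mysqlDate);
    return $dt === false ? '' : $dt->format('m-d-Y');
}

/**
 * Insert with bound parameters; the values never become part of the SQL text.
 * The table name `events` is hypothetical; the column names are from the thread.
 */
function insertRange(mysqli $db, DateTimeImmutable $start, DateTimeImmutable $end): bool
{
    $stmt = $db->prepare('INSERT INTO events (length_start, length_end) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $s = $start->format('Y-m-d');   // locale-independent format MySQL accepts for DATE
    $e = $end->format('Y-m-d');
    $stmt->bind_param('ss', $s, $e);
    return $stmt->execute();
}

// Constructed sample inputs, not taken from the thread.
foreach (['03-15-2009', '02-30-2009', "03-15-2009' OR '1'='1", '15-03-2009'] as $raw) {
    $d = parseUserDate($raw);
    printf("%-24s => %s\n", $raw, $d ? $d->format('Y-m-d') : 'rejected');
}
echo displayDate('2009-03-15'), "\n";
```

Only the first sample input is accepted; the impossible date, the input with trailing SQL, and the day-first string are all rejected before any query is built.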