0

I have a form that posts to createcsv.php. The form has two fields "entmonth" and "entyear". I am having trouble in createcsv.php where "entmonth" pulls correctly, but "entyear" doesn't seem to pull the $_POST['entyear'] variable. I have some input and need to know where I have gone wrong in these lines of code.

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB"); 
$entmonh='$_POST[entmonth]';
$entyear='$_POST[entyear]';
$select = "SELECT * FROM POs WHERE entmonth = '$entmonth' AND entyear = '$entyear'";
Vinith
  • 1,264
  • 14
  • 25
  • $entmonth and $entyear contain strings rather than assignation – Royal Bg Nov 25 '13 at 15:34
  • you should post also the html. And with a code like that, you will have a lot of bad comments about using mysql_ instead of mysqli_ – Asenar Nov 25 '13 at 15:34
  • 2
    Also note that it's a bad idea to put POST variables in an SQL query. This allows to SQL Injection Attacks. Look into mysqli with parameterized queries instead. – Johan van der Slikke Nov 25 '13 at 15:36
  • 1
    Please, before you write **any** more SQL interfacing code, you must read up on [proper SQL escaping](http://bobby-tables.com/php) to avoid severe [SQL injection bugs](http://bobby-tables.com/). Also, `mysql_query` should not be used in new applications. It's a deprecated interface that's being removed from future versions of PHP. A modern replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/). A guide like [PHP The Right Way](http://www.phptherightway.com/) will help you avoid making mistakes like this. – tadman Nov 25 '13 at 15:44
  • Please stop writing new `mysql_*` code, these functions are deprecated and pending removal. Please use `mysqli_*` or read up on PDO. – lampwins Nov 25 '13 at 15:57

3 Answers

6

Remove the single quotes from $entmonh='$_POST[entmonth]'; and do it like this below:

$entmonth=$_POST['entmonth'];   // no single quotes around $_POST, and the variable name matches the one used in the query
$entyear=$_POST['entyear'];

Disclaimer: Make use of Prepared Statements to avoid SQL Injection Attacks.

Shankar Narayana Damodaran
  • 68,075
  • 43
  • 96
  • 126
  • Absolutely perfect. Thank you. Would you please explain why my original attempt did not work? I'd like to learn as I go. – user2516979 Nov 25 '13 at 15:39
  • Read up on how [strings work in PHP](http://php.net/manual/en/language.types.string.php). Single quotes are for literal text. – tadman Nov 25 '13 at 15:44
  • You had enclosed the `$_POST` variable under single quotes which will not parse the content inside your `$_POST` var. If you had used double quotes it would have worked. – Shankar Narayana Damodaran Nov 25 '13 at 15:48
  • But the code is still vulnerable to SQL injection. Please, @user2516979, use Lohardt's code instead of just copy-pasting this answer. – Marcel Korpel Nov 25 '13 at 15:50
  • @user2516979, since you are in a learning phase, make use of Prepared Statements. Start here: http://php.net/manual/en/pdo.prepared-statements.php – Shankar Narayana Damodaran Nov 25 '13 at 15:55
1

Yes you could use:

$entmonth=$_POST['entmonth'];   // array keys belong in quotes; the variable name must match the one used in the query
$entyear=$_POST['entyear'];

as others have said.

But you should try and use mysqli or PDO instead, because you are working with an outdated php module and your method is also insecure. Here is a link to a good tutorial: http://net.tutsplus.com/tutorials/php/pdo-vs-mysqli-which-should-you-use/

An example from the link, a simple connection with named parameters to protect your database from injections:

$pdo = new PDO("mysql:host=localhost;dbname=database", 'username', 'password');

$params = array(':username' => 'test', ':email' => $mail, ':last_login' => time() - 3600);

// prepare() returns a PDOStatement; execute() is called on that statement, not on the PDO object
$stmt = $pdo->prepare('
   SELECT * FROM users
   WHERE username = :username
   AND email = :email
   AND last_login > :last_login');

$stmt->execute($params);
Lohardt
  • 1,057
  • 1
  • 12
  • 26
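The poster's own POs lookup written with PDO prepared statements, as an added example that is not part of the question or of any answer: the host, database name and credentials are placeholders, the table and column names are the ones from the question, and the inputs are range-checked before they reach the database.

```php
<?php
// Added example (not from the question or any answer): the POs lookup from the
// question using a PDO prepared statement. DSN and credentials are placeholders.
function fetchPurchaseOrders(PDO $pdo, array $post): array
{
    // Validate before querying: a month is 1..12 and a year is a four-digit
    // number. filter_var() returns false for a missing key or any other value.
    $month = filter_var($post['entmonth'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 12]]);
    $year  = filter_var($post['entyear'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1900, 'max_range' => 2100]]);
    if ($month === false || $year === false) {
        throw new InvalidArgumentException('entmonth/entyear missing or out of range');
    }

    // The SQL text is fixed. The values travel separately as parameters, so
    // they are never parsed as part of the statement, whatever they contain.
    $stmt = $pdo->prepare(
        'SELECT * FROM POs WHERE entmonth = :entmonth AND entyear = :entyear'
    );
    // execute() binds the values as strings, matching the quoted literals
    // in the original query.
    $stmt->execute([':entmonth' => $month, ':entyear' => $year]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ERRMODE_EXCEPTION makes failures throw instead of being silently ignored;
// emulated prepares off means MySQL itself handles the placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DATABASE_NAME;charset=utf8mb4', // placeholder DSN
    'DB_USER',      // placeholder
    'DB_PASSWORD',  // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

foreach (fetchPurchaseOrders($pdo, $_POST) as $row) {
    // Escape on output as well: values read back from the database are not
    // safe to echo into HTML unescaped.
    echo htmlspecialchars(implode(', ', $row), ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The range check rejects bad input before any database round trip, and the prepared statement makes the query text independent of the input, which is the protection the comments above are asking for.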
1

If you insist on using the now deprecated mysql_* plugin, please at least do it this way:

mysql_connect($host, $username, $password)or die("cannot connect"); 
mysql_select_db($db_name)or die("cannot select DB"); 

// escape after connecting: mysql_real_escape_string() needs the open connection's charset
$entmonth = mysql_real_escape_string($_POST['entmonth']);
$entyear = mysql_real_escape_string($_POST['entyear']);

$select = "SELECT * FROM POs WHERE entmonth = '$entmonth' AND entyear = '$entyear'";

This will provide some protection against SQL injection.

But please do not write new code this way. Use mysqli_* or learn PDO (or prepared statements with mysqli).

lampwins
  • 920
  • 1
  • 9
  • 25