-1

im trying to apply filters to my query based on the pages URL. However it doesn't seem to be returning the correct data from my database.

    if ( $_GET['from'] == '' && $_GET['to'] == '' ) {
    $query = 'SELECT * FROM mhs_dashboard_revenue';
    echo 'none';
} else if ( $_GET['from'] == '' && $_GET['to'] != '' ) {
    $query = 'SELECT * FROM mhs_dashboard_revenue WHERE DateOfData BETWEEN 20150101 AND "$_GET[to]"';
    echo 'to';
} else if ( $_GET['from'] != '' && $_GET['to'] == '' ) {
    $query = 'SELECT * FROM mhs_dashboard_revenue WHERE DateOfData BETWEEN "$_GET[from]" AND 20900101';
    echo 'from';
} else if ( $_GET['from'] != '' && $_GET['to'] != '' ) {
    $query = 'SELECT * FROM mhs_dashboard_revenue WHERE DateOfData BETWEEN "$_GET[from]" AND "$_GET[to]"';
    echo 'both';
}

$result = mysqli_query($connection, $query);

$totalChampagne = 0;
$totalSpirts = 0;
$totalWine = 0;
$total = 0;

while($row = mysqli_fetch_assoc($result)) { ?>

<?php 

    $totalChampagne = $totalChampagne + $row['ChampagneValue']; 
    $totalSpirts = $totalSpirts + $row['SpirtsValue']; 
    $totalWine = $totalWine + $row['WineValue']; 
    $total =  $totalChampagne + $totalSpirts + $totalWine; 

?>

<!--
    <p>Id: <?php //echo $row['ID']; ?></p>
    <p>Date of: <?php //echo $row['DateOfData']; ?></p>
    <p>Champagne: <?php //echo $row['ChampagneValue']; ?></p>
    <p>Spirts: <?php //echo $row['SpirtsValue']; ?></p>
    <p>Wine: <?php //echo $row['WineValue']; ?></p>
    <hr>
-->

<?php } ?>

<p>Champagne Total = &pound;<?php echo $totalChampagne; ?></p>
<p>Spirts Total = &pound;<?php echo $totalSpirts; ?></p>
<p>Wine Total = &pound;<?php echo $totalWine; ?></p>
<p>Total = &pound;<?php echo $total; ?></p>

I've added echo's in each IF to make sure my values are being received and I can see the echo's in the right place based on the url.

The URL looks like - revenue_feed.php?from=20160101&to=20161115, which is a date formatted without the hyphens as when I tested it manually inputting the date hyphens broke it.

I hope it is a simple fix however I can't seem to work it out. All help is greatly appreciated.

laurent
  • 88,262
  • 77
  • 290
  • 428
Matt Hammond
  • 765
  • 1
  • 7
  • 25
  • This approach makes your application _wide open_ to sql injection attacks. Please learn about the security benefits of using "prepared statements" in combination with "parameter binding". That details is a _must_, it is not "nice to have". – arkascha Nov 15 '16 at 17:20
  • @arkascha Thank you, I am aware however it will be a closed site so sqi injection shouldnt be an issue, however If need I will escape the strings? – Matt Hammond Nov 15 '16 at 17:21
  • 1
    No, do not escape manually. As written: use "prepared statements" in combination with "parameter binding". And _please_ do not postpone that because "it is not required right now". You will certainly _not_ go through all your applications and change everything again later, once everything works. Do it _now_, it does not take longer. – arkascha Nov 15 '16 at 17:23
  • 4
    *"revenue_feed.php?from=20160101&to=20161115, which is a date formatted without the hyphens as when I tested it manually inputting the date hyphens broke it."* - then MySQL thought you were trying to do math (as in minus). If your date columns are of a `date` type, the format it is saved as is `YYYY-mm-dd` and if you were doing `from=2016-01-01` the this tells me that you need to quote your values. Checking for errors on the query would have told you about it also. – Funk Forty Niner Nov 15 '16 at 17:23
  • ^ you want that as an answer? because that's what's going on here. – Funk Forty Niner Nov 15 '16 at 17:25
  • @Fred-ii- I changed the query from single quotes to double and then wrapped the $_GET in single quotes. This seemed to fix the problem. Weird :) Thank you for your help however! – Matt Hammond Nov 15 '16 at 17:30
  • @Fred-ii- Thank you, I wasnt aware the quotes was the problem or I would have found that post. Thank you! – Matt Hammond Nov 15 '16 at 17:33
  • @Fred-ii- do you want me to remove my post? – Matt Hammond Nov 15 '16 at 17:35
  • that's entirely up to you. If you feel the answer given below didn't (also) solve it, then you can try deleting the question. Just don't accept it "just cuz" if it didn't ;-) – Funk Forty Niner Nov 15 '16 at 17:35

1 Answers1

1

For PHP variables to be interpreted, you need to put them inside double quotes (not single quotes as you did for the SQL queries). But in any case, your code is open to SQL injections and should be avoided.

Instead you could use prepared queries, which would give you something like this:

$sql = 'SELECT * FROM mhs_dashboard_revenue WHERE DateOfData BETWEEN ? AND 20900101';

$stmt = mysqli_prepare($connection, $sql);
mysqli_stmt_bind_param($stmt, "s", $_GET[from]);
mysqli_stmt_execute($stmt);
laurent
  • 88,262
  • 77
  • 290
  • 428
  • 1
    `BETWEEN "?"` are you 100% sure about that? – Funk Forty Niner Nov 15 '16 at 17:24
  • *"not single quotes as you did for the SQL queries)"*. that's ironic, yet you posted `BETWEEN "?"` you really believe that will work, huh? I sincerely doubt it, unless this is some kind of "guru prepared statement" I'm not aware of. – Funk Forty Niner Nov 15 '16 at 17:30
  • I mean the whole string needs to be in double quotes so that stuff like `"this is $myvar"` work. But that's beside the point since he should be using prepared statements so I left the string inside single quotes. Also yes I missed the double-quotes around the question mark. – laurent Nov 15 '16 at 17:33
  • *`"this is $myvar" work`* well sure it works; in PHP, not in MySQL/prepared statements. Those are two different animals altogether. – Funk Forty Niner Nov 15 '16 at 17:34