0

I am attempting to run the above statement from an onclick() event of a button. I can echo my variables $qtr, $saleqtr, $startdate, $enddate on screen, but for some reason the SQL statement that I am attempting to throw together never echoes (nor does it execute, which is why I want to see the string).

Do I have a simple syntax mistake or is the issue elsewhere?

<?php
    if (isset($_POST['submit'])) {
        $saleqtr = $_POST['qtr'];
        if ($saleqtr == "first") { $startdate = '20150101'; $enddate = '20150331'; }
        if (isset($startdate) && isset($enddate)) {
            $customername = $_POST['customer'];
            $option = array();
            $option['driver'] = 'mssql';
            $option['host'] = 'X';
            $option['user'] = 'user';
            $option['password'] = 'pass';
            $option['database'] = 'db';
            $option['prefix'] = '';
            $db = JDatabase::getInstance($option);
            $sql = $db->getquery(true);
            // The query object above is immediately overwritten by a plain string
            // that interpolates $startdate and $enddate directly into the SQL.
            $sql = "SELECT Top 1 name from name where hiredate >= '$startdate' And hiredate <= '$enddate'";
        }
        // $sql is only defined when the inner if block ran.
        echo $sql;
    }
?>

EDIT
Below is my click event

<body>
    <form method="POST">
        <input type="submit" name="submit" value="Click Me">
    </form>
</body>
  • Let's see your `onclick()` function. If it doesn't use AJAX you cannot call PHP code from it. – Jay Blanchard Jul 18 '17 at 15:12
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 18 '17 at 15:12
  • @JayBlanchard - see edit is that what you are after? – BellHopByDayAmetuerCoderByNigh Jul 18 '17 at 15:15
  • @JayBlanchard - this is not for a forward facing site - so I am not too concerned about SQL Injection (maybe I should be).... – BellHopByDayAmetuerCoderByNigh Jul 18 '17 at 15:15
  • Possible duplicate of [Reference - What does this error mean in PHP?](https://stackoverflow.com/questions/12769982/reference-what-does-this-error-mean-in-php) – BenRoob Jul 18 '17 at 15:17
  • 2
    If you don't have time to do it right the first time, when will you find the time to add it later? I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. – Jay Blanchard Jul 18 '17 at 15:19
  • What handles the click event you're generating? Is there an opening form tag? – Jay Blanchard Jul 18 '17 at 15:20
  • @JayBlanchard - yes, copy/paste error. See edit. – BellHopByDayAmetuerCoderByNigh Jul 18 '17 at 15:23
  • Nothing in your form indicates what handles the click event. Is there some JavaScript involved? – Jay Blanchard Jul 18 '17 at 15:32
  • @JayBlanchard - if I remove all the syntax from the php block and just add in if (isset($_POST['submit'])) { echo "You pressed the button"; } - I get the echo on screen, so I know the button is being pressed. Something just seems off with the php. I verified through SSMS that it is a valid SQL string also. – BellHopByDayAmetuerCoderByNigh Jul 18 '17 at 15:37

1 Answer

0

When you call `$db->getquery(true);` you are creating a Joomla query object; that object has a `__toString()` function, so the below should work for you.

echo $sql->__toString();

EDIT

Try this.

$sql = $db->getquery(true);
// select() appends its argument to the SELECT clause of the query object;
// the dates are still interpolated into the string here.
$sql->select("Top 1 name from name where hiredate >= '$startdate' And hiredate <= '$enddate'");

echo $sql->__toString();
Sean Jermey
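The same hire-date lookup built as a prepared statement, added here as an example that is not part of the question or the answer. It assumes PDO's sqlsrv driver, the name/hiredate table from the question and placeholder connection details, and extends the quarter table beyond the 'first' range the question shows (the other three ranges are assumed).

```php
<?php
// Added example (not from the question or answer): the quarter lookup as a
// PDO prepared statement instead of string interpolation.
// Assumptions: pdo_sqlsrv, a table "name" with columns name/hiredate, and the
// placeholder DSN/user/password below.

// Whitelist of quarter selectors. Only 'first' comes from the question; the
// remaining ranges are assumed. Anything not in this table is rejected.
const QUARTERS = [
    'first'  => ['20150101', '20150331'],
    'second' => ['20150401', '20150630'],
    'third'  => ['20150701', '20150930'],
    'fourth' => ['20151001', '20151231'],
];

// Returns [sql, params], or null for an unknown quarter. The SQL text is
// fixed; the dates travel separately as bound parameters.
function buildHireQuery(string $qtr): ?array {
    if (!array_key_exists($qtr, QUARTERS)) {
        return null;
    }
    [$start, $end] = QUARTERS[$qtr];
    $sql = 'SELECT TOP 1 name FROM name WHERE hiredate >= :startdate AND hiredate <= :enddate';
    return [$sql, [':startdate' => $start, ':enddate' => $end]];
}

if (isset($_POST['submit'])) {
    $built = buildHireQuery((string)($_POST['qtr'] ?? ''));
    if ($built === null) {
        http_response_code(400);
        exit('Unknown quarter selected.');
    }
    [$sql, $params] = $built;

    // Debug echo of the statement: placeholders only, never user input.
    echo htmlspecialchars($sql), "\n";

    // Placeholder connection settings (not taken from the page).
    $dsn = 'sqlsrv:Server=HOST_PLACEHOLDER;Database=db';
    $pdo = new PDO($dsn, 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side parameter binding
    ]);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    echo $row ? htmlspecialchars($row['name']) : 'No match.';
}
```

Because the quarter is resolved through the whitelist and the dates are bound rather than spliced in, the posted value can no longer change the shape of the statement, which is the risk the comments above point at.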