
I have an SQL query in PHP where I am trying to pass a number into the where clause. If I pass the variable it doesn't work, however if I enter the variable manually it does work.

I tried converting to int and it still won't work.

 $numYear = '2017';
 $numMonth = '3';

 $query_select = "SELECT date, url, EXTRACT(YEAR FROM date) AS numYear, EXTRACT(MONTH FROM date) AS numMonth, MONTHNAME(date) AS nameMonth FROM pages WHERE (url LIKE 'newspage/%' AND url NOT LIKE 'newspage/') AND (YEAR(date) = '.$numYear.' AND MONTH(date) = '.$numMonth.' ) ORDER BY date DESC LIMIT 1";

Have I forgotten something?

GiarcTNA
  • Learn about prepared statements to prevent SQL injection – Jens Jan 30 '18 at 06:21
  • Just remove `.`. There is no need to use `.` as you have used `"` – Jigar Shah Jan 30 '18 at 06:21
  • Possible duplicate of [How can prepared statements protect from SQL injection attacks?](https://stackoverflow.com/questions/8263371/how-can-prepared-statements-protect-from-sql-injection-attacks) – Blue Jan 30 '18 at 06:25

2 Answers


Maybe you have just used a dot, so:

$query_select = "SELECT url, summary, page_name, created_date, EXTRACT(YEAR FROM created_date) AS numYear, EXTRACT(MONTH FROM created_date) AS numMonth, MONTHNAME(created_date) AS nameMonth FROM pages WHERE (url LIKE 'news/%' AND url NOT LIKE 'news/') AND (YEAR(created_date) = '$numYear' AND MONTH(created_date) = '$numMonth' ) AND active = 1 ORDER BY created_date DESC LIMIT 1";

Check this.

P.S. You should use prepared statements.

Bits Please
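The fix that the comments and this answer point to, as an added example that is not part of the question or either answer: the question's query rewritten with a PDO prepared statement and bound integer parameters, so the values never enter the SQL string and the `'.$numYear.'` concatenation mistake cannot occur. The database name, the placeholder credentials and the use of `$_GET` for the year and month are assumptions; the `pages` table and its `date` and `url` columns are taken from the question.

```php
<?php
// Added example, not code from the question or the answers.
// Assumes a MySQL database `app` with the question's `pages` table.
declare(strict_types=1);

function latestNewsPage(PDO $pdo, int $numYear, int $numMonth): ?array
{
    // Named placeholders instead of concatenation: the values are sent
    // separately from the statement, so they cannot change its structure.
    $sql = "SELECT date, url,
                   EXTRACT(YEAR FROM date)  AS numYear,
                   EXTRACT(MONTH FROM date) AS numMonth,
                   MONTHNAME(date)          AS nameMonth
            FROM pages
            WHERE (url LIKE 'newspage/%' AND url NOT LIKE 'newspage/')
              AND YEAR(date) = :year AND MONTH(date) = :month
            ORDER BY date DESC
            LIMIT 1";

    $stmt = $pdo->prepare($sql);
    // Bind as integers; with emulated prepares off, MySQL receives them typed.
    $stmt->bindValue(':year', $numYear, PDO::PARAM_INT);
    $stmt->bindValue(':month', $numMonth, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Validate the request parameters before they reach the query: anything
// that is not a plausible integer year/month is rejected, not coerced.
$numYear  = filter_var($_GET['year'] ?? '2017', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1970, 'max_range' => 2100]]);
$numMonth = filter_var($_GET['month'] ?? '3', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 12]]);
if ($numYear === false || $numMonth === false) {
    http_response_code(400);
    exit('invalid year or month');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER',   // placeholders
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]   // real server-side prepares
);

$page = latestNewsPage($pdo, $numYear, $numMonth);
var_dump($page);
```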

Datetime in a where clause.

A datetime value would have "" or '' around it:

$DATE = "2017-12-31";
// the date value is wrapped in single quotes inside the SQL string
$sql = "SELECT * FROM Table WHERE date = '" . $DATE . "' ORDER BY date ASC";

or

$DATE = "'" . "2017-12-31" . "'";   // the quotes become part of the value
$sql = 'SELECT * FROM Table WHERE date = ' . $DATE . ' ORDER BY date ASC';
ucode