
I know I'm doing it wrong because I edited this from just a name search. Can someone help me figure out what I'm doing wrong? Tried searching but nothing shows up.

    <form name="frmSearch" method="get" action="<?=$_SERVER['SCRIPT_NAME'];?>">
      <table class="table table-bordered">
        <tr>
          <th>Search by date
          <input name="ftxtKeyword" type="date" id="ftxtKeyword" value="<?=$_GET["ftxtKeyword"];?>"> Between
          <input name="btxtKeyword" type="date" id="btxtKeyword" value="<?=$_GET["btxtKeyword"];?>">
          <input type="submit" class="btn btn-primary" value="Search">
          </th>
        </tr>
      </table>
    </form>

    <?
    if($_GET["ftxtKeyword"] != "")
        {
        $objConnect = mysql_connect("localhost","root","1234") or die("Error Connect to Database");
        $objDB = mysql_select_db("mydatabase");
        $strSQL = "SELECT * FROM service WHERE Service_date BETWEEN ".$_GET["ftxtKeyword"]." AND ".$_GET["btxtKeyword"]."";
        $objQuery = mysql_query($strSQL) or die ("Error Query [".$strSQL."]");
        ?>
Noman
  • `echo $strSQL;` = debug – Mittul At TechnoBrave Mar 15 '18 at 13:02
  • Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in new code **[this happens](https://media.giphy.com/media/kg9t6wEQKV7u8/giphy.gif)** it is deprecated and has been for years and is gone for ever in PHP7. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions and prepared statements. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly Mar 15 '18 at 13:02
  • You are missing `}` and wide open to sql injection. – Noman Mar 15 '18 at 13:03

2 Answers


Your SQL statement is not quoting the dates correctly.

Instead of

    $strSQL = "SELECT * FROM service WHERE Service_date BETWEEN ".$_GET["ftxtKeyword"]." AND ".$_GET["btxtKeyword"]."";

Change it to

    $strSQL = "SELECT * FROM service WHERE Service_date BETWEEN '".$_GET["ftxtKeyword"]."' AND '".$_GET["btxtKeyword"]."'";

Few things to note:

  1. Do take @RiggsFolly's suggestion into account... do not use deprecated functions, as when you eventually move to a server (or upgrade PHP to a higher version), you will run into a lot of headaches.

  2. Avoid using PHP short tags for echos. Instead of `<?=` use `<?php echo`. Why? Think what might happen when you move your code to an environment where the php.ini settings have the short tags turned off?... headaches.

  3. In general, I would recommend using POST as a form's method instead of GET; when you use GET, you expose the params etc. right in the URL when you hit the submit button... and

  4. Do not use POST or GET values directly within your SQL statement. Use prepared statements and always sanitize user inputs... As a golden rule of thumb: NEVER trust the user :)

Rushikumar

Dates, assuming they are in the right format, need to be in quotes like this

    BETWEEN '".$_GET["ftxtKeyword"]."' AND '".$_GET["btxtKeyword"]."'";

The right format would be YYYY-MM-DD

RiggsFolly
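An added example (not code from the question or from either answer) of the prepared-statement approach the comments and the first answer recommend, combined with the YYYY-MM-DD check from the second answer. It assumes PDO with an in-memory SQLite database and constructed rows so that it runs without a MySQL server; `parseDate` and `searchByDate` are hypothetical helper names.

```php
<?php
// Added example: the question's date-range search with PDO and bound parameters.
// Assumption: in-memory SQLite with constructed rows stands in for `mydatabase`;
// for MySQL only the DSN and credentials passed to new PDO(...) change.

/** Return $value if it is a real calendar date in YYYY-MM-DD form, else null. */
function parseDate(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    // The round trip rejects trailing characters (stray quotes included)
    // and overflowed dates such as 2018-02-30.
    return ($d !== false && $d->format('Y-m-d') === $value) ? $value : null;
}

/** Rows whose Service_date lies in [from, to]; inputs are bound, never concatenated. */
function searchByDate(PDO $pdo, ?string $from, ?string $to): array
{
    $from = parseDate($from);
    $to   = parseDate($to);
    if ($from === null || $to === null) {
        return []; // missing or malformed input: run no query at all
    }
    $stmt = $pdo->prepare(
        'SELECT * FROM service WHERE Service_date BETWEEN :from AND :to ORDER BY Service_date'
    );
    $stmt->execute([':from' => $from, ':to' => $to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE service (id INTEGER PRIMARY KEY, Service_date TEXT)');
$pdo->exec("INSERT INTO service (Service_date) VALUES ('2018-03-01'), ('2018-03-15'), ('2018-04-02')");

// Constructed inputs standing in for $_GET['ftxtKeyword'] and $_GET['btxtKeyword'].
$rows = searchByDate($pdo, '2018-03-01', '2018-03-31');
echo count($rows), " row(s) in range\n";

// Wrong format (not YYYY-MM-DD): rejected before any SQL is executed.
$rows = searchByDate($pdo, '03/15/2018', '2018-03-31');
echo count($rows), " row(s) for malformed input\n";
```

Because the values reach the database only as bound parameters, the quoting problem from the question cannot occur, and the format check keeps non-date input from reaching the query.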