
On page load, the MySQL query is:

$today = date('D, d M, Y');
$sql = "SELECT * FROM programs WHERE singleday = '$today' AND city = 'New York'";

And I have a calendar; when the date is changed, I want to pick the data and display it according to the date:

<form method="post">
  <input align="center" type="text" id="picker" 
    onchange="this.form.submit()" name="picker" size="30"/>
</form>

and

$sql = "SELECT * FROM programs 
  WHERE singleday = '$_POST[picker]' AND city = 'New York'";

So what I need is: when going to New York, I want to show today's data, and when changing the calendar date, show the data for that particular date, on the same page.

Please help

Johan
  • Please take some care into choosing a descriptive title, formatting your code and phrasing your problem. I have tried to make sense of what you are saying, but am having a pretty hard time doing so. If you phrase your problem in such a way that others understand it within a matter of seconds, you will receive higher quality answers. – Aron Rotteveel May 06 '11 at 07:41
  • Btw, if you checked if $_POST['picker'] existed, then you could use either of the SQL statements. You can check it exists with isset. – BugFinder May 06 '11 at 07:48
  • Is this homework? I've seen a few questions around this vague use case lately. – Lightness Races in Orbit May 06 '11 at 09:09

2 Answers


I see 3 obvious options:

  1. when the date changes, it posts the form and reloads the whole page.
  2. have the date part in an iframe, so it only reloads the date part, but works like option 1 essentially
  3. ajax, so the date changes, triggers a call to send back data you load into a defined area


BugFinder
  • To which option? I'm guessing the ajax one. See http://stackoverflow.com/questions/5647904/how-to-call-multiple-ajax-functions-to-php-without-repeating-code/5647934#5647934 – BugFinder May 06 '11 at 07:45

You can't always get what you want [...] but sometimes you get what you need --Mick Jagger

See "How does the SQL injection from the "Bobby Tables" XKCD comic work?" for an explanation of SQL injections.

You have a SQL-injection hole in the following code:

$sql = "SELECT * FROM programs 
  WHERE singleday = '$_POST[picker]' AND city = 'New York'";

Change it to:

$mydate = mysql_real_escape_string($_POST['picker']);
$sql = "SELECT * FROM programs 
  WHERE singleday = '$mydate' AND city = 'New York'";
//                  ^       ^ these quotes must be there to be protected.
Johan
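
An added example, not code from the question or either answer: it combines the isset() check from the comments with a bound-parameter query through PDO, swapped in for mysql_real_escape_string() because the mysql_* extension was removed in PHP 7. The `title` column, the sample rows, the helper names and the in-memory SQLite database (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example: constructed schema and rows; SQLite in memory stands in for MySQL.
const DAY_FORMAT = 'D, d M, Y';   // same format the question passes to date()

// Return the submitted date if it is a well-formed day string, else today's date.
function selected_day(array $post): string
{
    $today = date(DAY_FORMAT);
    if (!isset($post['picker']) || !is_string($post['picker'])) {
        return $today;                       // first page load: nothing posted yet
    }
    $parsed = DateTime::createFromFormat('!' . DAY_FORMAT, $post['picker']);
    // Round-trip check rejects trailing junk and impossible dates.
    if ($parsed === false || $parsed->format(DAY_FORMAT) !== $post['picker']) {
        return $today;
    }
    return $post['picker'];
}

function programs_for(PDO $db, string $day, string $city): array
{
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare(
        'SELECT title FROM programs WHERE singleday = :day AND city = :city'
    );
    $stmt->execute([':day' => $day, ':city' => $city]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE programs (title TEXT, singleday TEXT, city TEXT)');
$insert = $db->prepare('INSERT INTO programs VALUES (?, ?, ?)');
$insert->execute(['Today show', date(DAY_FORMAT), 'New York']);
$insert->execute(['Archive show', 'Fri, 06 May, 2011', 'New York']);

// Constructed requests: no post, a valid pick, and an injection attempt.
$requests = [[], ['picker' => 'Fri, 06 May, 2011'], ['picker' => "x' OR '1'='1"]];
foreach ($requests as $post) {
    $day = selected_day($post);
    echo $day, ' => ', implode(', ', programs_for($db, $day, 'New York')), PHP_EOL;
}
```

The third request falls back to today's date because the posted string does not parse as a day in the expected format, and even if it had reached the query it would only have been compared as a literal value.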