TalkPHP
01-08-2009, 02:53 PM   #1
code_junkie (The Contributor; Join Date: Sep 2008; Posts: 39; Thanks: 9)
Search by date range problem

I have a script that searches by date range; it works great. However, being in the new year, I noticed that if I do a search from 08 to 09 it doesn't return any results, but if I search in just 08 or just 09 it returns results correctly. Any ideas?
__________________
Trying to learn all I can about PHP. Teach me what you know...
01-08-2009, 03:01 PM   #2
Enfernikus (The Addict; Join Date: Jun 2008; Posts: 335; Thanks: 2)

Can you please post the script so we can see the problem?
01-08-2009, 03:51 PM   #3
code_junkie (The Contributor; Join Date: Sep 2008; Posts: 39; Thanks: 9)

HTML:
Code:
<form action="search_results.php" method="post" name="search_form">
  <div class="row">
    <div class="report_title"><p>Start Date:</p></div>
    <div class="report_field"><p><input name="date_start" type="text" id="date_start" maxlength="8" /></p></div>
  </div>
  <div class="form_padding"></div>
  <div class="row">
    <div class="report_title"><p>End Date:</p></div>
    <div class="report_field"><p><input name="date_end" type="text" id="date_end" maxlength="8" /></p></div>
  </div>
  <div class="form_padding"></div>
  <div class="row">
    <div class="report_title"><p>&nbsp;</p></div>
    <div class="report_field"><p><input type="reset" value="Reset" name="reset" />  <input type="submit" name="submit" value="Submit" /></p></div>
  </div>
  <div class="clear"></div>
</form>
PHP:
Code:
$MM_username = $_SESSION['MM_Username'];
error_reporting(E_ALL);
ini_set('display_errors', '1');

// paging: 100 rows per page, page number taken from the query string
$maxRows_Recordset1 = 100;
$pageNum_Recordset1 = 0;
if (isset($_GET['pageNum_Recordset1'])) {
  $pageNum_Recordset1 = $_GET['pageNum_Recordset1'];
}
$startRow_Recordset1 = $pageNum_Recordset1 * $maxRows_Recordset1;

mysql_select_db($database_Company, $Company);
// the session value is interpolated unquoted, and the two form fields are
// concatenated straight into the SQL text (this is the query discussed below)
$query_Recordset1 = "SELECT * FROM call_in,drivers,company WHERE call_in.company_id = $MM_username AND call_in.company_id = company.company_id AND call_in.driver_id = drivers.driver_id AND call_in.date BETWEEN '" . $_POST['date_start'] . "' AND '" . $_POST['date_end'] . "' ORDER BY call_in.date DESC";
// %d forces the paging values to integers before they reach the LIMIT clause
$query_limit_Recordset1 = sprintf("%s LIMIT %d, %d", $query_Recordset1, $startRow_Recordset1, $maxRows_Recordset1);
$Recordset1 = mysql_query($query_limit_Recordset1, $Company) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);

// total row count: reuse the value passed in the URL, otherwise run the unpaged query
if (isset($_GET['totalRows_Recordset1'])) {
  $totalRows_Recordset1 = $_GET['totalRows_Recordset1'];
} else {
  $all_Recordset1 = mysql_query($query_Recordset1);
  $totalRows_Recordset1 = mysql_num_rows($all_Recordset1);
}
// pages are numbered from 0, hence the -1
$totalPages_Recordset1 = ceil($totalRows_Recordset1/$maxRows_Recordset1)-1;
01-08-2009, 04:27 PM   #4
Scottymeuk (The Contributor; Join Date: Jan 2009; Posts: 40; Thanks: 10)

I really hope you're not using that code live, as it's so insecure.
01-08-2009, 04:32 PM   #5
code_junkie (The Contributor; Join Date: Sep 2008; Posts: 39; Thanks: 9)

No. How would I secure it? I'm not that familiar with PHP.
01-08-2009, 08:04 PM   #6
Scottymeuk (The Contributor; Join Date: Jan 2009; Posts: 40; Thanks: 10)

You need to secure all of the $_POST and $_GET methods. An example is below (please note that the mysql function I am using is the minimum you need to do. You should do a lot more, and I'm sure if you search here you will find some tutorials on it. Search for XSS protection or something):

PHP Code:
$theGet = mysql_real_escape_string($_GET['theGet']);
01-08-2009, 08:41 PM   #7
sketchMedia (The Prestige; Advanced Programmer, Top Contributor, Good Samaritan; Join Date: Oct 2007; Location: Manchester, UK; Posts: 854; Thanks: 32)

Quote:
Search for XSS protection or something
You mean SQL injection. XSS (Cross Site Scripting) is when you allow a malicious user to enter unclean data (usually containing JavaScript code) to your site, which is then in turn displayed (at some point) to an unsuspecting user, allowing the attacker to send sensitive data from that user (like cookies) elsewhere. SQL injection is where you allow a malicious user to 'inject' his own SQL commands through an unprotected SQL query (such as the one posted above).

I think these articles may help you understand:
Securing your MySQL Queries with Sprintf
How to Login to Any Account on an Insecure Site
http://www.tizag.com/mysqlTutorial/m...-injection.php

Also, I advise that you turn error reporting off in a live server environment; don't make the hacker's life easy by giving him feedback on his attempts (which in essence is what happens with errors).

Anyway, to the problem. Is your database stripping off the preceding zero? I say this because you are sending both 09 and 08 in the BETWEEN statement as strings (wrapped in single quotes), thus the db will be comparing:

the string "08" and the integer 8
and so on and so forth.

In other words, what's the column's data type, and what does it currently hold?
__________________
mysql> SELECT * FROM `users` WHERE `users`.`clue` > 0;
Empty set (0.00 sec)
The Following 2 Users Say Thank You to sketchMedia For This Useful Post:
code_junkie (01-09-2009), Scottymeuk (01-08-2009)
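The injection sketchMedia points at in the posted query (two form fields and a session value spliced into the SQL string) goes away once those values are bound as parameters rather than concatenated. The script below is an added example, not code from the thread or from code_junkie's application: it rebuilds the query from post #3 with PDO prepared statements against an in-memory SQLite database filled with constructed rows, so it runs offline, and it replaces the mysql_* functions, which no longer exist in PHP 7. Table and column names follow the posted query; the explicit JOIN form, the company id 7, the row contents, the ISO (YYYY-MM-DD) layout of the date column and the isIsoDate() allow-list check on the form fields are the example's own assumptions.

```php
<?php
// Added example, not code from the thread. Constructed tables and rows in an
// in-memory SQLite database stand in for the poster's MySQL schema; only the
// table and column names come from the posted query.

function openSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE company (company_id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec('CREATE TABLE drivers (driver_id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec('CREATE TABLE call_in (id INTEGER PRIMARY KEY, company_id INTEGER,
                                      driver_id INTEGER, date TEXT)');
    // constructed sample data; the date column is assumed to hold ISO dates
    $pdo->exec("INSERT INTO company VALUES (7, 'Sample Haulage')");
    $pdo->exec("INSERT INTO drivers VALUES (1, 'A. Driver')");
    $pdo->exec("INSERT INTO call_in VALUES (1, 7, 1, '2008-12-25'),
                                          (2, 7, 1, '2009-01-09'),
                                          (3, 8, 1, '2009-01-05')");
    return $pdo;
}

/** Allow-list: a form field is only used if it looks like an ISO date. */
function isIsoDate(string $s): bool
{
    return (bool) preg_match('/^\d{4}-\d{2}-\d{2}$/', $s);
}

/**
 * The range search from post #3 with every external value bound as a parameter.
 * $companyId is the session value (cast to int by the caller), the dates are
 * the two POST fields, $page is the GET paging value. None of them is ever
 * part of the SQL text, so a quote or keyword in a field cannot change the query.
 */
function searchCalls(PDO $pdo, int $companyId, string $dateStart, string $dateEnd,
                     int $page = 0, int $perPage = 100): array
{
    if (!isIsoDate($dateStart) || !isIsoDate($dateEnd)) {
        return [];   // reject malformed input instead of sending it to the database
    }
    $sql = 'SELECT call_in.id, call_in.date, drivers.name AS driver
              FROM call_in
              JOIN company ON call_in.company_id = company.company_id
              JOIN drivers ON call_in.driver_id = drivers.driver_id
             WHERE call_in.company_id = :company
               AND call_in.date BETWEEN :start AND :end
             ORDER BY call_in.date DESC
             LIMIT :limit OFFSET :offset';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':company', $companyId, PDO::PARAM_INT);
    $stmt->bindValue(':start', $dateStart, PDO::PARAM_STR);
    $stmt->bindValue(':end', $dateEnd, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $page * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = openSampleDb();

// Normal use: the two rows for company 7 between Christmas 2008 and 9 January 2009.
// In the real script the first argument would be (int) $_SESSION['MM_Username'].
print_r(searchCalls($pdo, 7, '2008-12-25', '2009-01-09'));

// A field carrying a stray quote: with the posted string-concatenated query this
// would break the SQL statement; here it fails the format check and no query is sent.
print_r(searchCalls($pdo, 7, "2008-12-25'", '2009-01-09'));
```

The two defences are independent and both worth keeping: the allow-list stops nonsense from reaching the database at all, and the prepared statement guarantees that whatever does reach it is treated as a value, never as SQL. With ERRMODE_EXCEPTION set, database errors surface as exceptions to be logged server-side rather than echoed to the browser, which is the error-reporting point made above.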
01-08-2009, 08:58 PM   #8
Scottymeuk (The Contributor; Join Date: Jan 2009; Posts: 40; Thanks: 10)

Quote:
Originally Posted by sketchMedia
You mean SQL injection. XSS (Cross Site Scripting) is when you allow a malicious user to enter unclean data (usually containing JavaScript code) to your site, which is then in turn displayed (at some point) to an unsuspecting user, allowing the attacker to send sensitive data from that user (like cookies) elsewhere. SQL injection is where you allow a malicious user to 'inject' his own SQL commands through an unprotected SQL query (such as the one posted above).

I think these articles may help you understand:
Securing your MySQL Queries with Sprintf
How to Login to Any Account on an Insecure Site
http://www.tizag.com/mysqlTutorial/m...-injection.php

Also, I advise that you turn error reporting off in a live server environment; don't make the hacker's life easy by giving him feedback on his attempts (which in essence is what happens with errors).

Anyway, to the problem. Is your database stripping off the preceding zero? I say this because you are sending both 09 and 08 in the BETWEEN statement as strings (wrapped in single quotes), thus the db will be comparing:

the string "08" and the integer 8
and so on and so forth.

In other words, what's the column's data type, and what does it currently hold?

Yeah, my bad. I was thinking of XSS mainly as I was just trying it out on a script. Sorry.
01-08-2009, 10:12 PM   #9
sketchMedia (The Prestige; Advanced Programmer, Top Contributor, Good Samaritan; Join Date: Oct 2007; Location: Manchester, UK; Posts: 854; Thanks: 32)

Quote:
Yeah, my bad. I was thinking of XSS mainly as I was just trying it out on a script. Sorry.
Hehe, no probs mate, we all make mistakes.
It's hard to keep up with all these acronyms!
01-09-2009, 12:55 PM   #10
code_junkie (The Contributor; Join Date: Sep 2008; Posts: 39; Thanks: 9)

Quote:
Originally Posted by sketchMedia
You mean SQL injection. XSS (Cross Site Scripting) is when you allow a malicious user to enter unclean data (usually containing JavaScript code) to your site, which is then in turn displayed (at some point) to an unsuspecting user, allowing the attacker to send sensitive data from that user (like cookies) elsewhere. SQL injection is where you allow a malicious user to 'inject' his own SQL commands through an unprotected SQL query (such as the one posted above).

I think these articles may help you understand:
Securing your MySQL Queries with Sprintf
How to Login to Any Account on an Insecure Site
http://www.tizag.com/mysqlTutorial/m...-injection.php

Also, I advise that you turn error reporting off in a live server environment; don't make the hacker's life easy by giving him feedback on his attempts (which in essence is what happens with errors).

Anyway, to the problem. Is your database stripping off the preceding zero? I say this because you are sending both 09 and 08 in the BETWEEN statement as strings (wrapped in single quotes), thus the db will be comparing:

the string "08" and the integer 8
and so on and so forth.

In other words, what's the column's data type, and what does it currently hold?
Thanks for the links, I'll read up on those as soon as I can. As for the db, there is a field for date. I guess I should have used the whole thing in my question. The dates are displayed as 12252008 or 1092009.
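The values in the reply above (12252008 and 1092009) read as month, day and year run together, with the leading zero of a January date gone, which is exactly the leading-zero symptom sketchMedia was probing with the data-type question. The script below is an added example, not code from the thread: it takes that layout as an assumption and shows how the same search range behaves when the column is compared as an integer, as a string and as a real date. The function names (betweenAsInts, parseCompactMdy, toIsoDate and so on) and the sample rows are the example's own; it needs PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example, not code from the thread. Assumption (read off the values
// "12252008" and "1092009" in post #10): the date column holds month, day and
// year as one run of digits, and a leading zero on the month is dropped, so
// 9 January 2009 is stored as 1092009 and 25 December 2008 as 12252008.

/** How an INT column compares: numerically, with the leading zero gone. */
function betweenAsInts(string $value, string $start, string $end): bool
{
    $n = (int) $value;
    return $n >= (int) $start && $n <= (int) $end;
}

/** How a VARCHAR column compares: byte by byte from the left. */
function betweenAsStrings(string $value, string $start, string $end): bool
{
    return strcmp($value, $start) >= 0 && strcmp($value, $end) <= 0;
}

/**
 * Turn the compact form into a real date. Pads a 7-digit value back to 8,
 * parses it as mdY, and rejects anything that does not round-trip
 * (month 13, day 32, non-digits). Returns null for unusable input.
 */
function parseCompactMdy(string $value): ?DateTimeImmutable
{
    if (!preg_match('/^\d{7,8}$/', $value)) {
        return null;
    }
    $padded = str_pad($value, 8, '0', STR_PAD_LEFT);          // 1092009 -> 01092009
    $dt = DateTimeImmutable::createFromFormat('!mdY', $padded); // '!' zeroes the time part
    return ($dt !== false && $dt->format('mdY') === $padded) ? $dt : null;
}

/** ISO form (Y-m-d) ready for a DATE column, or null if the input is not a date. */
function toIsoDate(string $value): ?string
{
    $dt = parseCompactMdy($value);
    return $dt === null ? null : $dt->format('Y-m-d');
}

/** How a DATE column compares: in calendar order, which is what the form means. */
function betweenAsDates(string $value, string $start, string $end): bool
{
    $v = parseCompactMdy($value);
    $s = parseCompactMdy($start);
    $e = parseCompactMdy($end);
    if ($v === null || $s === null || $e === null) {
        return false;
    }
    return $v >= $s && $v <= $e;
}

/** Print one table: every stored value against one start/end pair, three ways. */
function showRange(array $stored, string $start, string $end): void
{
    printf("\nrange %s .. %s (%s .. %s)\n", $start, $end, toIsoDate($start), toIsoDate($end));
    printf("%-10s %-8s %-8s %-8s\n", 'stored', 'int', 'string', 'date');
    foreach ($stored as $value) {
        printf("%-10s %-8s %-8s %-8s\n",
            $value,
            betweenAsInts($value, $start, $end) ? 'match' : '-',
            betweenAsStrings($value, $start, $end) ? 'match' : '-',
            betweenAsDates($value, $start, $end) ? 'match' : '-');
    }
}

// Constructed rows in the stored layout: 1 Dec 2008, 25 Dec 2008, 5 Jan 2009, 9 Jan 2009.
$stored = ['12012008', '12252008', '1052009', '1092009'];

// Within 2008 only (1 Oct .. 31 Dec): the integer order happens to agree with the calendar,
// the string order already does not.
showRange($stored, '10012008', '12312008');

// Across the year boundary (1 Dec 2008 .. 9 Jan 2009): the start value is numerically
// larger than the end value, so BETWEEN on the raw digits matches nothing.
showRange($stored, '12012008', '01092009');
```

If the column is an integer, a range inside one year works by accident: a 7-digit January-to-September value is always below an 8-digit October-to-December one, and within each group the month and day digits sort chronologically. As soon as the range crosses New Year the December start is a bigger number than the January end and BETWEEN returns nothing, which is the behaviour reported in the first post. As a string the comparison is wrong even within a year, because byte order puts "1092009" between "10012008" and "12312008". The durable fix is a DATE column, filled once from toIsoDate() and then queried with ISO dates bound as parameters.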
01-09-2009, 04:13 PM   #11
Scottymeuk (The Contributor; Join Date: Jan 2009; Posts: 40; Thanks: 10)

Use:

PHP Code:
$date = date('Y', $dbRow['date']);
to be able to get the year from the timestamp. Not sure if that's what you need, but it should help if you do.

Last edited by Scottymeuk : 01-09-2009 at 04:45 PM.
01-09-2009, 04:36 PM   #12
sketchMedia (The Prestige; Advanced Programmer, Top Contributor, Good Samaritan; Join Date: Oct 2007; Location: Manchester, UK; Posts: 854; Thanks: 32)

What is the column's datatype?