In article <OFE319C366.FA3FA287-ON85256F0E.006E3CA7-85256F0E.006F04C1@stripped>,
SGreen@stripped writes:
> Don't do an "@usrDays", just stick the number in there so that the
> statement you create looks exactly like the one you tested with.
> If you get a "number" from a user from a form, just put that value into
> the string. For instance if the user enters 43 into a field on the first
> page, put 43 into the query.
> Let's imagine that you get the value 43 into a variable (off of the
> request) called $daterange...
> and let's imagine that you build your query into a variable called $query
> I think this is how you would build the correct query (my PHP is rusty):
> $query = "SELECT DateEntry from Entry_table WHERE DateEntry >=
> DATE_SUB(CURDATE(), INTERVAL ". $daterange." day)";
> See? Pretend you are a typist and BUILD the string as you want it
> executed. Then do it.
I think this is bad advice, even for a novice like Stuart, because it
is susceptible to SQL injection attacks. I don't know if PHP has
prepared statements like Perl DBI; if not, $daterange should either be
quoted or checked in PHP if it's really a number.
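PHP does have prepared statements (mysqli and PDO both provide them). Below is an added example, not code from either poster, showing the two defences the reply names applied to the quoted query: the value is first checked to be a whole number of days, then bound as an integer parameter rather than concatenated into the SQL text. It assumes the `Entry_table`/`DateEntry` names from the quoted query, a mysqli connection (the host, user, password and database names are placeholders), that the value arrives as `$_GET['daterange']`, and an upper bound of 3650 days chosen here for illustration.

```php
<?php
// Added example for the thread above (not the original poster's code).
// Assumes: MySQL table Entry_table with column DateEntry (from the quoted
// query), the value arriving as $_GET['daterange'], and placeholder
// connection credentials.

// Accept only a string made entirely of digits, inside an assumed range.
// ctype_digit rejects "", "-1", "43.5" and anything with trailing SQL text,
// so the caller never sees a value that is not a plain non-negative integer.
function validate_day_range(string $raw): ?int
{
    $raw = trim($raw);
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    $days = (int) $raw;
    // Upper bound (about ten years) is an assumption for this example.
    return ($days >= 1 && $days <= 3650) ? $days : null;
}

$daterange = validate_day_range($_GET['daterange'] ?? '');
if ($daterange === null) {
    http_response_code(400);
    exit('daterange must be a whole number of days');
}

// Placeholder credentials; replace with the real connection settings.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db->connect_error) {
    http_response_code(500);
    exit('database connection failed');
}

// Prepared statement: the '?' is a bound parameter, so the number is sent
// separately from the SQL text and can never change the query's structure.
$stmt = $db->prepare(
    'SELECT DateEntry FROM Entry_table '
    . 'WHERE DateEntry >= DATE_SUB(CURDATE(), INTERVAL ? DAY)'
);
$stmt->bind_param('i', $daterange);   // 'i' = bind as integer
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo $row['DateEntry'], "\n";
}

$stmt->close();
$db->close();
```

The two steps are independent: the integer check alone would already close the hole in the quoted string-building approach, and the bound parameter alone would too. Using both is the usual practice, because the validation also gives the user a clear error for bad input instead of a silently empty result set.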