
In a webshop admin, I am listing out the orders from SQL. Here, I also have a search form, where I type in a keyword and start the search.

Now, I added a date from and a date end input to the form. How can I add these to the SQL select if the admin enters the dates, not just the keyword?

<td style="text-align: center;">
    <input type="text" name="date_from" value="<?php if(isset($_POST['date_from'])) { echo htmlspecialchars($_POST['date_from'], ENT_QUOTES, 'UTF-8');} ?>" size="7"  class="datepicker">
    <span> - </span>
    <input type="text" name="date_end" value="<?php if(isset($_POST['date_end'])) { echo htmlspecialchars($_POST['date_end'], ENT_QUOTES, 'UTF-8');} ?>" size="7"  class="datepicker">
</td>

$sql = "SELECT rendeles_user_id , rendeles_id, nev, status, vegosszeg,br_vegosszeg, datum, ido, egyeb FROM rendeles_adatok WHERE $kereses_helye LIKE '%$kw%' ORDER BY $kereses_rendezes $kereses_sorrend";

$kereses_helye means where I want to search (user name, order id, email...).

1
  • Where are you assigning $kereses_helye? Show the complete code or this is not something that can really be helped. Make sure you have the form sending and receiving the data. This is too hard to follow right now. Commented Dec 16, 2017 at 11:19

1 Answer

1

You could build the where clause before the SQL statement based upon the existence of POST date values - it's not pretty, and this and the original code are vulnerable to SQL injection. I assumed (probably incorrectly) in the query that the column datum was a date column in the db.

$where = !empty( $_POST['date_from'] ) && !empty( $_POST['date_end'] ) ? "where `$kereses_helye` like '%$kw%' and `datum` between '{$_POST['date_from']}' and '{$_POST['date_end']}' " : "where `$kereses_helye` like '%$kw%'";

$sql = "select 
    rendeles_user_id,
    rendeles_id,
    nev,
    status,
    vegosszeg,
    br_vegosszeg,
    datum,
    ido,
    egyeb 
    from rendeles_adatok 
    {$where}
    order by $kereses_rendezes $kereses_sorrend";

2 Comments

But if date_from is empty, and date_end is not empty?
!empty( $_POST['date_from'] ) && !empty( $_POST['date_end'] ) ~ it should require both be NOT empty to proceed
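
An added example, not code from the question or the answer: the same search built with allow-listed column names and bound values, so neither the keyword nor the dates reach the SQL text, and each date filter applies on its own when only one is filled in. The function name `buildOrderSearch`, the allow-list contents, the `Y-m-d` date format and the in-memory SQLite demo rows are assumptions made for illustration.

```php
<?php
// Added example: allow-listed identifiers plus bound values for the order search.
// Column names come from the question; allow-lists, function name and sample rows are assumptions.
function buildOrderSearch(array $in): array
{
    $searchable = ['nev', 'rendeles_id', 'rendeles_user_id'];   // assumed searchable columns
    $sortable   = ['datum', 'rendeles_id', 'vegosszeg'];         // assumed sortable columns

    // Identifiers cannot be bound as parameters, so accept only known names.
    $col   = in_array($in['kereses_helye'] ?? '', $searchable, true) ? $in['kereses_helye'] : 'nev';
    $order = in_array($in['kereses_rendezes'] ?? '', $sortable, true) ? $in['kereses_rendezes'] : 'datum';
    $dir   = strtoupper($in['kereses_sorrend'] ?? '') === 'ASC' ? 'ASC' : 'DESC';

    $where  = ["$col LIKE :kw"];
    $params = [':kw' => '%' . ($in['kw'] ?? '') . '%'];

    // Each date is optional on its own; anything that is not a real Y-m-d date is ignored.
    foreach (['date_from' => '>=', 'date_end' => '<='] as $field => $op) {
        $raw = $in[$field] ?? '';
        $d = is_string($raw) ? DateTime::createFromFormat('!Y-m-d', $raw) : false;
        if ($d !== false && $d->format('Y-m-d') === $raw) {
            $where[] = "datum $op :$field";
            $params[":$field"] = $raw;
        }
    }

    $sql = 'SELECT rendeles_user_id, rendeles_id, nev, status, vegosszeg, br_vegosszeg, datum, ido, egyeb'
         . ' FROM rendeles_adatok WHERE ' . implode(' AND ', $where)
         . " ORDER BY $order $dir";
    return [$sql, $params];
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE rendeles_adatok (rendeles_user_id INT, rendeles_id INT, nev TEXT, status TEXT,
            vegosszeg INT, br_vegosszeg INT, datum TEXT, ido TEXT, egyeb TEXT)');
$pdo->exec("INSERT INTO rendeles_adatok VALUES
    (1, 100, 'Kiss Anna', 'uj', 1000, 1270, '2017-12-01', '10:00', ''),
    (2, 101, 'Kiss Bela', 'uj', 2000, 2540, '2017-12-15', '11:00', '')");

// Only date_from is set in the first search; the second keyword is a quote-breaking string that stays inert.
foreach ([['kw' => 'Kiss', 'date_from' => '2017-12-10'], ['kw' => "' OR '1'='1"]] as $post) {
    [$sql, $params] = buildOrderSearch($post);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    echo count($stmt->fetchAll(PDO::FETCH_ASSOC)), " row(s): $sql\n";
}
```

In the admin page the function would be called with `$_POST`, and the resulting statement prepared on the application's own database connection.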
