rotaour Posted April 14, 2005 Share Posted April 14, 2005 I've got this code; if(($HTTP_POST_VARS['clear_CC'] == 'on') && ($invoicenumbers != '')) { tep_db_query("update " . TABLE_ORDERS . " set cc_number = '' where orders_id in (" . tep_db_input($invoicenumbers) . ") "); } elseif (($HTTP_POST_VARS['clear_CC'] == 'on') && (isset($HTTP_POST_VARS['startdate'])) && (isset($HTTP_POST_VARS['enddate']))) { tep_db_query("update " . TABLE_ORDERS . " set cc_number = '' where date_purchased between " . $HTTP_POST_VARS['startdate'] . " and " . $HTTP_POST_VARS['enddate'] . "23:59:59"); //tep_db_query("update " . TABLE_ORDERS . " set cc_number = '' where date_purchased between " . tep_db_input($startdate) . " and " . tep_db_input($enddate) . "23:59:59"); } The 'if' condition works fine, but when all the conditions are met for the 'elseif' I get this error; 1064 - You have an error in your SQL syntax near '23:59:59' at line 1 update orders set cc_number = '' where date_purchased between 2005-04-13 and 2005-04-14 23:59:59 [TEP STOP] Im not sure whats going on. The code I gleaned this from is; if ($invoicenumbers != '') { $orders_query = tep_db_query("select o.orders_id,h.comments,MIN(h.date_added) from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_STATUS_HISTORY . " h where o.orders_id in (" . tep_db_input($invoicenumbers) . ") and h.orders_id = o.orders_id" . $pull_w_status . $get_customer_comments . ' group by o.orders_id'); } else { $orders_query = tep_db_query("select o.orders_id,h.comments,MIN(h.date_added) from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_STATUS_HISTORY . " h where o.date_purchased between '" . tep_db_input($startdate) . "' and '" . tep_db_input($enddate) . "23:59:59' and h.orders_id = o.orders_id" . $pull_w_status . $get_customer_comments . ' group by o.orders_id'); } and it all works fine. Anyone see any glaring syntax problems? I'll post additional info if needed. Thanks Matt Mika Installed Contributions: Multi-Stores, QTPro, CCGV(trad), Batch Print, EasyPopulate, Simple Manual Order Entry, Encrypting Credit Card Via Mcrypt, UPSXML, Down for Maintenance, On The Fly GD Thumbs, SPPC, SPPC Hide, and various personal tweaks Link to comment Share on other sites More sharing options...
Jeremy at oddly enough Posted April 15, 2005 Share Posted April 15, 2005 I'd say the colons are causing the problem. If you notice in the code you used as an example, the time is enclosed in a double and single quote, but you code leaves it open. You might want to check the syntax on using time as a condition. Jeremy Link to comment Share on other sites More sharing options...
FalseDawn Posted April 15, 2005 Share Posted April 15, 2005 Jeremy is correct. Also, you should never, ever use raw GET, POST or cookie data in any kind of query - As a minimum, wrap the values in tep_db_input, preferably validate the values first as well. If this is on the admin side, and your admin is pwd protected, that's not so bad - if it's on your catalog side, it needs fixing. Do a google on "sql injection attacks" for why. Link to comment Share on other sites More sharing options...
Guest Posted April 15, 2005 Share Posted April 15, 2005 Looks to me like you are missing an operator: Here is a fragment from what you have posted: $HTTP_POST_VARS['enddate'] . "23:59:59"); I would think you need something like: $HTTP_POST_VARS['enddate'] . "= " . "23:59:59"); You should also be able to assign the result of the SQL expression to a variable then echo that to the screen so you can see the result more clearly. Hope this helps. Link to comment Share on other sites More sharing options...
rotaour Posted April 15, 2005 Author Share Posted April 15, 2005 Thanks for the replies guys. I was pretty sure it was the colons causing the problem and it was. I messed around with the quotes(some more) and came up with this which works! WooHoo!, but boy did I spent way too much time on this when I knew it was a stupid syntax issue... // Clear Credit Card if(($HTTP_POST_VARS['clear_CC'] == 'on') && ($invoicenumbers != '')) { tep_db_query("update " . TABLE_ORDERS . " set cc_number = '' where orders_id in (" . tep_db_input($invoicenumbers) . ") "); } elseif (($HTTP_POST_VARS['clear_CC'] == 'on') && (isset($HTTP_POST_VARS['startdate'])) && (isset($HTTP_POST_VARS['enddate']))) { tep_db_query("update " . TABLE_ORDERS . " set cc_number = '' where date_purchased between '" . tep_db_input($startdate) . "' and '" . tep_db_input($enddate) . "23:59:59'"); } // BTW, this is in a PWD protected admin area, but I dumped the $HTTP_POST_VARS['start/enddate'] for tep_db_input($start/enddate). This should be secure right? I pretty much consider myself a newbie still. I know nothing about the security end, but I do plan on researching that end so I have a clue. Thanks again! Matt Mika Installed Contributions: Multi-Stores, QTPro, CCGV(trad), Batch Print, EasyPopulate, Simple Manual Order Entry, Encrypting Credit Card Via Mcrypt, UPSXML, Down for Maintenance, On The Fly GD Thumbs, SPPC, SPPC Hide, and various personal tweaks Link to comment Share on other sites More sharing options...
FalseDawn Posted April 15, 2005 Share Posted April 15, 2005 Yes, that's better - make sure you do this on all such parameters. I've also noticed several contributions that leave gaping security holes by not doing this in the code, so be wary there, too. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.