Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Please help SQL Masters!?!?!?


rotaour

Recommended Posts

I've got this code;

if(($HTTP_POST_VARS['clear_CC'] == 'on') && ($invoicenumbers != '')) {
tep_db_query("update " . TABLE_ORDERS . " set cc_number = '' where orders_id in (" . tep_db_input($invoicenumbers) . ") ");
} elseif (($HTTP_POST_VARS['clear_CC'] == 'on') && (isset($HTTP_POST_VARS['startdate'])) && (isset($HTTP_POST_VARS['enddate']))) {
tep_db_query("update " . TABLE_ORDERS . " set cc_number = '' where date_purchased between " . $HTTP_POST_VARS['startdate'] . " and " . $HTTP_POST_VARS['enddate'] . "23:59:59");
//tep_db_query("update " . TABLE_ORDERS . " set cc_number = '' where date_purchased between " . tep_db_input($startdate) . " and " . tep_db_input($enddate) . "23:59:59");
}

 

The 'if' condition works fine, but when all the conditions are met for the 'elseif' I get this error;

 

1064 - You have an error in your SQL syntax near '23:59:59' at line 1

update orders set cc_number = '' where date_purchased between 2005-04-13 and 2005-04-14 23:59:59

[TEP STOP]

 

Im not sure whats going on. The code I gleaned this from is;

 

if ($invoicenumbers != '') {
$orders_query = tep_db_query("select o.orders_id,h.comments,MIN(h.date_added) from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_STATUS_HISTORY . " h where o.orders_id in (" . tep_db_input($invoicenumbers) . ") and h.orders_id = o.orders_id" . $pull_w_status . $get_customer_comments . ' group by o.orders_id');
} else {  
$orders_query = tep_db_query("select o.orders_id,h.comments,MIN(h.date_added) from " . TABLE_ORDERS . " o, " . TABLE_ORDERS_STATUS_HISTORY . " h where o.date_purchased between '" . tep_db_input($startdate) . "' and '" . tep_db_input($enddate) . "23:59:59'  and h.orders_id = o.orders_id" . $pull_w_status . $get_customer_comments . ' group by o.orders_id');
}

 

and it all works fine. Anyone see any glaring syntax problems?

I'll post additional info if needed.

Thanks

Matt Mika

Installed Contributions: Multi-Stores, QTPro, CCGV(trad), Batch Print, EasyPopulate, Simple Manual Order Entry, Encrypting Credit Card Via Mcrypt, UPSXML, Down for Maintenance, On The Fly GD Thumbs, SPPC, SPPC Hide, and various personal tweaks

Link to comment
Share on other sites

Jeremy is correct.

Also, you should never, ever use raw GET, POST or cookie data in any kind of query - As a minimum, wrap the values in tep_db_input, preferably validate the values first as well.

If this is on the admin side, and your admin is pwd protected, that's not so bad - if it's on your catalog side, it needs fixing.

Do a google on "sql injection attacks" for why.

Link to comment
Share on other sites

Looks to me like you are missing an operator: Here is a fragment from what you have posted: $HTTP_POST_VARS['enddate'] . "23:59:59");

 

I would think you need something like: $HTTP_POST_VARS['enddate'] . "= " . "23:59:59");

 

You should also be able to assign the result of the SQL expression to a variable then echo that to the screen so you can see the result more clearly. Hope this helps.

Link to comment
Share on other sites

Thanks for the replies guys. I was pretty sure it was the colons causing the problem and it was. I messed around with the quotes(some more) and came up with this which works! WooHoo!, but boy did I spent way too much time on this when I knew it was a stupid syntax issue...

 

// Clear Credit Card
if(($HTTP_POST_VARS['clear_CC'] == 'on') && ($invoicenumbers != '')) {
tep_db_query("update " . TABLE_ORDERS . " set cc_number = '' where orders_id in (" . tep_db_input($invoicenumbers) . ") ");
} elseif (($HTTP_POST_VARS['clear_CC'] == 'on') && (isset($HTTP_POST_VARS['startdate'])) && (isset($HTTP_POST_VARS['enddate']))) {
tep_db_query("update " . TABLE_ORDERS . " set cc_number = '' where date_purchased between '" . tep_db_input($startdate) . "' and '" . tep_db_input($enddate) . "23:59:59'");
}
//

 

BTW, this is in a PWD protected admin area, but I dumped the $HTTP_POST_VARS['start/enddate'] for tep_db_input($start/enddate). This should be secure right? I pretty much consider myself a newbie still. I know nothing about the security end, but I do plan on researching that end so I have a clue.

 

Thanks again!

Matt Mika

Installed Contributions: Multi-Stores, QTPro, CCGV(trad), Batch Print, EasyPopulate, Simple Manual Order Entry, Encrypting Credit Card Via Mcrypt, UPSXML, Down for Maintenance, On The Fly GD Thumbs, SPPC, SPPC Hide, and various personal tweaks

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...