I have here a snippet of PHP that I used to pull certain dates in between the two dates that the user supplied:
if($start_date!="" && $end_date!=""){
$query[]="submit_time BETWEEN '$start_date' and '$end_date'";
}
Why is it that, after the string is processed, that works? However, it seems that the widely accepted way to do this is:
if($start_date!="" && $end_date!=""){
$query[]="submit_time BETWEEN '".$start_date."' and '".$end_date."'";
}
Can anyone elaborate on why both ways work and which one is the best? I was told today I should do it the first way, but I have ALWAYS separated the variable from the string. Any ideas?
Or perhaps a better example:
$sql="SELECT * FROM $tbl_name WHERE submit_time BETWEEN
'$start_date' and '$end_date'";
vs.
$sql="SELECT * FROM $tbl_name WHERE submit_time BETWEEN
'".$start_date."' and '".$end_date."'";
Neither is the correct way. If that is the only checking you do, you are in for SQL injection.
You should be using prepared statements:
http://php.net/manual/en/pdo.prepare.php
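Added example, not code from the poster or from the answer above: the interpolated query from the question placed beside a PDO prepared statement for the same BETWEEN range. It uses an in-memory SQLite database with a few constructed rows so it runs offline; the table name, column names and the YYYY-MM-DD date format are assumptions.

```php
<?php
// Added example (not the original poster's code): interpolated query vs. prepared
// statement. In-memory SQLite with constructed sample rows, so it runs offline.
// Table name "submissions" and the YYYY-MM-DD format are assumptions.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE submissions (id INTEGER PRIMARY KEY, submit_time TEXT)");
$pdo->exec("INSERT INTO submissions (submit_time) VALUES
            ('2012-01-05'), ('2012-02-10'), ('2012-03-15')");

// 1. The pattern from the question. "'$start_date'" and "'".$start_date."'" build
//    exactly the same string, so both forms are equally exposed: whatever the user
//    typed becomes part of the SQL text that the database parses.
function unsafe_range_query(PDO $pdo, string $start_date, string $end_date): array
{
    $sql = "SELECT id FROM submissions WHERE submit_time BETWEEN '$start_date' AND '$end_date'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Prepared statement: the SQL text is fixed at prepare() time and the values are
//    sent separately as parameters, so they can never alter the query's structure.
//    The shape check on top rejects anything that is not a real calendar date.
function safe_range_query(PDO $pdo, string $start_date, string $end_date): array
{
    foreach ([$start_date, $end_date] as $d) {
        if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $d, $m)
            || !checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
            throw new InvalidArgumentException("Invalid date: $d");
        }
    }
    $stmt = $pdo->prepare(
        "SELECT id FROM submissions WHERE submit_time BETWEEN :start AND :end"
    );
    $stmt->execute([':start' => $start_date, ':end' => $end_date]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Well-formed input: both functions return the same rows.
print_r(unsafe_range_query($pdo, '2012-01-01', '2012-02-28'));
print_r(safe_range_query($pdo, '2012-01-01', '2012-02-28'));

// Malformed input (a stray quote in the end date): the validated version refuses it,
// and even without the check a bound parameter is only ever compared as a literal.
try {
    safe_range_query($pdo, '2012-01-01', "2012-02-28'");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Use named placeholders (:start, :end) or positional ones (?) with execute(); what matters is that the user's values never touch the SQL string itself. Keeping the format check as well gives the query a second line of defence and a clear error for the user rather than an empty result.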
If you are just talking about string interpolation in general, I much prefer sprintf, as I think it is way more readable and it does type conversions.
Please under no circumstance use user-provided start and end dates in your SQL.