我有一个主要的php页面,用户输入日期范围来查看表格。我正在使用一个jquery datepicker,并通过ajax将值从datepicker传递到另一个php页面,我的SELECT语句出现在那里。这些值成功传递,我可以将它们回显到" yyyy-mm-dd"中的原始页面。格式(这就是我想要的)。然后,我需要运行一个SELECT语句,只拉出orderdate在用户选择的datepicker值之间的行。当我在没有WHERE子句的情况下运行查询时,查询成功,我的表显示数据。当我有Where子句时,会显示表格标题,但数据不会出现。如何让变量与查询一起使用而不存在SQLi风险?
这是我的代码从ajax中提取datepicker值(并试图将字符串转换为日期格式 - 我是新手,并且不确定这是否是问题):
//Get date range.
$revenuefromajax=$_POST['revenuefromtext'];
$revenuetoajax=$_POST['revenuetotext'];
$revenuefromstring = strtotime($revenuefromajax);
$revenuetostring = strtotime($revenuetoajax);
$revenuefrom=date("Y-m-d", $revenuefromstring);
$revenueto=date("Y-m-d", $revenuetostring);
echo $revenuefrom;
echo $revenueto;
MySQL查询:
$sql = "SELECT invoices.id, invoices.orderdate, invoices.stagestatus, FORMAT(TRIM(LEADING '$' FROM invoices.totalprice), 2) AS totalprice, clients.company, lineitems.invoiceid, FORMAT((lineitems.width * lineitems.height) /144, 2 ) AS sqft, lineitems.quantity AS qty, FORMAT((invoices.totalprice / ((lineitems.width * lineitems.height) /144)), 2) as avgsqftrevenue, FORMAT((TRIM(LEADING '$' FROM invoices.totalprice) / lineitems.quantity), 2) AS avgunitrevenue
FROM clients
INNER JOIN invoices ON clients.id = invoices.clientid
INNER JOIN lineitems ON invoices.id = lineitems.invoiceid
WHERE invoices.ordedate BETWEEN ('".$revenuefrom."') AND ('".$revenueto."')
ORDER BY invoices.id DESC
LIMIT 10";
$result = $conn->query($sql);
echo "<table id='revenueReportA' align='center' class='report_DT'>
<tr>
<th>Customer</th>
<th>SG</th>
<th>Revenue</th>
<th>SQ FT</th>
<th>AVG Revenue Per SQ FT</th>
<th>Number of Units</th>
<th>AVG Revenue Per Unit</th>
</tr>";
if ($result = $conn->query($sql)) {
// fetch associative array
while ($row = $result->fetch_assoc()) {
echo "<tr>";
echo "<td>" . $row['company'] . "</td>";
echo "<td>" . $row['id'] . "</td>";
echo "<td>" ."$". $row['totalprice'] . "</td>";
echo "<td>" . $row['sqft'] ." ". "ft<sup>2</sup>". "</td>";
echo "<td>" ."$". $row['avgsqftrevenue'] . "</td>";
echo "<td>" . $row['qty'] . "</td>";
echo "<td>" ."$". $row['avgunitrevenue'] . "</td>";
echo "</tr>";
}
echo "</table>";