Re: [PHP] checking user input of MM-DD-YYYY
- From: aballard@xxxxxxxxx ("Andrew Ballard")
- Date: Tue, 15 Jan 2008 12:04:54 -0500
On Jan 15, 2008 11:51 AM, Adam Williams <awilliam@xxxxxxxxxxxxxxxx> wrote:
> Andrew Ballard wrote:
> > Just curious why you won't take 1-15-2008. Once you validate it, you
> > can always assign it to a variable as either a timestamp or a DateTime
> > object and then format it however you want when you display it, send
> > it to a database, or whatever you are doing with the date.
> >
> > FWIW, what you have above will also accept 42-75-2008.
> >
> > Andrew
>
> Because I'm inserting it into MySQL as a date conversion from American
> date to a MySQL date field. %m must be ##, %d must be ##, and %Y must be
> ####. so if %m or %d is set to 1 - 9 and not 01 - 09 it will error.
>
> $mysqli_insert_sql = "INSERT INTO contract (user_id, cwcv,
> amount, responsibility, length_start, length_end, stage, title, lastmod,
> divdirdate)
> VALUES ( '$user_id', '". $_POST["cwcv"]."', '".$_POST["amount"]."',
> '".$_POST["responsibility"]."',
> STR_TO_DATE('".$_POST["length_start"]."', '%m-%d-%Y'),
> STR_TO_DATE('".$_POST["length_end"]."', '%m-%d-%Y'), '1',
> '".$_POST["title"]."', now(), now())";

All the more reason I would turn it into a timestamp or DateTime
object in PHP first. That will prevent trying to insert something like
what I used above. Then I would get rid of the MySQL STR_TO_DATE
function in the $mysqli_insert_sql value and just replace it with
something like this:
date('Y-m-d', $length_start)
If you enter it in that format MySQL will get it right without regard
to locale settings.
I hope that you are sanitizing the rest of the input as well, and not
just shoving unchecked POST data into a database. Your example is a
SQL injection attack waiting to be exploited.
Andrew
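
The approach described in this message (validate the date in PHP, hand MySQL a Y-m-d string) combined with bound parameters for the rest of the POST data, as an added example that is not code from the thread. The helper names parse_us_date and insert_contract and the bound column types are assumptions; the table and column names are taken from the quoted query.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Accept only a real calendar date written as MM-DD-YYYY; return Y-m-d or null.
function parse_us_date($input): ?string
{
    // Non-strings (e.g. length_start[]=x arrives as an array) are rejected.
    // \A...\z anchors the whole value, so a trailing newline does not pass.
    if (!is_string($input) || !preg_match('/\A(\d{2})-(\d{2})-(\d{4})\z/', $input, $m)) {
        return null;
    }
    // The pattern alone still matches 42-75-2008; checkdate() enforces the calendar.
    if (!checkdate((int) $m[1], (int) $m[2], (int) $m[3])) {
        return null;
    }
    return sprintf('%04d-%02d-%02d', $m[3], $m[1], $m[2]);
}

// Insert one contract row. Table and column names are from the quoted query;
// the bound types ('i' for user_id, 's' for the rest) are assumptions.
function insert_contract(mysqli $db, int $user_id, array $post): bool
{
    $start = parse_us_date($post['length_start'] ?? null);
    $end   = parse_us_date($post['length_end'] ?? null);
    if ($start === null || $end === null) {
        return false; // bad date: nothing reaches the database
    }
    $stmt = $db->prepare(
        "INSERT INTO contract (user_id, cwcv, amount, responsibility,
             length_start, length_end, stage, title, lastmod, divdirdate)
         VALUES (?, ?, ?, ?, ?, ?, '1', ?, NOW(), NOW())"
    );
    if ($stmt === false) {
        return false;
    }
    // Values travel as bound parameters, never as part of the SQL text.
    $stmt->bind_param('issssss', $user_id, $post['cwcv'], $post['amount'],
        $post['responsibility'], $start, $end, $post['title']);
    return $stmt->execute();
}

// Constructed sample inputs; the validation half runs without a database.
foreach (['01-15-2008', '1-15-2008', '42-75-2008', '02-30-2008', "01-15-2008'x"] as $in) {
    printf("%-14s => %s\n", $in, parse_us_date($in) ?? 'rejected');
}
```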