Need help with a MySQL/PHP query involving date ranges

Question

Essentially I need to retrieve some account information from the dbase table where they have a client of the client that has been passed via GET, and the account placement date (dateplaced) is between the start and end dates passed from calendar fields again via GET.

The query below returns no rows. I have verified that the SELECT and FROM portions of the query work as intended, and the client select from GET works fine, so that leaves the date issues. "dateplaced" is stored in the database as a varchar in "dd/mm/yyyy" format. Upon researching I've found that mysql wants dates in "yyyy-mm-dd" format. I have pieced together the two parts of the between comparison from GET data, and am fairly certain they are formatted correctly. I tried just plainly using "dateplaced" instead of str_to_date() and it didn't work, so I tried str_to_date() as shown below, but it still doesn't work.

Can anyone spot my problem here? This is driving me nuts.

$query = mysql_query("SELECT accountnumber, firstname, middlename, lastname, currentbalance FROM dbase WHERE clientname = '" . $_GET['client'] . "' AND str_to_date(dateplaced, '%Y-%m-%d') BETWEEN '" . $_GET['calendar_start_year'] . "-" . $_GET['calendar_start_month'] . "-" . $_GET['calendar_start_day'] . "' AND '" . $_GET['calendar_end_year'] . "-" . $_GET['calendar_end_month'] . "-" . $_GET['calendar_end_day'] . "' ORDER BY lastname") or die(mysql_error());

Answer 1

str_to_date() takes the format of the existing string, not the desired string. So you need str_to_date(dateplaced, '%d/%m/%Y') to get Y-m-d.

Do your date creation outside the query. It's easier to debug.

$clean_name=mysqli_real_escape_string($_GET['client']);
$start_date=date_create("{$_GET['calendar_start_year']}-{$_GET['calendar_start_month']}-{$_GET['calendar_start_day']}")->format('Y-m-d');
$end_date=date_create("{$_GET['calendar_end_year']}-{$_GET['calendar_end_month']}-{$_GET['calendar_end_day']}")->format('Y-m-d');

$q="SELECT accountnumber, firstname, middlename, lastname, currentbalance 
FROM dbase 
WHERE clientname = '{$clean_name}' 
  AND str_to_date(dateplaced, '%d/%m/%Y') BETWEEN '$start_date' AND '$end_date' 
ORDER BY lastname;

PS, clean all your variables. There may be quote marks or other characters that need to be escaped (or evil hacker attempts). mysqli_real_escape_string() is what you should use.

Answer 2

First of all, you have left yourself wide-open to SQL injection by not escaping your user variables before inserting them into your query (see mysql_real_escape_string).

The reason your query isn't working is because STR_TO_DATE's second parameter needs the format of your source string, not the format you are trying to convert to.

// extract variables
$client = $_GET['client'];

$startYear = $_GET['calendar_start_year'];
$startMonth = $_GET['calendar_start_month'];
$startDay = $_GET['calendar_start_day'];

$endYear = $_GET['calendar_end_year'];
$endMonth = $_GET['calendar_end_month'];
$endDay = $_GET['calendar_end_day'] ;

// parse variables
$startDate = mktime(0, 0, 0, $startMonth, $startDay, $startYear);
$endDate = mktime(0, 0, 0, $endMonth, $endDay, $endYear);

// query database
$sql = printf(
   "SELECT accountnumber,
           firstname,
           middlename,
           lastname,
           currentbalance
    FROM dbase
    WHERE clientname = '%s'
    AND STR_TO_DATE(dateplaced, '%d/%m/%Y') BETWEEN '%s' AND '%s'
    ORDER BY lastname",
    mysql_real_escape_string($client),
    date('Y-m-d', $startDate),
    date('Y-m-d', $endDate));

$result = mysql_query($sql) or die(mysql_error());