tags:

views:

311

answers:

1
Q: 

Date comparison in SQLite

How do you declare a date datatype in a table? Is it simply the following?

CREATE TABLE sampleDB (..., sampledate DATE, ...)

Now, if I want to query from that using a string through a POST form:

<?php
    $formdate = $_POST["inputname"];

    if($formdate) {
        echo "Searching using query: ".$formdate."<br>";
        $db = new SQLiteDatabase("testDB.db");
        $query = $db->query("SELECT * FROM sampleDB WHERE sampledate = ".$formdate);
        while($entry = $query->fetch(SQLITE_ASSOC)) {
            echo "result: " ... "<br>";
        }
    }
?>

This doesn't seem to work. It doesn't return the entry that I want.

When I store the date as a string and compare strings, all is well, but if SQLite has a DATE data type, I think there should be way to use it!

+4  A: 

There's a vulnerability in the code you posted that seems to make it easy for any user to inject arbitrary SQL commands. Two common ways to fix it are (1) sanitizing the input and (2) using an API that separates commands from (possibly untrusted) arguments. For (1) I'd look for SQL-specific escape functions in the PHP documentation. A well-known example for (2) is Perl's DBI. (I don't know whether there is a comparable library for PHP.)

In SQLite, there is no date or time type. If you already have date strings in the database, you'll have to make sure that they are consistently formatted. Date and Time Functions from the SQLite manual lists some functions that might come useful for your queries.

hillu  2009-11-17 10:38:32
To whomever voted my answer down. Saying "I don't like your answer" without giving a reason is lame.
hillu  2009-11-17 22:40:21
First, your response is rude. This site is for programming questions no matter what the level of expertise.Second, you told me about a problem without telling me how to fix it. What part is vulnerable to injection attacks? How do I fix that?Third, thank you for telling me that SQLite doesn't have a date or time type. That's the only part of your response that was immediately useful to me.Finally, I'm looking for a fast answer; not a programming lesson. From my understanding, that's what Stack Overflow is about: quick ANSWERS to our programming questions.
Teef L  2009-11-18 08:07:47
Your question was stated in a way that made it impossible for me to give you a quick answer, just some pointers. I assumed that you'd be able to do some (Google) research on what an SQL injection attack is, how to spot a vulnerability and fix it. Have fun with my revised answer.
hillu  2009-11-18 11:18:20

related questions

SQLite3::BusyException
How do I dump the data of some SQLite3 tables?
Database functionality with WPF app: SQLite, SQL CE, other?
SQLite UDF - VBA Callback
JavaScript sqlite
SQLite/PHP read-only?
Is there a MySQLAdmin or SQL Server Management Studio equivalent for SQLite databases on Windows?
What are the advantages of VistaDB
How Scalable is SQLite?
Programmatically access browser history
SQL Pagination
Metalanaguage to describe the Model from MVC to generate identical client and server side code
Java and SQLite
Is there a good IDE for SQLite ?
Does Visual Studio Server Explorer support custom database providers?
Objective-C: Passing around sets of data
What is the best way to connect and use a sqlite database from C#
Quick easy way to migrate SQLite3 to MySQL?
Why does sqlite3-ruby-1.2.2 not work on OS X?
T-Sql date format for seconds since last epoch / formatting for sqlite input
What's the best way of converting a mysql database to a sqlite one?
SQLite vs MySQL
Using SQLite with Visual Studio 2008 and Silverlight
Adobe Air - Using multiple SQLite databases at once
SQLite and XSD