including a PHP variable into SQL query string

[ThePiston]

I need to include a variable inside a string in a SQL query, but something isn't right.

This is the variable:

$curr_yr = date('Y') ;

and I need it to replace the "2015" in the following query:

$query = "SELECT COUNT(`id`)
from j17_cbsubs_subscriptions
WHERE id!=62
and id !=299
and expiry_date < '2015-12-31 23:59:58'
AND status='A'";

any help is appreciated!

 

[purbeast0]

very first google result for "including a PHP variable into SQL query string" ...

http://stackoverflow.com/questions/...-php-variable-inside-a-mysql-insert-statement

 

[ThePiston]

did that right after I posted when I realized that "string" was the operative word. thanks

 

[Cogman]

very first google result for "including a PHP variable into SQL query string" ...

http://stackoverflow.com/questions/...-php-variable-inside-a-mysql-insert-statement

The top rated answer is a little unsettling. It is basically advocating SQL injection prone methodologies.

OP, if you want data in your query, the right way is parameterized queries. Anything less is running a very large security risk.

 

[ThePiston]

so this is a bad idea?

$query = "SELECT COUNT(`id`)
from j17_cbsubs_subscriptions
WHERE id!=62
and id !=299
and expiry_date < '{$curr_yr}-12-31 23:59:58'
AND status='A'";

 

[Cogman]

so this is a bad idea?

$query = "SELECT COUNT(`id`)
from j17_cbsubs_subscriptions
WHERE id!=62
and id !=299
and expiry_date < '{$curr_yr}-12-31 23:59:58'
AND status='A'";

It depends on where curr_yr is coming from, but in general, yes. Seeing something like that makes me think "SQL injection attack" even if it isn't possible (input guaranteed to be an integer). Parameterized queries aren't much harder to write and they are always safe from injection attacks. It is just a good idea to always prefer them over string concatenation.

 

[Ken g6]

Here's why it's a bad idea:

[imglink]http://imgs.xkcd.com/comics/exploits_of_a_mom.png[/imglink]