doumu9799 2018-10-30 18:44
浏览 228
已采纳

在codeigniter中向SQL注入一个SQL

I am trying to inject a SQL with a DATE_FORMAT method and it gives me parsing error. But the query working perfectly in phpmyadmin. Below you can find my code which is my controller

public function index() {
  $sql = "SELECT DATE_FORMAT('added_date', "%M") AS Month, SUM(total) FROM tbl_order GROUP BY DATE_FORMAT('added_date', "%M")";
  $query = $this->db->query($sql);
  $orderData= $query->result_array();
  $data["orderData"] = $orderData;
  var_dump($data);die;
  $this->load->view('admindashboard/index.php',$data);
}

I have attached the error message as wellenter image description here

  • 写回答

3条回答 默认 最新

  • drgwsx8405 2018-10-30 18:48
    关注

    I think you can try to use '%M' instead of "%M", because it will split the string by ".

    $sql = "SELECT DATE_FORMAT(added_date, '%M') AS Month, 
    SUM(total) 
    FROM tbl_order 
    GROUP BY DATE_FORMAT(added_date, '%M')";
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?