How to use sprintf to create a query with DATE_FORMAT()

0

I'm reworking a client's system. Its login uses the procedural mysqli mode rather than PDO, but to add some security I used sprintf, and it is not working. See:

$sql = sprintf(
    "SELECT *, DATE_FORMAT(DataAcesso,'%d/%m/%Y') AS DataDeAcesso, 
    DATE_FORMAT(DataAcesso,'%H:%i') AS HoraDeAcesso 
    FROM loja_admin WHERE EmailAdmin = '%s' AND SenhaAdmin = '%s'",
    mysqli_real_escape_string($this->conexao, $loginUsuario), 
    mysqli_real_escape_string($this->conexao, $codificado)
);

$query = mysqli_query($this->conexao, $sql);

And when I echo the variable $sql, nothing appears. But when I remove DATE_FORMAT(), it works. Is there any way to resolve this?

asked by anonymous 20.03.2017 / 23:53

2 answers

0

I was able to solve it by escaping the % character as %%. See:

// %% is a literal % for sprintf(), so only the two %s placeholders are conversions
$sql = sprintf(
    "SELECT *, DATE_FORMAT(DataAcesso,'%%d/%%m/%%Y') AS DataDeAcesso, 
    DATE_FORMAT(DataAcesso,'%%H:%%i') AS HoraDeAcesso 
    FROM loja_admin WHERE EmailAdmin = '%s' AND SenhaAdmin = '%s'",
    mysqli_real_escape_string($this->conexao, $loginUsuario), 
    mysqli_real_escape_string($this->conexao, $codificado)
);
21.03.2017 / 00:37
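To make the cause concrete, here is an added example (not the asker's or answerer's code) that isolates the sprintf() step so it runs without a database. The email and hash values are constructed for the demonstration and are assumed to have already been passed through mysqli_real_escape_string(), as in the question; the function and constant names are my own.

```php
<?php
// Added example: why the literal % in DATE_FORMAT() patterns must be doubled
// when the query text is built with sprintf(). No database connection needed.

declare(strict_types=1);

// The DATE_FORMAT() percent signs are written as %%, so the only conversions
// sprintf() sees are the two %s placeholders for the values.
const LOGIN_SQL_FORMAT =
    "SELECT *, DATE_FORMAT(DataAcesso,'%%d/%%m/%%Y') AS DataDeAcesso, "
  . "DATE_FORMAT(DataAcesso,'%%H:%%i') AS HoraDeAcesso "
  . "FROM loja_admin WHERE EmailAdmin = '%s' AND SenhaAdmin = '%s'";

// $email and $hash are assumed to be already escaped with
// mysqli_real_escape_string(); this function only shows the sprintf() step.
function buildLoginSql(string $email, string $hash): string
{
    return sprintf(LOGIN_SQL_FORMAT, $email, $hash);
}

// The original mistake: with a single %, the letters d, m, Y, H and i that
// follow are parsed as conversion specifiers. PHP 7 warns "Too few arguments"
// and returns false (which is why the echo in the question printed nothing);
// PHP 8 throws an Error instead (ValueError for an unknown specifier such as
// %m, ArgumentCountError when the arguments run out), so we return false for it.
function buildBrokenLoginSql(string $email, string $hash)
{
    $format = "SELECT *, DATE_FORMAT(DataAcesso,'%d/%m/%Y') AS DataDeAcesso "
            . "FROM loja_admin WHERE EmailAdmin = '%s' AND SenhaAdmin = '%s'";
    try {
        return @sprintf($format, $email, $hash);
    } catch (\Error $e) {
        return false;
    }
}

// Constructed sample values (already-escaped strings in the real flow).
$email = 'admin@example.com';
$hash  = 'e3b0c44298fc1c149afbf4c8996fb924';

echo buildLoginSql($email, $hash), PHP_EOL;
var_dump(buildBrokenLoginSql($email, $hash));

// Values passed as arguments are never re-parsed as a format string, so a %
// inside a value is harmless here. Only the format string must be trusted:
// never concatenate user input into it.
echo buildLoginSql('100%', $hash), PHP_EOL;
```

The last call shows the rule that matters for security: a `%` inside an argument is copied literally, so user-controlled data belongs in the argument list, while the format string stays a fixed constant in the code.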
1

I'm reworking a client's system. Its login uses the procedural mysqli mode rather than PDO, but to add some security I used sprintf, and it is not working.

Whether you use sprintf(), PDO, or the procedural mode of mysqli_* changes nothing with regard to the security of the code.

What really guarantees the security of the code is escaping the parameters of your query with mysqli_real_escape_string() or else using

21.03.2017 / 02:54
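As an added example, not code from either answer, here is the same login lookup written with a mysqli prepared statement in procedural style. The SQL text is a fixed string that never passes through sprintf(), so its % characters need no escaping, and the values are sent separately from the statement, so mysqli_real_escape_string() is not involved. The function name, the connection parameters and the `$_POST` field name are assumptions for illustration; the table and column names are those from the question.

```php
<?php
// Added example: the question's query as a mysqli prepared statement
// (procedural API). Requires the mysqlnd driver for mysqli_stmt_get_result().

declare(strict_types=1);

// Returns the matching admin row, or null when no row matches.
// $codificado is the already-hashed password value, as in the question.
function findAdmin(mysqli $conexao, string $loginUsuario, string $codificado): ?array
{
    // Literal SQL, never touched by sprintf(): the % in DATE_FORMAT() is fine.
    $sql = "SELECT *, DATE_FORMAT(DataAcesso,'%d/%m/%Y') AS DataDeAcesso, "
         . "DATE_FORMAT(DataAcesso,'%H:%i') AS HoraDeAcesso "
         . "FROM loja_admin WHERE EmailAdmin = ? AND SenhaAdmin = ?";

    $stmt = mysqli_prepare($conexao, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($conexao));
    }

    // Values are bound as strings and travel separately from the SQL text,
    // so quotes or % in them cannot change the statement.
    mysqli_stmt_bind_param($stmt, 'ss', $loginUsuario, $codificado);
    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('execute failed: ' . $err);
    }

    $result = mysqli_stmt_get_result($stmt);
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);

    return $row ?: null;
}

// Assumed connection details and request field, for illustration only.
$conexao = mysqli_connect('localhost', 'user', 'pass', 'loja');
if ($conexao === false) {
    exit('connect failed: ' . mysqli_connect_error());
}

$codificado = hash('sha256', $_POST['senha'] ?? ''); // assumed hashing step
$admin = findAdmin($conexao, $_POST['email'] ?? '', $codificado);
echo $admin === null ? "no match\n" : "welcome {$admin['EmailAdmin']}\n";
```

The same structure works for any query that mixes user-supplied values with literal `%` patterns: keep the SQL as a constant string with `?` placeholders and bind the values, rather than building the text with sprintf() and escaping each value by hand.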