I currently can't convert the SQL query below into a prepared statement.

$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$dateswitch1 = date("Y-m-d", strtotime($XSS_BLOCK2));
$dateswitch2 = date("Y-m-d", strtotime($XSS_BLOCK3));

$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE $dateswitch1 AND $dateswitch2 BETWEEN StartDate AND EndDate");


For example, the working (non-prepared) code is:

$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE '2004-07-22' AND '2016-05-20' BETWEEN StartDate AND EndDate");

Code example:

$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$dateswitch1 = date("Y-m-d", strtotime($XSS_BLOCK2));
$dateswitch2 = date("Y-m-d", strtotime($XSS_BLOCK3));
$securesqlstring = $secureconn->prepare("SELECT * FROM Lateday WHERE ? AND ? BETWEEN StartDate AND EndDate");
$securesqlstring->bindParam(1,$dateswitch1);
$securesqlstring->bindParam(2,$dateswitch2);
$securesqlstring->execute();


This currently doesn't work.

Here is an example of a working UPDATE statement from another project. I'd like to convert the SQL query above into something like the example below:

$id = $_POST["id"];
$stocklevel = $_POST["stocklevel"];

$XSS_Block1 = htmlentities ($id, ENT_QUOTES, "UTF-8");
$XSS_Block2 = htmlentities ($stocklevel, ENT_QUOTES, "UTF-8");

$conn = new PDO("mysql:host=localhost;dbname=;","","");
$mattssqlstring = $conn->prepare("UPDATE `products` SET stocklevel=stocklevel-? WHERE ID=? and stocklevel = ?");
$mattssqlstring->bindParam(1,$XSS_Block2);
$mattssqlstring->bindParam(2,$XSS_Block1);
$mattssqlstring->bindParam(3,$XSS_Block2);
$mattssqlstring->execute();

Accepted answer

$XSS_BLOCK2 = "22-07-2004";
$XSS_BLOCK3 = "20-05-2016";
$securesqlstring = $secureconn->prepare("SELECT * FROM `Lateday` WHERE STR_TO_DATE(:date1,'%d-%m-%Y') AND STR_TO_DATE(:date2,'%d-%m-%Y') BETWEEN `StartDate` AND `EndDate`");
$securesqlstring->bindParam(':date1',$XSS_BLOCK2);
$securesqlstring->bindParam(':date2',$XSS_BLOCK3);
$securesqlstring->execute();

09-15 17:30
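As an added example (not the asker's or the answerer's code), here is a PHP version that validates the dd-mm-yyyy input strictly before binding it, so that a malformed date fails loudly instead of being silently turned into 1970-01-01 by strtotime(). The table and column names come from the thread; the DSN, credentials and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Strictly parse a dd-mm-yyyy string and return it as yyyy-mm-dd.
// strtotime() accepts almost anything and yields 1970-01-01 for garbage,
// so bad input would be invisible; createFromFormat() plus getLastErrors()
// rejects it instead (e.g. "31-02-2016" raises a warning here).
function toIsoDate(string $input): string
{
    // '!' resets the time fields so two equal dates compare equal.
    $dt  = DateTime::createFromFormat('!d-m-Y', $input);
    $err = DateTime::getLastErrors(); // false on PHP >= 8.2 when there are none
    if ($dt === false || ($err !== false && ($err['warning_count'] + $err['error_count']) > 0)) {
        throw new InvalidArgumentException("Expected dd-mm-yyyy, got: {$input}");
    }
    return $dt->format('Y-m-d');
}

// Run the thread's query with both dates bound as parameters (hypothetical helper).
function findLatedayRows(PDO $pdo, string $from, string $to): array
{
    $date1 = toIsoDate($from);
    $date2 = toIsoDate($to);
    // Same WHERE clause as the thread. MySQL parses it as
    // `:date1 AND (:date2 BETWEEN StartDate AND EndDate)` because BETWEEN binds
    // tighter than AND, so only :date2 is range-tested; :date1 is only evaluated
    // for truthiness. Binding keeps the values out of the SQL text either way.
    $stmt = $pdo->prepare(
        'SELECT * FROM `Lateday` WHERE :date1 AND :date2 BETWEEN `StartDate` AND `EndDate`'
    );
    $stmt->bindValue(':date1', $date1, PDO::PARAM_STR);
    $stmt->bindValue(':date2', $date2, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection details are placeholders; adjust for your environment.
$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface failures instead of an empty result
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

foreach (findLatedayRows($pdo, '22-07-2004', '20-05-2016') as $row) {
    echo $row['StartDate'], ' - ', $row['EndDate'], PHP_EOL;
}
```

Note that htmlentities(), as used in the UPDATE example, is output encoding for HTML and does nothing against SQL injection; the parameter binding is what keeps the values out of the query text.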