unexpected t variable

jeff5656 · March 5, 2008

I get the above syntax error with the following code:

<?php

include connectdb.php

$sql = UPDATE active_consults SET

patient_name = '" . $_POST['patient_name'] . "',

mrn = '" . $_POST['mrn'] . "',

location = '" . $_POST['location'] . "',

fellow = '" . $_POST['fellow'] . "',

rcf_date = '" . $_POST['rcf_date'] . "',

admission = '" . $_POST['admission'] . "',

consult_reason = '" . $_POST['consult_reason'] . "',

impression = '" . $_POST['impression'] . "',

recs = '" . $_POST['recs'] . "',

comments = '" . $_POST['comments'] . "'

where id_incr = '". $_GET['id_incr'] . "';

?>

Thank you!

corbin · March 5, 2008

$sql = "UPDATE

missing a starting ". ;p

uramagget · March 5, 2008

I don't know if it was erased by posting, though shouldn't it be:

include "connectdb.php";

darkfreaks · March 5, 2008

<?php
include "connectdb.php";

$sql = "UPDATE active_consults SET
patient_name = '" . {$_POST['patient_name'] }. "',
   mrn = '" .{ $_POST['mrn'] }. "',
   location = '" . {$_POST['location']} . "',
   fellow = '" . {$_POST['fellow']} . "',
   rcf_date = '" .{$_POST['rcf_date']} . "',
   admission = '" . {$_POST['admission'] }. "',
   consult_reason = '" .{ $_POST['consult_reason']}. "',
   impression = '" . {$_POST['impression']} . "',
   recs = '" .{ $_POST['recs']} . "',
   comments = '" . {$_POST['comments']} . "'
   where id_incr = '". {$_GET['id_incr']} . "''";


?>

wildteen88 · March 5, 2008

Try:

<?php

include 'connectdb.php';

if(isset($_GET['id_incr'] && is_numeric($_GET['id_incr']))
{
    $patient_name = mysql_real_escape_string($_POST['patient_name']);
    $mrn = mysql_real_escape_string($_POST['mrn']);
    $location = mysql_real_escape_string($_POST['location']);
    $fellow = mysql_real_escape_string($_POST['fellow']);
    $rcf_date = mysql_real_escape_string($_POST['rcf_date']);
    $admission = mysql_real_escape_string($_POST['admission']);
    $consult_reason = mysql_real_escape_string($_POST['consult_reason']);
    $impression = mysql_real_escape_string($_POST['impression']);
    $recs = mysql_real_escape_string($_POST['recs']);
    $admission = mysql_real_escape_string($_POST['admission']);
    $comments = mysql_real_escape_string($_POST['comments']);


    $sql = "UPDATE active_consults SET patient_name = '" . $patient_name . "',
                                       mrn = '" . $mrn . "',
                                       location = '" . $location . "',
                                       fellow = '" . $fellow . "',
                                       rcf_date = '" . $rcf_date . "',
                                       admission = '" . $admission . "',
                                       consult_reason = '" . $consult_reason . "',
                                       impression = '" . $impression . "',
                                       recs = '" . $recs . "',
                                       comments = '" . $comments . "'
            WHERE id_incr = '". $id . "'";
}

?>

Never place raw post/get data directly into an sql query. I have applied a bit of basic security to your code to help prevent SQL Injection attacks

darkfreaks · March 5, 2008

i guess you could post it straight into your query but like wildteen said it is not safe at all too. Please make sure you have used sanitation beforehand.

jeff5656 · March 5, 2008

I used the code from wildteen 88 and got this:

unexpected T_BOOLEAN_AND, expecting ',' or ')' in C:\wamp\www\consults\editpatient.php on line 6

revraz · March 5, 2008

Add a ) here

if(isset($_GET['id_incr']) && is_numeric($_GET['id_incr']))

BlueSkyIS · March 5, 2008

i find it helpful to use a code editor that complains if parentheses, brackets and other symmetrical symbols are unmatched.

jeff5656 · March 5, 2008

Thanks for all the help so far. I managed to get that to be without errors, but now it seems that the variables are empty (but in the address bar I DO see the correct id: http://localhost/consults/editpatient.php?action=edit&id=47)

For instance if i try to echo $patient_name nothing is displayed. I added a form to the end (see code below) to try to populate it witht he fields from the record specified in id_incr, but nothing shows up (I got rid of most of the form to make it easier):

<?php

include 'connectdb.php';

if(isset($_GET['id_incr']) && is_numeric($_GET['id_incr']))

{

$patient_name = mysql_real_escape_string($_POST['patient_name']);

$mrn = mysql_real_escape_string($_POST['mrn']);

$location = mysql_real_escape_string($_POST['location']);

$fellow = mysql_real_escape_string($_POST['fellow']);

$rcf_date = mysql_real_escape_string($_POST['rcf_date']);

$admission = mysql_real_escape_string($_POST['admission']);

$consult_reason = mysql_real_escape_string($_POST['consult_reason']);

$impression = mysql_real_escape_string($_POST['impression']);

$recs = mysql_real_escape_string($_POST['recs']);

$admission = mysql_real_escape_string($_POST['admission']);

$comments = mysql_real_escape_string($_POST['comments']);

$sql = "UPDATE active_consults SET patient_name = '" . $patient_name . "',

mrn = '" . $mrn . "',

location = '" . $location . "',

fellow = '" . $fellow . "',

rcf_date = '" . $rcf_date . "',

admission = '" . $admission . "',

consult_reason = '" . $consult_reason . "',

impression = '" . $impression . "',

recs = '" . $recs . "',

comments = '" . $comments . "'

WHERE id_incr = '". $id . "'";

}

?>

<h2>Add new patient</h2>

<tr>

<th scope="col">Patient Name</th>

<th scope="col">Fellow</th>

</tr>

<tr>

</label></td>

</tr>

</table>

</table>

<p>

</p>

</form>

jeff5656 · March 5, 2008

BTW, the page preceding the above page is attached below, in case the problem is that this script is sending empty variables (although as I said, the correct id_incr value is displayed in the address bar:

<?php require('secure.php');

include "dateheader.php";

include "connectdb.php";

$query = "SELECT id_incr, patient_name, mrn, location, fellow, rcf_date, admission, consult_reason, impression, recs, comments ".

"FROM active_consults WHERE signoff_status = 'a' ".

"ORDER BY patient_name";

$results = mysql_query ($query) or die (mysql_error());

$num_pts = mysql_num_rows ($results);

$consultheading =<<<EOD

<table width="70%" border = "1" cellpadding = "2"

cellspacing = "2" align = "center">

<th> Fellow </th>

<th> Date of Consult</th>

<th> Reason for Admssion </th>

<th> Reason for Consult </th>

<th> Impression </th>

<th> Comments </th>

</tr>

EOD;

echo $consultheading;

while ($row = mysql_fetch_assoc ($results)) {

?>

<tr>

<?php echo $row['patient_name'];?> </td>

<?php echo $row['mrn'];?> </td>

<?php echo $row['location'];?> </td>

<?php echo $row['fellow'];?> </td>

<?php echo $row['rcf_date'];?> </td>

<?php echo $row['admission'];?> </td>

<?php echo $row['consult_reason'];?> </td>

<?php echo $row['impression'];?> </td>

<?php echo $row['recs'];?> </td>

<?php echo $row['comments'];?> </td>

<a href="editpatient.php?action=edit&id=<?php

echo $row['id_incr']; ?>">[EDIT]</a> </td>

</tr>

<?php

}

?>

<td> Total active patients: <?php echo $num_pts; ?> </td>

</tr>

</table>

darkfreaks · March 6, 2008

<?php

require('secure.php');
include ("dateheader.php");
include ("connectdb.php");

$patient_name= strip_tags(trim( mysql_real_escape_string($_POST['patient_name'])));
    $mrn = strip_tags(trim(mysql_real_escape_string($_POST['mrn'])));
    $location = strip_tags(trim(mysql_real_escape_string($_POST['location'])));
    $fellow = strip_tags(trim(mysql_real_escape_string($_POST['fellow'])));
    $rcf_date =strip_tags(trim( mysql_real_escape_string($_POST['rcf_date'])));
    $admission =strip_tags(trim( mysql_real_escape_string($_POST['admission'])));
    $consult_reason = strip_tags(trim(mysql_real_escape_string($_POST['consult_reason'])));
    $impression =strip_tags(trim( mysql_real_escape_string($_POST['impression'])));
    $recs = strip_tags(trim(mysql_real_escape_string($_POST['recs'])));
    $comments =strip_tags(trim(mysql_real_escape_string($_POST['comments']));

if(isset($_GET['id_incr']||is_numeric($_GET['id_incr'])||
!empty($patient_name)||!empty($mrn)||
!empty($location)||!empty($fellow)||
!empty($rcf_date)||!empty($admission)||!empty($consult_reason)||
!empty($impression)||!empty($recs)||!empty($comments))
{  
     $sql = "UPDATE active_consults SET patient_name = '" . $patient_name . "',
                                       mrn = '" . $mrn . "',
                                       location = '" . $location . "',
                                       fellow = '" . $fellow . "',
                                       rcf_date = '" . $rcf_date . "',
                                       admission = '" . $admission . "',
                                       consult_reason = '" . $consult_reason . "',
                                       impression = '" . $impression . "',
                                       recs = '" . $recs . "',
                                       comments = '" . $comments . "'
            WHERE id_incr = '". $id . "'";
}

else{ die("Please go back and fill out the form <a href=>Here</a>!");}
    
    ?>

revraz · March 6, 2008

Probably because your URL contains "id" and you are getting "id_incr" ?

darkfreaks · March 6, 2008

that is a good possibility reveraz but the code above should stop empty values or error

Sign In

unexpected t variable

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Archived

Important Information