
My patient_display.php code calls the patient_history.php file, passing the P_ID. Below is my code.

patient_display.php:
echo '<form name="Patient" action="patient_history_display.php" method="get">';
$pid=$_GET["patient_id"];
echo '<input type="text" name="p_id" value="'.$pid.'">';
echo '</form>';

patient_history.php:
$result = mysqli_query($con,"SELECT P.P_F_NAME, P.P_L_NAME,P.P_ADDR,     round(datediff(now(),P.P_DOB)/365) AS P_AGE, D.D_DESC, A.A_DESC 
FROM P_HAS_A  PA, patient P, P_HAS_D PD, n_provide_m NM, disease D, allergy A 
WHERE P.P_ID = PD.P_ID AND PD.D_ID = D.D_ID AND P.P_ID = PA.P_ID AND PA.A_ID = A.A_ID AND P.P_ID='{$_GET["p_id"]}';");
$pid=$_GET["p_id"];

However, it is throwing the error below:

SCREAM: Error suppression ignored for Notice: Undefined index: p_id in

  • Remove $pid=$_GET["patient_id"]; from patient_display.php: – Anish Apr 26 '14 at 05:33
  • Do you mean to change the code as below? echo ''; – user3575178 Apr 26 '14 at 05:34
  • Did you get a value for p_id in that line? – Jenz Apr 26 '14 at 05:35
  • Oh sorry, I haven't seen the line below. Like @Jenz said, are you getting the value for pid? – Anish Apr 26 '14 at 05:36
  • In which line are you getting the error? Share the complete error message. – Jenz Apr 26 '14 at 05:37
  • SCREAM: Error suppression ignored for ( ! ) Notice: Undefined index: p_id in C:\wamp\www\Project\db2\db2\patient_history_display.php on line 124 Call Stack # Time Memory Function Location 1 0.0008 696312 {main}( ) ..\patient_history_display.php:0. The line 124 is $result = mysqli_query($con,"SELECT P.P_F_NAME, P.P_L_NAME,P.P_ADDR, round(datediff(now(),P.P_DOB)/365) AS P_AGE, D.D_DESC, A.A_DESC FROM P_HAS_A PA, patient P, P_HAS_D PD, n_provide_m NM, disease D, allergy A WHERE P.P_ID = PD.P_ID AND PD.D_ID = D.D_ID AND P.P_ID = PA.P_ID AND PA.A_ID = A.A_ID AND P.P_ID='{$_GET["p_id"]}';"); – user3575178 Apr 26 '14 at 05:39
  • Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo Apr 26 '14 at 05:42

3 Answers


Just check, before using $_GET and $_POST, whether the value is set (exists) or not. You can use '@', 'isset', 'strlen' and '!empty'. So your condition would be

 if(isset($_GET['patient_id'])) { 
   $pid = $_GET['patient_id'];
   echo '<input type="text" name="p_id" value="'.$pid.'">';
 }

and same for $_GET['p_id']

Wit Wikky

I think you have an error in the SQL. Try this:

$pid=$_GET["p_id"];
$result = mysqli_query($con,"SELECT P.P_F_NAME, P.P_L_NAME,P.P_ADDR,     round(datediff(now(),P.P_DOB)/365) AS P_AGE, D.D_DESC, A.A_DESC 
FROM P_HAS_A  PA, patient P, P_HAS_D PD, n_provide_m NM, disease D, allergy A 
WHERE P.P_ID = PD.P_ID AND PD.D_ID = D.D_ID AND P.P_ID = PA.P_ID AND PA.A_ID = A.A_ID AND P.P_ID='$pid'");
Jenz

Try this:

echo '<form name="Patient" action="patient_history.php" method="get">';
$pid=$_GET["p_id"];
echo '<input type="text" name="p_id" value="'.@$pid.'">';
echo '</form>';

And patient_history.php:

$pid = $_GET['p_id'];
$result = mysqli_query($con,"SELECT P.P_F_NAME, P.P_L_NAME,P.P_ADDR,
round(datediff(now(),P.P_DOB)/365) AS P_AGE, D.D_DESC, A.A_DESC 
FROM P_HAS_A  PA, patient P, P_HAS_D PD, n_provide_m NM, disease D, allergy A 
WHERE P.P_ID = PD.P_ID AND PD.D_ID = D.D_ID AND P.P_ID = PA.P_ID AND PA.A_ID = A.A_ID AND
P.P_ID='$pid'");
Mayur
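Added example, not from the question or any of the answers above: the same two pages written so that the p_id read is guarded (which removes the "Undefined index" notice all three answers address) and the query uses a bound parameter instead of interpolating $_GET into the SQL (the injection problem Gumbo's comment points out). It assumes an existing mysqli connection in $con, the mysqlnd driver (for get_result), the table and column names used in the question, and that P_ID is numeric; the function names are my own. The unjoined n_provide_m NM table from the question's FROM list is dropped, since without a join condition it multiplies every row.

```php
<?php
// Added example (not the question's or any answer's code).
// Assumes: an existing mysqli connection in $con, mysqlnd (for get_result),
// the question's table/column names, and a numeric P_ID.
declare(strict_types=1);

/**
 * patient_display.php: emit the form. Reads the id passed to this page
 * (the question uses $_GET["patient_id"]) and echoes it into the input,
 * HTML-escaped so a value containing quotes cannot break out of the attribute.
 */
function render_patient_form(array $get): string
{
    $pid  = isset($get['patient_id']) ? (string) $get['patient_id'] : '';
    $safe = htmlspecialchars($pid, ENT_QUOTES, 'UTF-8');
    return '<form name="Patient" action="patient_history_display.php" method="get">'
         . '<input type="text" name="p_id" value="' . $safe . '">'
         . '<input type="submit" value="Show history">'
         . '</form>';
}

/**
 * patient_history_display.php: validate p_id, then run the question's query
 * with a bound parameter. Returns the rows, or null when p_id is missing or
 * not numeric (reading $_GET['p_id'] without this check is what produced the
 * "Undefined index: p_id" notice).
 */
function fetch_patient_history(mysqli $con, array $get): ?array
{
    // Guard the superglobal read and reject non-numeric ids before they
    // reach the database at all.
    if (!isset($get['p_id']) || !ctype_digit((string) $get['p_id'])) {
        return null;
    }
    $pid = (int) $get['p_id'];

    $sql = 'SELECT P.P_F_NAME, P.P_L_NAME, P.P_ADDR,
                   ROUND(DATEDIFF(NOW(), P.P_DOB) / 365) AS P_AGE,
                   D.D_DESC, A.A_DESC
            FROM patient P
            JOIN P_HAS_D PD ON PD.P_ID = P.P_ID
            JOIN disease D  ON D.D_ID  = PD.D_ID
            JOIN P_HAS_A PA ON PA.P_ID = P.P_ID
            JOIN allergy A  ON A.A_ID  = PA.A_ID
            WHERE P.P_ID = ?';

    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    // The id travels as a separate integer parameter, never as SQL text,
    // so nothing typed into the p_id box can alter the statement.
    $stmt->bind_param('i', $pid);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage on the history page:
// $rows = fetch_patient_history($con, $_GET);
// if ($rows === null) { http_response_code(400); exit('missing or invalid p_id'); }
// foreach ($rows as $row) { /* render $row with htmlspecialchars() on each field */ }
```

The isset/ctype_digit guard is what silences the notice; the prepared statement is what makes the value in p_id harmless to the query. Keep the two separate: suppressing the notice with @ (as in the last answer) only hides the missing-parameter case and does nothing about the interpolated SQL.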