-3

I need help with my SQL Query

<?php
include 'connect.php';
$pdo = Database::connect();

$sql = "SELECT Visit_Date FROM tbl_patient_med_record WHERE PatientID=".$_GET['PatientID'] order by Visit_Date limit 1;

foreach ($pdo->query($sql) as $row){

    echo  date('F j,Y',strtotime($row['Visit_Date']));
}
Database::disconnect();
?>

The goal is to output the most recent value of Visit_Date. But it seems my code is not working. Any possible remedies for this? Thanks

The error is:

Parse error: syntax error, unexpected 'order' (T_STRING) in C:\xampp\htdocs\capstone_ncd\patient_Profile.php on line 337

Masivuye Cokile
ninja7
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky May 31 '17 at 14:43
  • You need to properly concat your SQL string. – Qirel May 31 '17 at 14:45
  • Your query is not properly quoted. Run `php -l file.php` on the source file and it will tell you where the syntax error is. – Alex Howansky May 31 '17 at 14:45
  • Is there any error? – patwoj98 May 31 '17 at 14:45
  • The error is: Parse error: syntax error, unexpected 'order' (T_STRING) in C:\xampp\htdocs\capstone_ncd\patient_Profile.php on line 337. Yes, I am aware that my SQL string is not concatenated. Have tried adding dot before the order by clause. Still no solution – ninja7 May 31 '17 at 14:48
  • @JoshuaEmmanuel Look how to concat strings in the manual: http://php.net/manual/en/language.operators.string.php – Qirel May 31 '17 at 14:53

2 Answers

0

Seems you've handled quotes wrongly. But this is vulnerable to SQL injections as Alex Howansky commented.

$sql = "SELECT Visit_Date FROM tbl_patient_med_record WHERE PatientID=".$_GET['PatientID']." ORDER BY Visit_Date LIMIT 1";
marmeladze
  • Thank you. It worked perfectly. I forgot to include the dot symbol before the order by clause. – ninja7 May 31 '17 at 14:56
  • Please don't post answers on obviously off-topic questions! See: **[Should one advise on off topic questions?](//meta.stackoverflow.com/q/276572/1768232)** Off-topic questions can be closed and deleted, which could nullify your contribution. – John Conde May 31 '17 at 14:56
  • Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard May 31 '17 at 15:21
0

$sql is badly formatted.

An SQL query looks like this: SELECT * FROM membre WHERE pseudo='apseudo' LIMIT 1

You have to generate a string like this with PHP; you can do it this way:

'SELECT * FROM membre WHERE pseudo=' . "'$pseudo'". ' LIMIT 1';

Yours is like this:

SELECT * FROM membre WHERE pseudo= followed by bad stuff.

ninjaconcombre
  • Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard May 31 '17 at 15:21
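Both answers repair the concatenated string, and the comments by Alex Howansky and Jay Blanchard point out that a prepared statement is the safe way to do this lookup. As an added example that is not part of the question or either answer, here is the same query as a PDO prepared statement with a bound parameter; it runs against an in-memory SQLite table with constructed rows, using the question's table and column names, with Database::connect() replaced by a direct PDO constructor.

```php
<?php
// Added example, not the original poster's code. An in-memory SQLite database with
// constructed rows stands in for the connection that connect.php would provide.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL one would also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the driver, does the parameter binding.

$pdo->exec('CREATE TABLE tbl_patient_med_record (PatientID INTEGER, Visit_Date TEXT)');
$seed = $pdo->prepare('INSERT INTO tbl_patient_med_record (PatientID, Visit_Date) VALUES (?, ?)');
foreach ([[7, '2017-01-15'], [7, '2017-05-02'], [8, '2017-03-09']] as $row) { // constructed data
    $seed->execute($row);
}

// Returns the most recent Visit_Date for a patient, or null if there is none.
// The SQL text never contains request data: PatientID travels as a bound integer,
// so the input cannot alter the structure of the query.
function latestVisitDate(PDO $pdo, $patientId): ?string
{
    // PatientID is numeric in this schema, so reject anything else before it reaches the database.
    if (!ctype_digit((string) $patientId)) {
        return null;
    }
    // ORDER BY ... DESC: the ascending sort in the question with LIMIT 1 returns the earliest visit.
    $stmt = $pdo->prepare(
        'SELECT Visit_Date FROM tbl_patient_med_record WHERE PatientID = :id ORDER BY Visit_Date DESC LIMIT 1'
    );
    $stmt->bindValue(':id', (int) $patientId, PDO::PARAM_INT);
    $stmt->execute();
    $date = $stmt->fetchColumn();
    return $date === false ? null : $date;
}

// Ordinary request, equivalent to $_GET['PatientID'] = '7'.
$date = latestVisitDate($pdo, '7');
echo $date === null ? "no visits\n" : date('F j, Y', strtotime($date)) . "\n";

// Malformed request: string concatenation as in the question would have spliced this into
// the WHERE clause; here it fails the type check and no SQL is executed.
var_dump(latestVisitDate($pdo, '7 OR 1=1'));
```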