
My code is below. I am using the InfinityFree host. This is the error I get:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

```html
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Delete Record Form</title>
</head>
<body style="background-color:powderblue;">

<form action="deletePatientInfo.php" method="post">
<p>
<label for="PatientNumber">Patient Number:</label>
<input type="text" name="PatientNumber" id="patientNumber">
</p>

<hr>
<input type="submit" value="Delete" id="delete">
</form>
<form action="http://thecraaz.epizy.com/Sharara_Hospital.php">
    <input type="submit" value="Go to HomePage" />
</form>
<p style="font-family:verdana"> STAY HEALTHY STAY YOUNG </p>
</body>
</html>
```

The following is my PHP portion. Please help me. It is for a project.

```php
<?php

$con = mysql_connect("sql212.epizy.com","***********","*********");

if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("epiz_27319584_doctor_patient", $con);

$PatientNumber = $_POST['PatientNumber'];
$sql = "DELETE FROM Patient_File WHERE PatientNumber = $PatientNumber" ;
if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
else
{
echo "1 record deleted successfully";
}

mysql_close($con);

?>
```
  • **Warning**: You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized prepared statements instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even by trusted users, [you are still at risk of corrupting your data](https://bobby-tables.com/). [Escaping is not enough](https://stackoverflow.com/q/5741187). – Jason K Dec 03 '20 at 17:50
  • Are those real valid credentials? Remove ASAP. – Felippe Duarte Dec 03 '20 at 17:53
  • If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. [Start here phpdelusions.net/pdo](https://phpdelusions.net/pdo). – Jason K Dec 03 '20 at 17:55
  • I only see 1 SQL statement. Looks ok, depending on what's in `$PatientNumber`. – Jason K Dec 03 '20 at 17:57
  • Make sure `$PatientNumber` has a value before you run the query. If it doesn't, it will break the query as it's doing now. – aynber Dec 03 '20 at 17:58
  • How do I add a value to `$PatientNumber`? I am new to this. – binisha pokharel Dec 03 '20 at 18:03
  • The expectation would be that it is being filled in from your form. And you are pouring that raw data into your SQL. – Jason K Dec 03 '20 at 18:08
  • @JasonK The OP is not even using mysqli. Somehow they are using `ext/mysql` which has been removed from PHP for years. So they must be using PHP 5.x which is deprecated and unsupported. :-( – Bill Karwin Dec 03 '20 at 18:09
  • @BillKarwin glossed right over that. – Jason K Dec 03 '20 at 18:15
  • **Warning:** `mysql_*` extension is deprecated as of PHP 5.5.0, and has been removed as of PHP 7.0.0. Instead, either the [mysqli](https://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](https://www.php.net/manual/en/book.pdo.php) extension should be used. See also the [MySQL API Overview](https://www.php.net/manual/en/mysqlinfo.api.choosing.php) for further help while choosing a MySQL API. – Dharman Dec 03 '20 at 18:24
  • Make sure to change your database password. Even though it's been removed from the question now, it was visible for some time and is also still visible in the revision history. – El_Vanja Dec 03 '20 at 19:53
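A hardened version of the delete script, written here as an added example (not code from the question or its comments), that does what the comments recommend: check that a numeric patient number was actually posted, then send it to MySQL through a PDO prepared statement instead of pasting it into the query string. The host, database name and credentials are placeholders; the table and column names are the ones from the question.

```php
<?php
// Added example, not the asker's code. Placeholders: DB_HOST, DB_NAME, DB_USER, DB_PASSWORD.
declare(strict_types=1);

$dsn  = 'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4';
$user = 'DB_USER';
$pass = 'DB_PASSWORD';

// 1. Validate the input before touching the database. An empty field is what
//    produces "syntax ... near '' at line 1": the original query collapsed to
//    DELETE FROM Patient_File WHERE PatientNumber =   (nothing after the '=').
$raw = $_POST['PatientNumber'] ?? '';
if (!preg_match('/^[0-9]{1,10}$/', $raw)) {
    http_response_code(400);
    exit('Please enter a numeric patient number.');
}
$patientNumber = (int) $raw;

try {
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);

    // 2. The SQL text is fixed; the value is sent separately, so whatever the
    //    user typed can only ever be compared against PatientNumber.
    $stmt = $pdo->prepare('DELETE FROM Patient_File WHERE PatientNumber = :pn');
    $stmt->bindValue(':pn', $patientNumber, PDO::PARAM_INT);
    $stmt->execute();

    // 3. rowCount() says whether a row was really removed; the original printed
    //    "1 record deleted" even when no patient matched.
    echo $stmt->rowCount() === 1
        ? 'Record deleted.'
        : 'No patient with that number was found.';
} catch (PDOException $e) {
    // Keep driver error text in the server log; do not echo it to the browser.
    error_log('deletePatientInfo: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not process the request.');
}
```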
