Hello i would like to UPDATE all the row with a Boolean ( 1 ) when i check the checkbox , but i can't do it when i try.. He select and update all "$id" or update only the last $id of my cours table.
Someone can help ? :)
EDIT :
<form action='' method='POST'>
<?php
require 'inc/db.php';
$req = $pdo->query('SELECT * FROM cours WHERE isValid = 0' );
while ($row = $req->fetch(PDO::FETCH_ASSOC)) {
$originalDate = $row['date'];
$newDate = date("d-m-Y", strtotime($originalDate));
$id = $row['id'];
echo "<tr>";
echo "<td>" . htmlspecialchars($newDate) . "</td>";
echo "<td>" . htmlspecialchars($row['hours']) . "</td>";
echo "<td>" . htmlspecialchars($row['iduser']) . " / " . htmlspecialchars($row['lastname']) . " / " . htmlspecialchars($row['firstname']) . "</td>";
echo "<td>" . htmlspecialchars($row['courses']) . "</td>";
echo "<td><input type='checkbox' name='check[$id]' value='1' >" . $id . "</td> ";
print "</tr>";
}
print "</table>";
if(isset($_POST['check']) && count($_POST['check'] )) {
$ids = implode($_POST['check']);
$req2 = $pdo->prepare("UPDATE cours SET isValid = 1 WHERE id IN ({$ids})");
$req2->execute();
var_dump($_POST['check']);
}
?>
<button type="submit" name="send" class="btn btn-primary center-block" >send</button>
</form>
if(isset($_POST['check']) && count($_POST['check'])) {
$ids = implode(', ', $_POST['check']);
$sql = "UPDATE cours SET isValid = 1 WHERE id IN ({$ids})";
//run sql
}
Of course, it's still as vulnerable to sql injection as your current code. You'd want to either ensure all the ids are actually integers, or use parameters in your statement.
You may be having trouble debugging this, because you put your var_dump outside the loop. So you're only ever going to SEE the last id.
Related
I have an interesting challenge that I haven't been able to get my head around, I have a html table that is generated from php while loop and a mysql database, each generated row of this table has a button that allows someone to modify a row in a database, but whenever the button is pressed the action is performed across the whole generated table thanks to the while loop, and I don't know how to only get that row to perform an action.
Here is the code that I have so far in this section.
while ($submissionrow = mysqli_fetch_array($currentsubmissions)) {
if ($submissionrow[approved] === '1') {
$approvedtick = 'Approved';
}else {
$approvedtick = '';
}
if ($submissionrow[rejected] === '1') {
$rejectedsymbol = 'Rejected';
}else {
$rejectedsymbol = '';
}
if ($approvedtick == $blanksymbol && $rejectedsymbol == $blanksymbol) {
$inreviewmessage = 'In Review';
}else {
$inreviewmessage = '';
}
echo "<tr>";
echo "<td>" . $submissionrow[submission_ID] . "</td>";
echo "<td>" . $submissionrow[Username] . "</td>";
echo "<td>" . $currentyear . "</td>";
echo "<td>" . $submissionrow[CSEvent] . "</td>";
echo "<td>" . "";?>
<form method='post' action='<?php $_PHP_SELF ?>'>
<?php
echo "<button type='submit' name='$submissionrow[submission_ID]' id='accept_cs'>Approve</button>";
echo "<button type='submit' name='$submissionrow[submission_ID]' id='reject_cs'>Reject</button>";
?>
</form>
<?php echo "
" . "</td>";
echo "<td>" . $approvedtick . $rejectedsymbol . $inreviewmessage . "</td>";
if(isset($_POST['accept_cs'])) {
$accept_cs_sql = 'UPDATE CommunityService SET approved =1 WHERE submission_ID =' . $submissionrow[submission_ID];
printf($accept_cs_sql);
$retval = $dbcon->query("$accept_cs_sql");
echo "Updated Accepted Status successfully\n";
}
if(isset($_POST['reject_cs'])) {
$reject_cs_sql = 'UPDATE CommunityService SET rejected =1 WHERE submission_ID =' . $submissionrow[submission_ID];
printf($reject_cs_sql);
$retval = $dbcon->query("$reject_cs_sql");
echo "Updated Rejected Status successfully\n";
}
}
I can make the code submit the performed action, but it enacts this action on the ID of every row in the table, not just the row with that button that was pressed.
Thank you in advance
-jx
Sorry if my english is not correct. I will try my best..
The question is how can I insert record from existing table with insert button. Everything work fine except variable $book. It records value 0 to database. Here is code..
//if the user press "INSERT BOOK" button there will be new record in database
<?php
$reader=$_SESSION['user_id'];
$book=$row['book_id'];
if (isset($_POST['update'])){
$sql = "INSERT INTO `read` (`read_id`, `book`, `reader`) VALUES (LAST_INSERT_ID(), '$book' '$reader')";
$result = mysql_query($sql) or die(mysql_error());
if ($result) {
echo " Yes, it works!";
}
else{
echo "noup!";
}
}
if(isset($_POST['submit'])){
if(isset($_GET['go'])){
if(preg_match("/^[ a-zA-Z]+/", $_POST['name'])){
$name=$_POST['name'];
$result = mysql_query("SELECT * FROM book b JOIN `read` r ON (b.book_id = r.book) JOIN users u ON (r.reader = u.user_id) WHERE b.book_name LIKE '%" . $name . "%' or b.writer LIKE '%" . $name . "%' AND u.user_id !=". $_SESSION['user_id']);
$num_rows = mysql_num_rows($result);
if($num_rows>=1){
echo "<table id='table1'>
<tr>
<th>book_id</th>
<th>BOOKNAME</th>
<th>WRITER</th>
<th>PAGES</th>
</tr>";
while($row=mysql_fetch_array($result)){
echo "<form action=add_book.php method='post'>";
echo "<tr>";
echo "<td>" . $row['book_id'] . "</td>";
echo "<td>" . $row['book_name'] . "</td>";
echo "<td>" . $row['writer'] . "</td>";
echo "<td>" . $row['pages'] . "</td>";
//echo "<td>" . "<input type = 'hidden' name = 'hidden' value =" . $row['book_id'] . " </td>";
echo "<td>" . "<input class = 'field' type = 'submit' name = 'update' value = 'INSERT BOOK'>" . " </td>";
echo "</tr>";
echo "</form>";
}//WHILE LOOP
echo "</table>";
}
else{
echo "NO RESULTS";
}//else
}//if(preg_match..)
} //if(isset($_GET['go'])){
} //if(isset($_POST['submit'])){
?>
Here is the page show table from database and every row has textbox, and b_id to update table.
$result2 = mysqli_query($con,"SELECT * FROM zahialga WHERE bid IN ($imp)");
while($row = mysqli_fetch_array($result2))
{
echo "<tr>";
echo "<td>" . $row['b_id'] . "</td>";
echo "<td>" . $row['materials'] . "</td>";
echo "<td>" . $row['num'] . "</td>";
echo "<td> <input type='text' name='sh_num[]' maxlength='10'></td>";
echo "</tr>";
echo "<input type='hidden' name='b_id[]' value='" . $row['bid'] . "'>";
}
echo "</table>";
echo "<input type='submit' value='Илгээх'/>";
this is update page.
$con=mysqli_connect("localhost","root","","login");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sh_id_query = mysqli_query($con,"SELECT sh_id FROM zahialga order by bid desc limit 1");
$sh_id1 = $sh_id_query->fetch_object()->sh_id;
$sh_id2 = $sh_id1 + 1;
$count = count(array_filter($_POST["sh_num"]));
for($i=0;$i<$count;$i++)
{
$insert = mysqli_query($con,"UPDATE table SET
sh_id='{$sh_id2}',
sh_num='{$_POST['sh_num'][$i]}'
WHERE bid = '{$_POST['$b_id'][$i]}'");
}
this is getiing Notice: Undefined index: $b_id error. What im missed?
BTW sorry about my bad english.
There should be no $ sign:
$_POST['b_id'][$i]
$insert = mysqli_query($con,"UPDATE table SET
sh_id='{$sh_id2}',
sh_num='{$_POST['sh_num'][$i]}'
WHERE bid = '{$_POST['$b_id'][$i]}'");
// ^ additional $ sign here
should be
$insert = mysqli_query($con,"UPDATE table SET
sh_id='{$sh_id2}',
sh_num='{$_POST['sh_num'][$i]}'
WHERE bid = '{$_POST['b_id'][$i]}'");
I have two tables in mysql
practice_sheets and parent_pin
And I want to use one select statement and get data from both tables.
I have tried
$result = mysqli_query($con,"SELECT * FROM practice_sheets AND parent_pin
WHERE student_name='$_SESSION[SESS_FIRST_NAME] $_SESSION[SESS_LAST_NAME]'");
and also:
$result = mysqli_query($con,"SELECT * FROM practice_sheets, parent_pin
WHERE student_name='$_SESSION[SESS_FIRST_NAME] $_SESSION[SESS_LAST_NAME]'");
I've never tried to do this before and the previous solutions are what I found searching.
Update
I think it would help if I included my full code. the table data is going into a table on my page. the student_name field from the practice_sheets and parents_student from parent_pin will be matched.
<?php
$con=mysqli_connect();
// Check connection
if (mysqli_connect_errno()){
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$result = mysqli_query($con,"SELECT * FROM practice_sheets
WHERE student_name='$_SESSION[SESS_FIRST_NAME] $_SESSION[SESS_LAST_NAME]'");
$numrows = mysqli_num_rows($result);
if($numrows == 0) {
echo "<div class='alert alert-danger'>";
echo "No Entries, See your instructor for details.";
echo "</div>";
} else {
echo "<table class='mws-table table-striped table-hover'>";
echo "<thead align='center'>";
echo "<tr>";
echo "<th>Sheet Number</th>";
echo "<th>Total Minutes</th>";
echo "<th>Due Date</th>";
echo "<th>PIN</th>";
echo "<th>View</th>";
echo "</tr>";
echo "</thead>";
echo "<tbody align='center'>";
while($row = mysqli_fetch_array($result)){
if ($row["total_min"]>=$row["required_min"]) {
echo "<tr class='success'>";
echo "<td>" . $row['id'] . "</td>";
echo "<td>" . $row['total_min'] . "</td>";
echo "<td>" . $row['due_date'] . "</td>";
echo "<td>" . $row['parent_pin'] . "</td>";
echo "<td> <a href='account/practiceSheets?id=" . $row["id"] . "&total_min=" . $row["total_min"] ."&due_date=" . $row["due_date"] ."&mon_min=" . $row["mon_min"] ."&tues_min=" . $row["tues_min"] ."&wed_min=" . $row["wed_min"] ."&thurs_min=" . $row["thurs_min"] ."&fri_min=" . $row["fri_min"] ."&sat_min=" . $row["sat_min"] ."&sun_min=" . $row["sun_min"] ."&name=" . $row["student_name"] ."&assignment=" . $row["assignment"] ."&required_min=" . $row["required_min"] ."'> <i class='icon-eye-open'> </i> </a> </td>";
echo "</tr>";
} else {
echo "<tr class='info'>";
echo "<td>" . $row['id'] . "</td>";
echo "<td>" . $row['total_min'] . "</td>";
echo "<td>" . $row['due_date'] . "</td>";
echo "<td>" . $row['parent_pin'] . "</td>";
echo "<td> <a href='account/practiceSheets?id=" . $row["id"] . "&total_min=" . $row["total_min"] ."&due_date=" . $row["due_date"] ."&mon_min=" . $row["mon_min"] ."&tues_min=" . $row["tues_min"] ."&wed_min=" . $row["wed_min"] ."&thurs_min=" . $row["thurs_min"] ."&fri_min=" . $row["fri_min"] ."&sat_min=" . $row["sat_min"] ."&sun_min=" . $row["sun_min"] ."&name=" . $row["student_name"] ."&assignment=" . $row["assignment"] ."&required_min=" . $row["required_min"] ."'> <i class='icon-eye-open'> </i> </a> </td>";
echo "</tr>";
}
}
echo "</tbody>";
echo "</table>";
mysqli_close($con);
}
?>
$result = mysqli_query($con,"SELECT *
FROM practice_sheets, parent_pin
WHERE student_name = parents_student
AND student_name='$_SESSION[SESS_FIRST_NAME] $_SESSION[SESS_LAST_NAME]'");
Use explicit names for WHERE statament, e.g.
$result = mysqli_query("SELECT student_name.practice_sheets FROM practice_sheets AND parent_pin WHERE student_name.practice_sheets = '{$_SESSION['SESS_FIRST_NAME']} {$_SESSION['SESS_LAST_NAME']}'");
MySQL will not AFAIK automatically check where the constraints are and rightly so considering that you may have conflicting names. Note that this is still pseudo code and you will need to change the fetched results accordingly. Usually it is considered to be good practice to also define explicitly the columns you wish to fetch, but otherwise you can use JOIN as well.
And to help writing shorter code, you can also use shorthands for the table names, e.g.
$result = mysqli_query("SELECT student_name.ps AS name, pin.pp AS pin FROM practice_sheets AS ps, parent_pin AS pp WHERE student_name.ps = '{$_SESSION['SESS_FIRST_NAME']} {$_SESSION['SESS_LAST_NAME']}'");
Update
You also have in your updated version an issue. You call mysqli_fetch_array, which returns an ordered (i.e. numbered) array. If you wish to use keyed, use mysqli_fetch_assoc.
And you are closing the MySQL connection at the moment only if the query was successful. Move mysqli_close outside of the brackets.
Another (basic) question here. I need to know how to use html forms to filter the results of a mysql query using PHP. I have been looking at w3schools and I can see how using $_POST on one page can output to another page. But I cannot see exactly how to put the $_POST into my query. For example I have one page as below:
<form action="orderlist.php" method="post">
OrderNo: <input type="int" name="order_no" />
<input type="Submit" />
</form>
This is a page where the user can enter an order_no and click submit, which links to the 'orderslist.php' page. On that page I have the following code:
$result = mysql_query("SELECT * FROM orders");
echo "<table border='5'>
<tr>
<th>order_no</th>
<th>ord_date</th>
<th>est_completion_date</th>
<th>status</th>
<th>invoice_date</th>
<th>inv_amount</th>
<th>name</th>
<th>fName</th>
<th>lName</th>
</tr>";
// -- Use 'while' to check each row in $result in turn:
while($row = mysql_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['order_no'] . "</td>";
echo "<td>" . $row['ord_date'] . "</td>";
echo "<td>" . $row['est_completion_date'] . "</td>";
echo "<td>" . $row['status'] . "</td>";
echo "<td>" . $row['invoice_date'] . "</td>";
echo "<td>" . $row['inv_amount'] . "</td>";
echo "<td>" . $row['name'] . "</td>";
echo "<td>" . $row['fName'] . "</td>";
echo "<td>" . $row['lName'] . "</td>";
echo "</tr>";
}
echo "</table>";
This outputs everything from 'orders' into a table, but I want it to only output the row with the order_no that the user entered on the previous page. How do I do this? Is it something like:
$result = mysql_query("SELECT * FROM orders WHERE order_no = $_POST[order_no]");
Thank a lot
For starters, you should switch to PDO or mysqli -- the mysql_* functions are in the process of deprecation.
On to your question: yes, that's how you do it, with a WHERE clause. However, it is very (very very very) insecure to concatenate a variable directly out of $_POST without sanitation.
That said, at a minimum you should do this:
mysql_query('SELECT * FROM orders WHERE order_no = '.mysql_real_escape_string($_POST[order_no]));
Another thing... don't use SELECT *. You should always list the columns you expect to get from the database -- that way, if there is a problem (like the columns have changed), the query can let you know. With SELECT * you get back a magical grab-bag of data -- you have no idea what it is, and more importantly, if it has the values your code relies on.
So, putting it together:
$pdo = new PDO("mysql:host=localhost;dbname=database", '-username-', '-password-');
$sth = $pdo->prepare('
SELECT
`order_no`,
`ord_date`,
`est_completion_date`,
`status`,
`invoice_date`,
`inv_amount`,
`name`,
`fName`,
`lName`
FROM
orders
WHERE
order_no = :order_no
');
$sth->execute(array(':order_no'=>$_POST[order_no]));
while ($order= $sth->fetch()) {
echo "<tr>";
echo "<td>" . $order->order_no . "</td>";
echo "<td>" . $order->ord_date . "</td>";
echo "<td>" . $order->est_completion_date . "</td>";
echo "<td>" . $order->status . "</td>";
echo "<td>" . $order->invoice_date . "</td>";
echo "<td>" . $order->inv_amount . "</td>";
echo "<td>" . $order->name . "</td>";
echo "<td>" . $order->fName . "</td>";
echo "<td>" . $order->lName . "</td>";
echo "</tr>";
}
Edit: One last note, the input you're using is not valid; type="int" is not a recognized input type. Here's a list of types for HTML 4, and a list for HTML 5:
As you can see, HTML 5 does have a new input type "number". It is not fully adopted, but if you wanted to use it:
<input type="number" name="order_no" />
Be aware, however, that not all browsers will restrict the input to numeric: http://caniuse.com/#feat=input-number
Documentation
mySql SELECT - http://dev.mysql.com/doc/refman/5.0/en/select.html
mysql_query (DEPRECATED) - http://php.net/manual/en/function.mysql-query.php
PDO - http://www.php.net/manual/en/book.pdo.php
PDO::prepare - http://www.php.net/manual/en/pdo.prepare.php
PDOStatement::fetch - http://www.php.net/manual/en/pdostatement.fetch.php
PDOStatement::execute - http://www.php.net/manual/en/pdostatement.execute.php
Without injection vulnerability (require 'mysql_connect' before) :
if(isset($_POST['order_no']))
{
$orderNo = mysql_real_escape_string($_POST['order_no']);
$result = mysql_query("SELECT * FROM orders WHERE order_no = $orderNo");
echo "<table border='5'>";
echo " <tr>";
echo " <th>order_no</th>";
echo " <th>ord_date</th>";
echo " <th>est_completion_date</th>";
echo " <th>status</th>";
echo " <th>invoice_date</th>";
echo " <th>inv_amount</th>";
echo " <th>name</th>";
echo " <th>fName</th>";
echo " <th>lName</th>";
echo " </tr>";
if(mysql_num_rows($result) == 0)
{
echo '<tr><td colspan="9">Order not found</td></tr>';
}
else
{
while($row = mysql_fetch_assoc($result))
{
echo "<tr>";
echo " <td>" . $row['order_no'] . "</td>";
echo " <td>" . $row['ord_date'] . "</td>";
echo " <td>" . $row['est_completion_date'] . "</td>";
echo " <td>" . $row['status'] . "</td>";
echo " <td>" . $row['invoice_date'] . "</td>";
echo " <td>" . $row['inv_amount'] . "</td>";
echo " <td>" . $row['name'] . "</td>";
echo " <td>" . $row['fName'] . "</td>";
echo " <td>" . $row['lName'] . "</td>";
echo "</tr>";
}
}
echo "</table>";
}
Try this:
$orderNumber = mysql_real_escape_string($_POST['order_no']);
$result = mysql_query("SELECT * FROM orders WHERE order_no = $orderNumber");
This takes the value of $_POST['order_no'] and somewhat sanitizes it. You then apply the value of $orderNumber to MySQL.
However, you're much better off using PDO or MySQLi. Both protect you (if used correctly) from SQL injection. Currenly, your code is VERY prone to SQL injection.
Your form should be something like this:
<form action="orderlist.php" method="post">
OrderNo: <input type="text" name="order_no" />
<input type="Submit" value="Submit"/>
</form>
To get any value that is typed by user in the form you should use type="text".
There is nothing like type="int" in standard HTML.
Don't get confused, the Input TYPE in HTML is not the same as one you use in Programming languages to declare Data type. Here TYPE is just to let the browser know that its a text field / Radio Button etc.
To understand Valid Input Types better read this w3.org recommendation on HTML forms.
On orderlist.php you can query to retrieve the required data:
if(isset($_POST['order_no'])) {
$orderNo = mysql_real_escape_string($_POST['order_no']);
$result = mysql_query("SELECT * FROM orders WHERE order_no = $orderNo");
while($row = mysql_fetch_array($result)) {
//code to print table.
}
}
Note:
This type of code is Vulnerable to easy attacks, and it is never recommended to put user input directly into SQL query, it should always be filtered first.