0

I have a html form which generates a second html form via $_POST.

The first form submits $_POST['id'], which will then generate another form that will submit $_POST['fields'] which is used to update a mysql db. However, the mysqli query used to update the db relies on both $_POST['id'] and $_POST['fields'] values.

I can't work around how to submit $_POST['fields'] without $_POST['id'] being reset, because $_POST['fields'] is generated precisely by the submission of $_POST['id'].

I tried passing $_POST values to $_SESSION, and while the values are passed successfully, the $_POST['id'] value will always reset to NULL once $_POST['fields'] is submitted. Here's the whole code:

<?php 

include 'head.html';
echo "<body>";
include 'connection.php';   

$query = mysqli_query("SELECT * FROM table") or die(mysqli_error());
$querytwo = mysqli_query("SELECT * FROM table WHERE id='{$_POST[id]}'") or die(mysqli_error());

//generates $_POST['id'] form

echo "<form action=\"admin.php\" method=\"post\"><select name=\"id\">";
    while ($row = mysqli_fetch_array($query)) 
    {
        echo "<option value=\"$row[id]\">$row[firstName] $row[lastName]</option>";
    }
echo "</select><input type=\"submit\"></form><br>";

 //generates $_POST['fields'] form

if (isset($_POST['id']) && !empty($_POST['id'])) 
{   
        $rowtwo = mysqli_fetch_array($querytwo);    
        $exclude = array(2);

        for($column_value = 0; $column_value < 17; $column_value++) 
         {
            if (in_array($column_value, $exclude)) 
            {
                continue;
            }
                $field = mysqli_field_name($querytwo, $column_value);
                echo "<form method=\"POST\">" . "$field" . ": <input type=\"text\" name=\"fields\" value=\"$rowtwo[$column_value]\"><input type=\"submit\"></form>";    
        }
}  

 //updates db with $_POST['id'] and $_POST['fields'] values

if (isset($_POST['field']) && !empty($_POST['field']))
{
    $column_value = range(0, 20);
    $field = mysqli_field_name($querytwo, $column_value);
    mysqli_query("UPDATE table SET '$field'='{$_POST[fields]}' where id='{$_POST[id]}'");

} else 
{
 echo "not updated yet";    
}
?>
</body>
</html>
Patrick Reck
  • 11,246
  • 11
  • 53
  • 86
discardthis
  • 169
  • 1
  • 6
  • 14
  • 2
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 01 '14 at 13:49

4 Answers4

1

Try session variables. At the top of your PHP file (BEFORE any HTML) put session_start(), then set $_SESSION['id'] = $_POST['id'], and finally access the stored variable in your mysql call with $_SESSION['id'].

Session variables will stay accessible until the user closes their browser window (or after about 20 minutes, when they time out), and are secure because they are stored on the server, not as cookies.

DankMemes
  • 2,085
  • 2
  • 21
  • 30
  • I tried that doing exactly that, except $_SESSION will be reset to NULL when a $_POST value is submitted after a $_POST has already been submitted. – discardthis Apr 01 '14 at 13:55
  • Make sure you do `session_start()` both times. Once you start a session, the session should never be NULL unless you close the session, the user closes their browser window, or the timeout of ~20 minutes is reached. If the session is still NULL that means your server is not configured right. – DankMemes Apr 01 '14 at 13:57
  • Previously I tried some debugging, where I would set $_SESSION = "43", or some random number. $_SESSION was working in this instance because I would reset the page and a var_dump would indicate that $_SESSION was still equal to its defined value. However, this $_POST thing is still not working. – discardthis Apr 01 '14 at 14:07
  • This should not be the case. Can you comment a pastebin of your FULL code with sessions or something to work with? – DankMemes Apr 01 '14 at 14:21
0

When you generate the second form, pass $_POST['id'] to it and put it in a hidden input.

Patrick Reck
  • 11,246
  • 11
  • 53
  • 86
0

Don´t know if is the best way to do this, but in this case, i would put an extra hidden input named ID in the second form too.

Something like :

echo "<input type='hidden' name='id' value='".$_POST['id']."' />";
Panos Kalatzantonakis
  • 12,525
  • 8
  • 64
  • 85
Tarciso Junior
  • 549
  • 9
  • 16
0

You can send the id parameter in hidden tag.

    for($column_value = 0; $column_value < 17; $column_value++) 
     {
        if (in_array($column_value, $exclude)) 
        {
            continue;
        }
            $field = mysqli_field_name($querytwo, $column_value);
            echo "<form method=\"POST\">" . "$field" . ": <input type=\"text\" name=\"fields\" value=\"$rowtwo[$column_value]\"> <input type=\"hidden\" name=\"id\" value=\"$_POST['id']\"> <input type=\"submit\"></form>";    
    }
Parag Tyagi
  • 8,780
  • 3
  • 42
  • 47