
I have a table with a list of users. Each one has a checkbox assigned. When the admin selects some checkboxes my script saves some information into the database for the selected users.

Now, my issue is that beside that checkbox I want to have a text input so the admin can leave a comment as well for that user. So, when the checkbox is selected and the text input has some data, the data gets saved as well.

This is what I've done so far (besides the obvious issues with security, that I haven't taken into account yet):

My list is generated by a loop for each user:

<input type="text" name="infoAdicional" value="'.$x['infoAdicional'].'">
<input name="enviar['.$x['userID'].']" type="checkbox" value="'.$x['userEmail'].'">

I've taken the information and generated a foreach loop for the checkbox, but cannot get the additional information from the text field to get saved (it does update other values):

        $userID = $_POST['enviar']; 
        $infoAdicional = $_POST['infoAdicional'];
        foreach ($userID as $id => $email) {
            $sql = "UPDATE cursosUsuarios 
                    SET estadoCertificado = 'pending', 
                    infoAdicional='$infoAdicional'
                    WHERE userID = '$id'
                    AND email = '$email'
                    ";
            ... 
        }

I think that's because $infoAdicional = $_POST['infoAdicional']; should be inside the loop, but just inserting it there gives every user with a selected checkbox the same additional information; it repeats itself.

Rosamunda
  • There is no quotes around type=text in html code – jophab Aug 21 '16 at 15:15
  • Even if you put the variable inside, you get the same as if the variable was outside. You need to make the notes text input the same as the checkbox `infoAdicional['.$x['userID'].']` and then do in the loop `$infoAdicional = $_POST['infoAdicional'][$id]` – Charlotte Dunois Aug 21 '16 at 15:20
  • Aren't you afraid of your non-prepared statements? Your php-variables are not working inside single-quotes though. – jaro1989 Aug 21 '16 at 15:21
  • @jaro1989 The variables are in double quotes, therefore they get evaluated. – Charlotte Dunois Aug 21 '16 at 15:22
  • Your code is vulnerable to [SQL-Injections](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Please start using Prepared, Parameterized Queries. – Charlotte Dunois Aug 21 '16 at 15:22
  • @CharlotteDunois about sql, not html. – jaro1989 Aug 21 '16 at 15:24
  • But some of the variables are working, like '$email' or '$id'. So I think there's something to do with my foreach loop? And yes, I'll add a prepared statement, just wanted a proof of concept with this, and I can "see" the code much clearer this way. – Rosamunda Aug 21 '16 at 15:38
  • Thanks @Charlotte Dunois, you were right! It worked! If you add it as an answer I can check it as correct. Thank you! – Rosamunda Aug 21 '16 at 15:53

2 Answers


It doesn't matter if you put the variable $infoAdicional inside the loop or not. The thing is that the last input field with that name overwrites all the others, and therefore you will only have the note of the last user for all of them. What you need to change is to make use of the [] name syntax as you did with the checkbox.

So your name attribute of the notes field would look like this: name="infoAdicional['.$x['userID'].']", and in the loop you would assign infoAdicional[USERID] to $infoAdicional.

So your code would look like this

$userID = $_POST['enviar']; 
foreach ($userID as $id => $email) {
      $infoAdicional = $_POST['infoAdicional'][$id];
      $sql = "UPDATE cursosUsuarios 
                SET estadoCertificado = 'pending', 
                infoAdicional='$infoAdicional'
                WHERE userID = '$id'
                AND email = '$email'
                ";
      ... 
}

And your HTML code

<input type="text" name="infoAdicional['.$x['userID'].']" value="'.$x['infoAdicional'].'">
<input name="enviar['.$x['userID'].']" type="checkbox" value="'.$x['userEmail'].'">

Charlotte Dunois

Change your input parameters to:

<input type="text" name="enviar['.$x['userID'].']['infoAdicional']" value="'.$x['infoAdicional'].'"> 
<input name="enviar['.$x['userID'].']['email']" type="checkbox" value="'.$x['userEmail'].'">

So your data will stick to the specific user. Then your loop will be like this:

$userInfo = $_POST['enviar']; //Info here, right?
foreach ($userInfo as $userId => $info) {
    // array elements with quoted keys must be wrapped in {} inside a double-quoted string
    $sql = "UPDATE cursosUsuarios 
            SET estadoCertificado = 'pending', 
            infoAdicional='{$info['infoAdicional']}'
            WHERE userID = '$userId'
            AND email = '{$info['email']}'
            ";
    ... 
}

I've kept your syntax, as it's your job to fill it with prepared statements etc.

jaro1989
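The following is an added example, not code from the asker or from either answer. It takes the per-user `infoAdicional[userID]` / `enviar[userID]` field names from the first answer (the second answer's nested `enviar[userID][...]` shape works the same way once the note is read from the same user key) and does what both answers leave to the reader: the values echoed into the form are escaped with htmlspecialchars(), and the UPDATE runs as a PDO prepared statement so the note text never becomes part of the SQL. An in-memory SQLite database is an assumption made so the script runs stand-alone; the table and column names (cursosUsuarios, userID, email, estadoCertificado, infoAdicional) are the ones from the question, and the submitted array is constructed to stand in for $_POST.

```php
<?php
declare(strict_types=1);

// Assumption: SQLite in memory so the example runs without the asker's MySQL database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE cursosUsuarios (
    userID INTEGER, email TEXT, estadoCertificado TEXT, infoAdicional TEXT)');
$seed = $pdo->prepare('INSERT INTO cursosUsuarios VALUES (?, ?, ?, ?)');
foreach ([[1, 'ana@example.com'], [2, 'bob@example.com'], [3, 'eve@example.com']] as [$id, $mail]) {
    $seed->execute([$id, $mail, 'none', '']);   // constructed sample users
}

// Render one row of the form with the [] name syntax. htmlspecialchars() escapes
// the stored note and the e-mail, which the question echoed raw into the attributes,
// so a note containing a quote cannot close the attribute or inject markup.
function renderRow(array $x): string
{
    $id = (int) $x['userID'];
    return sprintf(
        '<input type="text" name="infoAdicional[%d]" value="%s">' . "\n"
        . '<input type="checkbox" name="enviar[%d]" value="%s">' . "\n",
        $id, htmlspecialchars($x['infoAdicional'], ENT_QUOTES, 'UTF-8'),
        $id, htmlspecialchars($x['userEmail'], ENT_QUOTES, 'UTF-8')
    );
}

// Save the rows whose checkbox was submitted. The note is looked up under the same
// user id as the checkbox, so each user keeps their own note, and every value is
// bound as a parameter instead of being interpolated into the query string.
function saveSelected(PDO $pdo, array $post): int
{
    $stmt = $pdo->prepare(
        'UPDATE cursosUsuarios
            SET estadoCertificado = :estado, infoAdicional = :info
          WHERE userID = :id AND email = :email'
    );
    $updated = 0;
    foreach ($post['enviar'] ?? [] as $id => $email) {
        // PHP already turns numeric keys into ints; reject anything else outright.
        if (!is_string($email) || filter_var($id, FILTER_VALIDATE_INT) === false) {
            continue;
        }
        $info = $post['infoAdicional'][$id] ?? '';
        $stmt->execute([
            ':estado' => 'pending',
            ':info'   => is_string($info) ? $info : '',
            ':id'     => (int) $id,
            ':email'  => $email,
        ]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

// Constructed submission standing in for $_POST: boxes 1 and 3 ticked, and a note
// with an apostrophe that would have broken the string-built query in the question.
$post = [
    'enviar'        => [1 => 'ana@example.com', 3 => 'eve@example.com'],
    'infoAdicional' => [1 => "Paid in full; O'Brien's receipt", 2 => 'not ticked', 3 => ''],
];

echo renderRow(['userID' => 1, 'infoAdicional' => 'a" onfocus="x', 'userEmail' => 'ana@example.com']);
printf("updated %d rows\n", saveSelected($pdo, $post));
foreach ($pdo->query('SELECT userID, estadoCertificado, infoAdicional FROM cursosUsuarios') as $row) {
    printf("%d %s %s\n", $row['userID'], $row['estadoCertificado'], $row['infoAdicional']);
}
```

Run it with the pdo_sqlite extension enabled. User 2 is left untouched even though a note was typed for it, because only users whose checkbox is present in enviar are updated; user 1's note is stored with its apostrophe intact, which is the case that quoting by hand gets wrong.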