1

My aim is to be able to pull specific data based on an ID that the user can select. I initially display the available IDs with the following:

<form action = "admin.php" method = "POST">
<?php 
$sql = "SELECT id FROM mensproducts";
$result = mysqli_query($connection,$sql);
if(mysqli_num_rows($result) > 0) {
 while ($row = mysqli_fetch_array($result)) {
    $id = $row['id'];
    echo $id;
?> 
<input type ="submit" name = "submitid" value = "Choose Id"/> <?php
   }
 }

This seems to be working fine as the availale IDs are displayed with a button next to them which is supposed to let the user pull the data from the ID they've selected. My code to pull that data is:

if (isset($_POST['submitid'])) {
$result = mysqli_query($connection,"SELECT * FROM mensproducts WHERE id = 
'$id'");
while($row = mysqli_fetch_assoc($result)){
echo "
<div class = 'id'> Id = ".$row['id']."</div>
<div class='name'>".$row['name']."</div>
<div class='desc'>".$row['description']."</div>
<div class='price'>£".$row['price']."</div>
      </form>
      </div>";
    }
  }
?>
</select>
</form>

However, it seems that no matter what button I press, only the data from the 3rd column is displayed. Is it an issue with my SQL statement? Formatting?

James Bolton
  • 21
  • 3
  • Welcome to Stack Overflow. Can you be more specific about the "3rd column" being displayed? Do you mean column as displayed visually in your HTML, database column, or do you actually mean database table _row_? – Michael Berkowski Mar 21 '19 at 02:14
  • 1
    I see a few problems here - the value of the variable `$id` is not defined in your form handler, and might be retaining a value from the original loop. You would need a form `` to pass it back along with the submit button. – Michael Berkowski Mar 21 '19 at 02:15
  • @MichaelBerkowski Sorry that I wasn't specific, it's the 3rd database row, hence id is always = 3? Hope that clears things up a little. Thank you for your help – James Bolton Mar 21 '19 at 02:19
  • 1
    You are always sending the last `id = $row['id'];` that you get from database since you are not saving that anywhere and it just overrides previous ones.If you had 10 columns,your id would always be 10. – Alex Mar 21 '19 at 02:24

1 Answers1

1

Assuming both the button listing and the form handling code chunks you posted are residing in the same file admin.php, I believe it is always showing the 3rd (last) row in your table because the first fetch while loop defines the variable $id, which you then used directly later when processing the form.

Instead, to select an $id value and pass it to the form handling code, you will need an additional <input> tag that holds its value, and retrieve it from $_POST in the form processing:

<?php 
$sql = "SELECT id FROM mensproducts";
$result = mysqli_query($connection,$sql);
if(mysqli_num_rows($result) > 0) {
 while ($row = mysqli_fetch_array($result)) {
    // THIS final value of $id is what is mistakenly being passed to your SQL, whatever it holds at the end of the loop.
    $id = $row['id'];
    echo $id;
    // Create an <input> with the $id -- this uses a hidden one
    // Note: each listing is now its own separate <form>
    // This does not matter for the HTML, though it might require changes to your CSS if it causes different visual appearance.
    // Necessary so that the same input name can be used.
?>
<form action="admin.php" method="POST"> 
  <input type="hidden" name="id" value="<?php echo $id; ?>" />
  <input type="submit" name="submitid" value="Choose Id"/>
</form>

Then in your form processor, retrieve $_POST['id'] which the form now sends, and use that in your SQL. 

if (isset($_POST['submitid'])) {
  // Get your $id from the form post
  $id =mysqli_real_escape_string($connection, $_POST["id"]);

  $result = mysqli_query($connection,"SELECT * FROM mensproducts WHERE id = '$id'");

  while($row = mysqli_fetch_assoc($result)){
  echo "
  <div class='id'> Id = ".$row['id']."</div>
  <div class='name'>".htmlspecialchars($row['name'])."</div>
  <div class='desc'>".htmlspecialchars($row['description'])."</div>
  <div class='price'>£".htmlspecialchars($row['price'])."</div>
      </div>";
    }
  }
?>
// I closed the </form> tag earlier.

Note: I am adding mysqli_real_escape_string() here, which is the bare minimum you must do to protect your code against database tampering via SQL injection. A better method is to use prepare()/bind_param()/execue() in MySQLi. See How can I prevent SQL injection in PHP for details and examples.

Note 2: I have removed the extra spaces around html attributes, turning <input name = 'submitid'> into <input name='submitid'>. While most browsers today won't care, it is accepted practice not to put spaces around the = in attributes

Note 3: I added htmlspecialchars() around the database values printed into your HTML. That correctly encodes any characters like < > & which might break the markup. An important habit to be in.

Michael Berkowski
  • 267,341
  • 46
  • 444
  • 390
  • I don't think that would work,since there are 3 buttons with same name="id" in 1 form,hence it will be the same,it will take the last one that was created – Alex Mar 21 '19 at 02:39
  • Well my initial idea was to have all of the IDs in a drop down list instead of having individual buttons. Would trying to implement it that way be a more suitable approach? – James Bolton Mar 21 '19 at 03:00
  • @JamesBolton you can make a drop down list that containing the same name, user select the id in drop down list and then he/she can click submit and it will POST to the page you've specified in `
    ` . The other page will get the id and will generate the details based on the submitted id.
     – mior farhan Mar 21 '19 at 03:57
  • @JamesBolton If you use a ` – Michael Berkowski Mar 21 '19 at 13:37