0

I am practicing php by making an approved/reject system, in which administrator approves/rejects student records. It works fine with one row, but with multiple rows fetched from the table either all get approved or all get rejected. What needs to be revised in the following?

 <?php
   session_start();
  ?>
<table>
        <tr>
            <th>ID</th>
            <th>Approval</th>
            <th>Picture</th>
            <th>Status</th>
</tr>
   
<?php
include "dbconn.php";
$i=1;
$query = "select * from data";
$sql = mysqli_query($conn,$query);
$count = mysqli_num_rows($sql);

   if($count>0)
   {
        while($row=mysqli_fetch_array($sql))
   {

?>
<tr>
    <td> <?php echo $row['id']; $_SESSION['stuappid']=$row['id'];?> </td>
    <td> <?php echo $row['approval']; ?> </td>
    <td> <img src ="<?php echo $row['picture']; ?>" height="100px" width="100 px">  </td>
    <td>
        <form method="post" action="">
            <button type="submit" name="approved">Approve</button>
        </form>
        <form method="post" action="">
            <button type="submit" name="rejected" >Reject</button>
        </form>
    </td>

</tr>
</table>
<?php

$i++;
if(isset($_POST['approved']))
{
    $query2 = "update data set approval= 'Approved' where id='".$_SESSION['stuappid']."'";
    $sql2 = mysqli_query($conn,$query2);
    $query22= "INSERT into approved(id,status) values ('".$_SESSION['stuappid']."','Approved')";
    $sql3 = mysqli_query($conn,$query22);

}
if(isset($_POST['rejected']))
{
    $query4 = "update data set approval= 'Rejected' where id='".$_SESSION['stuappid']."'";
    $sql41 = mysqli_query($conn,$query4);
    $query5= "INSERT into rejected(id,status) values ('".$_SESSION['stuappid']."','Rejected')";
    $sql51 = mysqli_query($conn,$query5);
   
}
}
}

else{
echo "No Record";

 }
WOUNDEDStevenJones
user401
  • You want to bring from the table BOTH rejected and approved? Try to give more info. By the way, where is the form open tag? – Dimitris Papageorgiou Dec 10 '21 at 18:32
  • Fetching from a table named "data" with attributes id, picture and approval. If approved, the data gets inserted in a new table, and similarly with rejected. Now if only one row exists in the data table, this code is working; however, if multiple rows exist in the data table, all rows either get rejected or get approved. – user401 Dec 10 '21 at 18:35
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Dec 10 '21 at 18:36
  • @user401 So there is a problem when you try to approve/reject many rows? – Dimitris Papageorgiou Dec 10 '21 at 18:38
  • yes @DimitrisPapageorgiou – user401 Dec 10 '21 at 18:39

2 Answers

0

There are a couple things that can be adjusted here. A simpler way to structure this is by adding a hidden input field with the relevant row_id value inside of your forms:

<input type="hidden" name="row_id" value="<?= $row['id']; ?>" />

(<?= is shorthand for <?php echo : What does '<?=' mean in PHP?)

Then you can move your UPDATE queries outside of the while loop to keep things simpler (and use the submitted row_id value [$_POST['row_id']] instead of the $_SESSION value, which may have been part of the issue).

Now instead of mixing the output/update logic inside the same loop, your update logic executes first if the page has been submitted, and then the table data is output below that.

<?php
    session_start();

    include "dbconn.php";

    if (isset($_POST['approved']))
    {
        $appUpdateQuery = "UPDATE data SET approval= 'Approved' WHERE id='".$_POST['row_id']."'";
        $appUpdateResult = mysqli_query($conn, $appUpdateQuery);
        $appInsertQuery = "INSERT INTO approved(id,status) VALUES ('".$_POST['row_id']."','Approved')";
        $appInsertResult = mysqli_query($conn, $appInsertQuery);
    }
        
    if (isset($_POST['rejected']))
    {
        $rejUpdateQuery = "UPDATE data SET approval= 'Rejected' WHERE id='".$_POST['row_id']."'";
        $rejUpdateResult = mysqli_query($conn,$rejUpdateQuery);
        $rejInsertQuery = "INSERT INTO rejected(id,status) VALUES ('".$_POST['row_id']."','Rejected')";
        $rejInsertResult = mysqli_query($conn, $rejInsertQuery);
    }
?>

<table>
    <tr>
        <th>ID</th>
        <th>Approval</th>
        <th>Picture</th>
        <th>Status</th>
    </tr>

<?php
    $selectQuery = "SELECT * FROM data";
    $sql = mysqli_query($conn, $selectQuery);
    $count = mysqli_num_rows($sql);

    if ($count>0)
    {            
        while ($row = mysqli_fetch_array($sql))
        {
?>
            <tr>
                <td> <?php echo $row['id']; $_SESSION['stuappid'] = $row['id']; ?> </td>
                <td> <?= $row['approval']; ?> </td>
                <td> <img src ="<?= $row['picture']; ?>" height="100px" width="100 px">  </td>
                <td>
                    <form method="post" action="">
                        <input type="hidden" name="row_id" value="<?= $row['id']; ?>" />
                        <button type="submit" name="approved">Approve</button>
                    </form>
                    <form method="post" action="">
                        <input type="hidden" name="row_id" value="<?= $row['id']; ?>" />
                        <button type="submit" name="rejected" >Reject</button>
                    </form>
                </td>
            </tr>
<?php
        }
    } else {
        echo "No Record";
    }
?>

</table> 

Based on your current queries, you can probably remove the approved and rejected columns from your approved and rejected tables if the values there will all be the same. Similarly, the approval column in data should be a boolean so you can store 0 or 1 instead of a full string.

WOUNDEDStevenJones
  • Don't forget that you'll also need to update your MySQL queries to avoid SQL injection. https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php is a good reference. – WOUNDEDStevenJones Dec 10 '21 at 19:19
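
Added example, not part of either answer or the original posts: the update logic from the answer above rewritten with MySQLi prepared statements, as the comments from Dharman and WOUNDEDStevenJones recommend. It assumes `dbconn.php` provides `$conn` as a mysqli connection, that `data.id` is an integer column, and that the tables use a transactional engine such as InnoDB; the `$actions` map is a name introduced here.

```php
<?php
// Added example: assumes dbconn.php defines $conn (mysqli) as on the page,
// and that data.id is an integer column (assumption).
session_start();
include "dbconn.php";

// Make mysqli throw mysqli_sql_exception on errors (already the default in PHP 8.1+).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Map each submit button to a fixed status string and target table.
// Table names cannot be bound as parameters, so they come only from this allowlist.
$actions = [
    'approved' => ['status' => 'Approved', 'table' => 'approved'],
    'rejected' => ['status' => 'Rejected', 'table' => 'rejected'],
];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Returns null when row_id is missing and false when it is not an integer.
    $rowId = filter_input(INPUT_POST, 'row_id', FILTER_VALIDATE_INT);

    $action = null;
    foreach ($actions as $name => $cfg) {
        if (isset($_POST[$name])) { $action = $cfg; break; }
    }

    if ($rowId !== null && $rowId !== false && $action !== null) {
        // Both writes succeed or neither does (requires a transactional engine).
        $conn->begin_transaction();
        try {
            $update = $conn->prepare("UPDATE data SET approval = ? WHERE id = ?");
            $update->bind_param("si", $action['status'], $rowId);
            $update->execute();

            $insert = $conn->prepare(
                "INSERT INTO {$action['table']} (id, status) VALUES (?, ?)"
            );
            $insert->bind_param("is", $rowId, $action['status']);
            $insert->execute();

            $conn->commit();
        } catch (mysqli_sql_exception $e) {
            $conn->rollback();
            error_log("approval update failed: " . $e->getMessage());
        }
    }
}
```

The submitted `row_id` reaches the database only as a bound integer parameter, so a crafted value cannot change the structure of either query.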
-1

Add your table inside the while loop where you are running this query

   while($row=mysqli_fetch_array($sql))
Muhammad Dyas Yaskur