Hi, I have five (05) comboboxes in the form that fetch values from the database, but while editing the form all comboboxes return no value. I have to select values in the comboboxes every time to update the form. Here is my code:

if(isset($_POST['submit']))
{
    // validate() is the asker's own helper; it is not shown on the page
    $fname=validate($_POST['fname']);
    $mname=validate($_POST['mname']);
    $lname=validate($_POST['lname']);
    $gender=validate($_POST['gender']);
    $contact=validate($_POST['contact']);
    $proid=validate($_POST['proid']);
    $distid=validate($_POST['districtid']);
    $degid=validate($_POST['degreeid']);
    $batchid=validate($_POST['batchid']);
    $majorid=validate($_POST['majorid']);
    $desg=validate($_POST['designation']);
    $inst=validate($_POST['institute']);
    $add=validate($_POST['address']);
    $userid=$_SESSION['id'];
    $img=validate($_POST['featured_img']); 
    $oldimg=validate($_POST['old']);       // hidden field carrying the stored avatar name
    $tmp_name = $_FILES['featured_img']['tmp_name'];
    $dest = "alumni_images/";
    
    if($img=='') {
        // no new image name posted: keep the previously stored one
        $img=$oldimg;
        $sql = "UPDATE alumnidata SET firstname='$fname',middlename='$mname',
                                    lastname='$lname',gender='$gender',
                                    address='$add',province_id='$proid',
                                    district_id='$distid',contact='$contact',
                                    degree_id='$degid',batch_id='$batchid',
                                    major_id='$majorid',job_title='$desg',
                                    connected_to='$inst',avatar='$img' 
                WHERE user_id='$userid'";
        if (mysqli_query($con, $sql)) {
            move_uploaded_file($tmp_name,$dest.$img);
            $msg="Data has been updated successfully";
                
        } else {
            $error= "<b>in updating record:</b><br/>" . mysqli_error($con);
        }
    } else {
        // identical UPDATE; the only difference is that $img now holds the new name
        $sql = "UPDATE alumnidata SET firstname='$fname',middlename='$mname',
                                        lastname='$lname',gender='$gender',
                                        address='$add',province_id='$proid',
                                        district_id='$distid',contact='$contact',
                                        degree_id='$degid',batch_id='$batchid',
                                        major_id='$majorid',job_title='$desg',
                                        connected_to='$inst',avatar='$img' 
                WHERE user_id='$userid'";
        if (mysqli_query($con, $sql)) {
            move_uploaded_file($tmp_name,$dest.$img);
            $msg="Data has been updated successfully"; 
        } else {
            $error= "<b>in updating record:</b><br/>" . mysqli_error($con);
        }
    }
}

Here is my HTML code for one combobox; the code for the other 04 comboboxes is similar. I have to choose a value every time I update the form, because if I don't, the comboboxes return an empty value:

<select name="proid" class="form-control" id="provinceid" required="required">
    <option value="<?php echo $row['province_id'];?>" disabled selected><?php echo $row['province_name'];?></option>

<?php
$query1="Select * from tblprovinces";
$result1  = mysqli_query($con,$query1);
if(mysqli_num_rows($result1)>0) {
    while($row1= mysqli_fetch_assoc($result1)) {
?>
        <option value="<?php echo $row1['province_id']; ?>"><?php echo $row1['province_name']; ?></option>
<?php
    }
}
?>
</select>
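The markup above puts `disabled selected` on the option that carries the stored `province_id`. A disabled option is never included in the form submission, so that select posts nothing unless the user picks another entry, which is exactly the symptom described. The following is an added example (not the asker's code) of rendering the same select so the stored value is preselected on a normal, submittable option. It assumes `$con` is an open mysqli connection, `tblprovinces` has the `province_id` / `province_name` columns shown on the page, and `$row` is the alumni record being edited; `render_province_select` is a hypothetical helper name.

```php
<?php
// Added example (not the asker's code): render the province <select> so the
// stored value survives an edit round-trip. Assumes $con is an open mysqli
// connection and tblprovinces has province_id / province_name, as on the page.
function render_province_select(mysqli $con, string $currentId): string
{
    $html = '<select name="proid" class="form-control" id="provinceid" required="required">' . "\n";

    // A disabled option is never submitted, so it must not be the one carrying
    // the real value. Use it only as an empty placeholder, selected only when
    // there is nothing to preselect (required="required" then blocks submit).
    $placeholder = $currentId === '' ? ' selected' : '';
    $html .= '    <option value="" disabled' . $placeholder . '>-- choose province --</option>' . "\n";

    // Select only the columns needed; SELECT * over a join would let a column
    // name shared between tables overwrite the value we want.
    $result = mysqli_query($con, 'SELECT province_id, province_name FROM tblprovinces ORDER BY province_name');
    while ($opt = mysqli_fetch_assoc($result)) {
        // Compare as strings: $_POST values are strings, mysqli may return ints.
        $selected = ((string)$opt['province_id'] === $currentId) ? ' selected' : '';
        $html .= sprintf(
            "    <option value=\"%s\"%s>%s</option>\n",
            htmlspecialchars((string)$opt['province_id'], ENT_QUOTES, 'UTF-8'),
            $selected,
            htmlspecialchars((string)$opt['province_name'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . "</select>\n";
}

// In the edit form: prefer the value just posted (so a failed submit does not
// drop the user's choice), else the record's stored province_id from $row.
$currentProvince = (string)($_POST['proid'] ?? $row['province_id'] ?? '');
echo render_province_select($con, $currentProvince);
```

The same pattern applies to the other four selects: one placeholder that is never the carrier of a real value, and `selected` placed on whichever real option matches the current id. Escaping the id and name with `htmlspecialchars` also closes the stored-XSS path that echoing database values straight into attributes leaves open.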
  • What is the question/issue? You are open to SQL injections. Also your `if` doesn't make sense, you execute the same query regardless – user3783243 Jun 01 '22 at 15:44
  • ISSUE IS: I have to choose data in the combobox to edit; if I don't choose, it returns "no" value after submitting the form. Same query for updating the image in the database... if the image is not updated then keep the old image in the database, otherwise the new image path will be inserted. – Sikander Shahzad Jun 01 '22 at 15:48
  • Good code indentation would help us read the code and more importantly it will help **you debug your code**. [Take a quick look at a coding standard](https://www.php-fig.org/psr/psr-12/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Jun 01 '22 at 15:58
  • You have to look at `$_POST['proid']`; if it is set, you then set that as the selected line in your dropdown. And so on for all the dropdowns. – RiggsFolly Jun 01 '22 at 16:06
  • **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Jun 01 '22 at 16:14
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use it again. – ADyson Jun 01 '22 at 16:14
  • `if (empty($_POST['proid']))` ...do something... `else` ... do something else. Not really clear why that's puzzling you? Did I miss part of the issue? – ADyson Jun 01 '22 at 16:15
  • The validate() function has already been created to tackle SQL injection – Sikander Shahzad Jun 01 '22 at 17:10
  • Whatever that function is doing, I can guarantee that it doesn't (fully) protect you against SQL injection, because only prepared statements and parameters can do that. There are ways round all other defences. Please read https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php. You are also vulnerable to various more mundane, silly syntax errors accidentally occurring in the SQL as well. Again, parameterization will prevent that. – ADyson Jun 01 '22 at 17:14
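The comments above make two points about the posted handler: the string-built `UPDATE` is injectable no matter what `validate()` does, and the two branches run the same query. The following is an added example (not the asker's code, nor an answer from the thread) of the same update written as one mysqli prepared statement. It assumes `$con` is an open mysqli connection, `$_SESSION['id']` is the logged-in user's id, and the `alumnidata` column names from the page; `save_avatar` and `update_alumni` are hypothetical helper names, and the image-extension allowlist is an assumption about what the site accepts.

```php
<?php
// Added example (not the asker's code): the page's UPDATE as one prepared
// statement. Assumes $con is an open mysqli connection, $_SESSION['id'] is the
// logged-in user, and the alumnidata column names shown on the page. With
// bound parameters the values need no escaping, so the page's validate() helper
// and its two copy-pasted branches are not needed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Returns the stored file name of a new upload, or null when nothing was uploaded.
function save_avatar(array $file, string $dest): ?string
{
    if (!isset($file['error']) || $file['error'] === UPLOAD_ERR_NO_FILE) {
        return null;                                   // keep the existing avatar
    }
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // Never use the client-supplied name as a path: generate one, keep only an
    // allow-listed extension (assumed list), and store under the fixed directory.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new RuntimeException('Unsupported image type');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], rtrim($dest, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store upload');
    }
    return $name;
}

function update_alumni(mysqli $con, int $userId, array $p, ?string $avatar): int
{
    // COALESCE keeps the stored avatar when NULL is bound, which replaces both
    // the duplicated branch and the tamperable hidden "old" field on the page.
    $sql = 'UPDATE alumnidata SET firstname=?, middlename=?, lastname=?, gender=?,
                address=?, province_id=?, district_id=?, contact=?, degree_id=?,
                batch_id=?, major_id=?, job_title=?, connected_to=?,
                avatar=COALESCE(?, avatar)
            WHERE user_id=?';
    $stmt = $con->prepare($sql);
    // 14 string placeholders followed by one integer (the session user id)
    $stmt->bind_param(
        'ssssssssssssssi',
        $p['fname'], $p['mname'], $p['lname'], $p['gender'], $p['address'],
        $p['proid'], $p['districtid'], $p['contact'], $p['degreeid'],
        $p['batchid'], $p['majorid'], $p['designation'], $p['institute'],
        $avatar, $userId
    );
    $stmt->execute();
    return $stmt->affected_rows;
}

if (isset($_POST['submit'])) {
    try {
        $fields = ['fname', 'mname', 'lname', 'gender', 'address', 'proid', 'districtid',
                   'contact', 'degreeid', 'batchid', 'majorid', 'designation', 'institute'];
        $p = [];
        foreach ($fields as $f) {
            $p[$f] = trim($_POST[$f] ?? '');
        }
        $avatar = save_avatar($_FILES['featured_img'] ?? [], 'alumni_images');
        update_alumni($con, (int)$_SESSION['id'], $p, $avatar);
        $msg = 'Data has been updated successfully';
    } catch (Throwable $e) {
        // Log $e->getMessage() server-side; do not echo mysqli_error() to the user.
        $error = 'Error in updating record';
    }
}
```

Two things change beyond the injection fix. The row to update is selected by the session id bound as an integer, so a posted `user_id` can never widen the `WHERE`. And the file name written to disk is generated server-side rather than taken from `$_POST['featured_img']`, so a crafted name cannot place the upload outside `alumni_images/` or give it an executable extension.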

1 Answer

Thanks for helping. My problem is solved. I gave the primary key field a different name.... Three tables had the same field name.