1

I am working on a PHP form that loads data from a database, and for each record, there is a select box that allows users to change the record's status (Accepted, Rejected, Pending). When a user changes the status, it should update the corresponding record's status in the database.

The problem I am facing is that the select box works perfectly for all records, except for the first one displayed in the table. When I try to change the status of the first record, nothing happens. The form loads five rows, and this issue only occurs with the first record.

Here is the PHP code for the form:

                      <?php
if (mysqli_num_rows($result) > 0) {
    while ($row = mysqli_fetch_assoc($result)) {
        $stav = htmlspecialchars($row['stav']); 
        echo "<tr data-stav='$stav'>";
        echo "<td><input type='checkbox' name='selected_ids[]' value='" . $row['id'] . "'></td>";
        echo "<td>" . $row['id'] . "</td>";
        echo "<td>" . $stav . "</td>";
        echo "<td>" . $row['datum_vlozeni'] . "</td>";
        echo "<td>" . $row['pocet_stojanu'] . "</td>";
        echo '<td>
            <form method="post" action="php/change_stav.php">'; // Vytvoříme formulář pro změnu stavu
        echo '<input type="hidden" name="id" value="' . $row['id'] . '">'; // Skryté pole s ID záznamu
        echo '<select name="stav" onchange="this.form.submit()">'; // Dropdown se jménem "stav"
        echo '<option value="odesláno" ' . ($stav === 'odesláno' ? 'selected' : '') . '>Odesláno</option>';
        echo '<option value="přijato" ' . ($stav === 'přijato' ? 'selected' : '') . '>Přijato</option>';
        echo '<option value="odmítnuto" ' . ($stav === 'odmítnuto' ? 'selected' : '') . '>Odmítnuto</option>';
        echo '<option value="Předáno BKOM" ' . ($stav === 'Předáno BKOM' ? 'selected' : '') . '>Předáno BKOM</option>';
        echo '</select>';
        echo '</form>';
        echo '</td>';
        echo '<td>
            <a href="update.php?hash_kod=' . $row['hash_kod'] . '" title="Upravit">
                <i class="bi bi-pencil-square"></i>
            </a>
            <a href="php/export_pdf.php?hash_kod='. $row['hash_kod'] .'" target="_blank" title="Export do PDF">
                <i class="bi bi-file-earmark-pdf"></i>
            </a>
        </td>';
        echo "</tr>";
    }
} else {
    echo "<tr><td colspan='6'>Žádné záznamy k zobrazení.</td></tr>";
}

?>

And here is the PHP code that processes the form action:

<?php
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // připojení k databázi
    $servername = "localhost";
    $username = "root";
    $password = "";
    $dbname = "podnety";
    $conn = new mysqli($servername, $username, $password, $dbname);
    $conn->set_charset("utf8");

    // Ochrana proti SQL injection  
    $id = mysqli_real_escape_string($conn, $_POST['id']);
    $stav = mysqli_real_escape_string($conn, $_POST['stav']);

    // Aktualizace stavu v databázi
    $sql = "UPDATE podnety SET stav = '$stav' WHERE id = '$id' AND delete_record IS NULL";
    if (mysqli_query($conn, $sql)) {
        header("Location: ../admin.php"); // Přesměrování zpět na hlavní stránku
        exit;
    } else {
        echo "Chyba: " . mysqli_error($conn);
    }
}
?>

I don't understand why the select box behaves differently for the first record compared to others. Can someone please help me identify the issue and provide a solution? Thank you!

I have thoroughly reviewed my code, but I cannot pinpoint the reason why the select box behaves differently for the first record. I have also searched for similar problems but haven't found a suitable solution yet. Any help or insights into this matter would be greatly appreciated. Thank you!

Jiří Komínek
  • 19
  • 2
  • 1
    Your code is vulnerable! Please refer to prepared statements to make secure queries to your database: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – isuckatcode Jul 30 '23 at 20:52
  • I'm sure it's a lovely language, but I must admit I'm not able to read the comments and as it is that much code, I guess it would help if I could. – hakre Jul 30 '23 at 20:53
  • As you can reproduce (I can't), what is the SQL that you generate for the error case? – hakre Jul 30 '23 at 21:00
  • 3
    One obvious thing to check is, does your "first" record have a non-Null "delete_record" value? (Given you are only updating the "stav" value if "delete_record" is Null, that's the first thing I'd be checking) – Craig Jul 30 '23 at 21:01
  • There's nothing in your code that's different for the first record. So the problem must be with the data. It's probably related to the `delete_record` column, as @Craig suggests. – Barmar Jul 30 '23 at 22:16
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Jul 30 '23 at 23:42

0 Answers0