Skip to content
Advertisement

UPDATE MySQL record of selected value from dropdown list

I’m just learning MySQL/PHP and I’m trying to update a mysql record of a selected value from the dropdown list. I have read through several tutorials, and tried to apply them, but I cannot get this working…

What I want : I got a dropdown list with two options (Approved, Disapproved). I want to UPDATE the selected value from the dropdown menu to the specific user using its user_id.

Problem: When I change the SQL query from WHERE user_id = ‘$user_id’ to WHERE user_id = 75 it will update the record with id 75. So it has something to do with that.

<table id="UserTable">
    <tr bgcolor="#2ECCFA">
        <th>ID</th>
        <th>First Name</th>
        <th>Last Name</th>
        <th>Email</th>
        <th>Approval</th>
    </tr>

    <?php
    while ($course = mysqli_fetch_assoc($records)) {
        ?>
        <tr>
            <td><?php echo $course['user_id'] ?></td>
            <td><?php echo $course['first_name'] ?></td>
            <td><?php echo $course['last_name'] ?></td>
            <td><?php echo $course['email'] ?></td>
            <td>
                <form method="post">
                    <select id="options">-->
                        <select name="admin_approved">
                            <option value="1">Approved</option>
                            <option value="0">Dissaproved</option>
                        </select>
                        <button type="submit" name="selectSubmit">Submit</button>
                </form>
            </td>
        </tr>
        <?php
    } ?>
</table>

<?php
if (isset($_POST['selectSubmit'])) { // Use button name
    $admin_approved = $_POST ['admin_approved'];
    $query = "UPDATE tbl_users SET admin_approved = '$admin_approved' WHERE user_id = 75";//WHERE user_id = '$user_id'";
    $statement = mysqli_prepare($con, $query);
    mysqli_stmt_execute($statement);

    $con->close();

}
?>

Advertisement

Answer

You need to pass the user_id via a hidden field in the form to be able to update a specific user.

<form method="post">
  <input type="hidden" name="user_id" value="<?php echo $course['user_id'] ?>">
<!-- ... the rest of the form -->
</form>

Then your query becomes (is sql injectable):

$admin_approved = $_POST['admin_approved'];
$user_id = $_POST['user_id'];
$query = "UPDATE tbl_users SET admin_approved = '$admin_approved' WHERE user_id = '$user_id'";
$statement = mysqli_prepare($con, $query);
mysqli_stmt_execute($statement);

While you say you’re not concerned with sql injection, to protect the query you can replace the code with the following which will protect it against sql injection:

$admin_approved = $_POST['admin_approved'];
$user_id = $_POST['user_id'];
$query = "UPDATE tbl_users SET admin_approved = ? WHERE user_id = ?";
$statement = mysqli_prepare($con, $query);
mysqli_stmt_bind_param($statement, 'si', $admin_approved, $user_id);
mysqli_stmt_execute($statement);

User contributions licensed under: CC BY-SA
9 People found this is helpful
Advertisement