I’m just learning MySQL/PHP and I’m trying to update a mysql record of a selected value from the dropdown list. I have read through several tutorials, and tried to apply them, but I cannot get this working…
What I want : I got a dropdown list with two options (Approved, Disapproved). I want to UPDATE the selected value from the dropdown menu to the specific user using its user_id.
Problem: When I change the SQL query from WHERE user_id = ‘$user_id’ to WHERE user_id = 75 it will update the record with id 75. So it has something to do with that.
<table id="UserTable"> <tr bgcolor="#2ECCFA"> <th>ID</th> <th>First Name</th> <th>Last Name</th> <th>Email</th> <th>Approval</th> </tr> <?php while ($course = mysqli_fetch_assoc($records)) { ?> <tr> <td><?php echo $course['user_id'] ?></td> <td><?php echo $course['first_name'] ?></td> <td><?php echo $course['last_name'] ?></td> <td><?php echo $course['email'] ?></td> <td> <form method="post"> <select id="options">--> <select name="admin_approved"> <option value="1">Approved</option> <option value="0">Dissaproved</option> </select> <button type="submit" name="selectSubmit">Submit</button> </form> </td> </tr> <?php } ?></table><?phpif (isset($_POST['selectSubmit'])) { // Use button name $admin_approved = $_POST ['admin_approved']; $query = "UPDATE tbl_users SET admin_approved = '$admin_approved' WHERE user_id = 75";//WHERE user_id = '$user_id'"; $statement = mysqli_prepare($con, $query); mysqli_stmt_execute($statement); $con->close();}?>Advertisement
Answer
You need to pass the user_id via a hidden field in the form to be able to update a specific user.
<form method="post"> <input type="hidden" name="user_id" value="<?php echo $course['user_id'] ?>"><!-- the rest of the form --></form>Then your query becomes (is sql injectable):
$admin_approved = $_POST['admin_approved'];$user_id = $_POST['user_id'];$query = "UPDATE tbl_users SET admin_approved = '$admin_approved' WHERE user_id = '$user_id'";$statement = mysqli_prepare($con, $query);mysqli_stmt_execute($statement);While you say you’re not concerned with sql injection, to protect the query you can replace the code with the following which will protect it against sql injection:
$admin_approved = $_POST['admin_approved'];$user_id = $_POST['user_id'];$query = "UPDATE tbl_users SET admin_approved = ? WHERE user_id = ?";$statement = mysqli_prepare($con, $query);mysqli_stmt_bind_param($statement, 'si', $admin_approved, $user_id);mysqli_stmt_execute($statement);