select option value from database on selected

Question

I have a small problem. I have a edit.php page. This page list the products information that can be edited.

I run a query

while($rows=mysql_fetch_assoc($query)){


echo"<form method=\"POST\" action=\"edit.php\">";
echo "<input type ='hidden' name='ID' value = '{$rows['ID']}'>"; 
echo "Product:&nbsp <input type='text' name='product' value = '{$rows['ProductName']}'>"; 

Before the while loop I store the details in variables as such:

$hiddenid = $_POST['ID'];   
$productName = $_POST['product'];

and this works. when I load the php form it shows the product name (in a text field) retrieved from the DB. However the problem is I want to store the product name as a drop down list box that has already been selected by the user and then select that.

So, basically what I wish to do is instead of displaying the DB retrieved options in a text box I wish the option the user has selected to be displayed in a dropdown list box.

I hope this makes sence? Why are my option values not showing at all and secondly they are not showing the SELECTED option either (retrieved from the DB).

Any help please?

Answer 1

Focusing on this one area, you should be getting a PHP error unless it is a copy error. Notice the following changes:

while($rows=mysql_fetch_assoc($query)){
?>
    <form method=\"POST\" action=\"edit.php\">
    <input type ='hidden' name='ID' value = '<?php echo $rows['ID'];?>'>
    <select name ="pnames">
        <?php foreach ($arrayproducts as $key => $value) {
        ?>  
            <option value = "<?php echo $key; ?>" 
            <?php
                if ($key == $productName){
                    echo 'selected="selected"';
                } 
            ?> >
            <?php echo $value; ?> 
            </option>
     <?php } //end foreach ?>   
   </select>
<?php }//end while ?>

You had plain HTML code in the PHP segment in the beginning.

Also, I believe you want

if ($value == $productName){

Answer 2

This probably isn't such a good place for this, but since I see tons of code daily that is horrible I figured I would chime in.

First of all, check your inputs. You should never trust any variables from a user $_GET, $_POST, etc. The looseness of the original code is just looking for an SQL injection attack.

<?php

This thing looks like it's expecting some sort of passed ID which would then pull the productName from the database... it's really unclear. So we're assuming variables are already defined. Need to use code like this:

if(!empty($_GET['id'])&&is_numeric($_GET['id'])){
   $id=$_GET['id'];
} else {
   $id='';
}

//Declare your array
$arrayproducts = array();


while($rows=mysql_fetch_array($query)){

You need to call something out here for the returned array... without seeing the SQL it's hard to say what you're expecting, but your callouts should look like this...

//Whatever the name from SQL is for the column
$temp_ID = $rows['id'];

//Whatever the name for the product column is
$temp_Prod = $rows['prod'];

//Load the array
$arrayproducts[$temp_ID]=$temp_Prod;
}

It's best to load a var for everything and then post it in one shot rather than in and out of PHP. The code will be much faster and you'll be able to keep track of the code.

$page = "<form method=\"POST\" action=\"edit.php\">";

Check to see if that ID worked. Regex would be best, but one thing at a time here.

if(!empty($id)){
    $page .= "<input type =\"hidden\" name=\"ID\" value = \"$id\">";
} 
$page .= "<select name =\"pnames\">\n";

foreach ($arrayproducts as $key => $value) {

   $page .= "<option value = \"$key\"";

It's best to use the auto-increment fields and built-in IDs for mysql so there isn't a chance of having a duplicate ID taking over an existing record.

      if ($id == $key){
        $page .= ' selected="selected"';
      }
   $page .= ">$value</option>\n";

//close the foreach
}

$page .= "</select>\n"; 

print $page;
?>