[RESOLVED] Help with array foreach statement

Chris_96_WS6

Pulled this straight out of "Beginning PHP and MySQL 5" Second Edition, by W. Jason Gilmore.... using it to bulk modify selected records from a list:

// approve all selected & submitted records

  // has form been submitted?
  if (isset($_POST['Submit']))
  {
    // loop through each record with an enabled checkbox
    foreach($count=0; $count < count($_POST['rowlID']); $count++)
    {
      $rowID = $_POST['rowID']['$count'];
      $queryA = "UPDATE calendar SET Approved = "Yes" WHERE rowID = '$rowID'";

  $resultA = mysql_query($queryA);

  // Should have one affected row
  if((mysql_affected_rows() == 0) || mysql_affected_rows() == -1) {
    echo "<p>There are no unapproved records to approve.</p>";
    exit;
  }
}
echo "<p>The selected items were successfully approved.</p>";
  }

I'm getting this error re: the foreach statement:

Parse error: parse error, unexpected ';' in /home/htdocs/oor/gcm/admincp/eventcal/zindex.php on line 24

I can't find any documentation online that talks about that syntax as valid for "foreach"

Piranha

I can't find any documentation online that talks about that syntax as valid for "foreach"

That is because it is not. I think that you should look what the manual says about [man]foreach[/man]. Then you would see that you don't write it as that. The statements looks like a for-loop.

Chris_96_WS6

the script runs using for(), but it doesn't update anything....

Piranha

To get error messages from MySQL you should do like this:

$resultA = mysql_query($queryA) or die(mysql_error());

Chris_96_WS6

I managed to get it working, but only by making $rowID = the posted ROW ID, and not RowID + Count. That only updates the last checked record however.

Using the above code, it looks for a row ID that is actually the rowID + the count of records....and there is no row with that ID

What I need is a way for the update query to be able to parse out the arrayed $rowID to get just the rowID number out and not the count.

bradgrafelman

Probably because variables aren't parsed in single-quoted strings. Don't know about strings and variable parsing? Read the manual page that explains what a [man]string[/man] is.

Then again... why even use a string in there? Get rid of the quotes around the $count variable.

Also... did you realize you have unescaped quotes in your query?

Also... did you realize your query is vulnerable to SQL injection attacks? No user-supplied data should EVER be placed directly into a SQL query. Not only could they accidentally break your query with certain characters, but it also allows malicious users to inject SQL without your knowledge. Always run all user-supplied data through a function such as [man]msyql_real_escape_string/man (or some other function, depending upon the type of data you're expecting to get) before using it in a SQL query.

Oh, and by the way, if the rowID column is a numeric type, there's no reason to surround its value in quotes.

Weedpacket

And if all those records are having the same field updated to the same value there's no point in doing it in a loop.

$queryA = "Update calendar set approved='yes' where rowID in (" . join(',', $_POST['rowID'] . ")";
$resultA = mysql_query($queryA);

Although this is still just as vulnerable to injection attacks, and will go wonky if there are no rowIDs posted; obviously it's not the whole of the code.

Still, code presented for the purpose of teaching the language usually falls far short of what is required for real-world use. And vice versa. The two have quite different sets of standards to meet.