Update multiple rows with one submit

jreid

Hi everyone,

This script has given me much grief, and I've read lots of others on the 'net. The script basically works but only for one row. I think I'm passsing arrays as I was echo-ing them out at one stage but now seem to have broken that... Ie $count returns 1.
The idea of the script is to allow user editing of picture gallery names and display options etc...
Here's some code:

<?php
require_once ('../includes/admin_header.html');
include ('../../bb_dbc.php');

// Set error handling
	error_reporting(E_ALL);
	// See if the user is lodded in
	if (isset($_SESSION['first_name'])) {
	$name =  $_SESSION['first_name'];
	$member_id = $_SESSION['member_id'];
} else {
	header ("Location:  http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . "/login.php");

} // Redirect to Login.php



//Start the main if conditional

if(isset($_POST['submit']))	{

include_once("dBug.php");
	new dBug($_POST['submit']);

// find out how many records there are to update
$count = count($_POST['submit']);
//echo "Rows = $count<br />";
var_dump ($_POST['submit']);
// start a loop in order to update each record
$i = 0;
while ($i < $count) {
echo "$member_id<br />";
// define each variable
$id = $_POST['group_id'][$i];
echo "$id<br />";
//Do group name
$group_name = addslashes ($_POST['group_name'][$i]);
echo "$group_name<br />";
//Do status
$status = $_POST['group_status'][$i];
if ($status == "Online")	{
$status = "Y";
}	elseif ($status == "Offline")	{
$status = "N";
}
echo "$status<br />";
// Do Captions
$captions =  $_POST['group_captions'][$i];
if ($captions == "Yes")	{
$captions = "Y";
}	elseif ($captions == "No")	{
$captions = "N";
}
echo "$captions<br />";
// Do Locations
$locations =  $_POST['group_location'][$i];
if ($locations == "Yes")	{
$locations = "Y";
}	elseif ($locations == "No")	{
$locations = "N";
}
echo "$locations<br />";
// Do yeartaken
$yeartaken = $_POST['group_yeartaken'][$i];
if ($yeartaken == "Yes")	{
$yeartaken = "Y";
}	elseif ($yeartaken == "No")	{
$yeartaken = "N";
}
echo "$yeartaken<br />";


$query = "UPDATE bb_groups SET group_name='$group_name', member_id='$member_id', group_status= '$status', group_captions='$captions', group_locations='$locations', group_yeartaken='$yeartaken' WHERE group_id='$id'";
$result = mysql_query($query) or die (mysql_error() );


 $i++;
} // End of while loop




}
else //middle of main If conditional
{
?>




  <p>Welcome <?php echo $_SESSION['first_name']; ?>,</p>
  <br />

<?php

// First part of page displays from below here
// Select all groups from the database and display them:
$query = "SELECT * FROM bb_groups WHERE member_id = $member_id";
	$result = mysql_query($query) or die(mysql_error());



if (!$result)	{
	echo "<p>You have no groups yet...</p>";
} else {

echo "<form method=\"POST\" class=\"form\" name=\"update\" action=\"{$_SERVER['PHP_SELF']}\">
<legend>Current groups:</legend>";

  while ($row = mysql_fetch_array($result)) {
  $num_rows = mysql_num_rows($result);
$group_id = $row[0];
$group_name = $row[1];
$group_status = $row[3];
$group_captions = $row[4];
$group_location = $row[5];
$group_yeartaken = $row[6];


if ($group_status == "Y")	{
$status = "Online";
$alt_status = "Offline";
$status_icon = "<span class=\"tick\">&#10003;</span>&emsp;";
}	elseif ($group_status == "N")	{
$status = "Offline";
$alt_status = "Online";
$status_icon = "<span class=\"cross\">&times;</span>&emsp;";
}

if($group_captions == "Y")	{
$captions = "Yes";
$alt_captions = "No";
$captions_option = "Y";
$captions_icon = "<span class=\"tick\">&#10003;</span>&emsp;";
} else {
$captions = "No";
$alt_captions = "Yes";
$captions_option = "N";
$captions_icon = "<span class=\"cross\">&times;</span>&emsp;";
}
if($group_location == "Y")	{
$locations = "Yes";
$alt_locations = "No";
$locations_option = "Y";
$locations_icon = "<span class=\"tick\">&#10003;</span>&emsp;";
} else	{
$locations = "No";
$alt_locations = "Yes";
$locations_option = "N";
$locations_icon = "<span class=\"cross\">&times;</span>&emsp;";
}
if($group_yeartaken == "Y")	{
$yeartaken = "Yes";
$alt_yeartaken = "No";
$yeartaken_option = "Y";
$yeartaken_icon = "<span class=\"tick\">&#10003;</span>&emsp;";
} else {
$yeartaken = "No";
$alt_yeartaken = "Yes";
$yeartaken_option = "N";
$yeartaken_icon = "<span class=\"cross\">&times;</span>&emsp;";
}



echo "<div id=\"divider\"><p>Group Name <span class=\"small\">(id #$group_id)</span>&nbsp;<input type=hidden name=group_id[] value=\"$group_id\">&nbsp;<input type=\"text\" id =\"edit_area\" name=\"group_name[]\"
value=\"$group_name\" size=\"24\" maxlength=\"48\"><p>$status_icon&emsp;&emsp;This group is:&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;<select name=\"group_status[]\" size=\"1\"> <option value=\"$status\" selected=\"$group_status\">$status</option>
<option value=\"$alt_status\">$alt_status</option></select></p>  <p>Group options are:</p>";

echo "<p>$captions_icon&emsp;&emsp;Caption display &emsp;= &emsp;<select name=\"group_captions[]\" size=\"1\"> <option value=\"$captions_option\" selected=\"$captions_option\">$captions</option>
<option value=\"$alt_captions\">$alt_captions</option></select>";
echo "<p>$locations_icon&emsp;&emsp;Location display = &emsp;<select name=\"group_location[]\" size=\"1\"> <option value=\"$locations_option\" selected=\"$locations_option\">$locations</option>
<option value=\"$alt_locations\">$alt_locations</option></select>";
echo "<p>$yeartaken_icon&emsp;&emsp;Year display &emsp;&emsp;&emsp;&emsp;&emsp;= &emsp;<select name=\"group_yeartaken[]\" size=\"1\"> <option value=\"$yeartaken_option\" selected=\"$yeartaken_option\">$yeartaken</option>
<option value=\"$alt_yeartaken\">$alt_yeartaken</option></select>";


} // End of while loop
echo "<div id=\"divider\">";
echo "<p><input type=\"image\" name=\"submit\" alt=\"Update\" src=\"../gfx/update.png\"  value=\"Update\">";
echo "</div >";
echo "</form>";

} // End of if statement




} // End of else 
?>

</div> <!-- centred content ends -->
</div> <!-- container ends-->
</body>

</html>

sneakyimp

The first thing I noticed is that you are missing an IF statement at the beginning...it just starts with else....

Try putting in a print_r statement to see what you are really getting. $_POST['submit'] is not even an array I'm guessing so there's no sense running count on it.

print_r($_POST);

Once you see what your $_POST array looks like, that should give you a better idea of how to alter your script.

jreid

Hi Sneaky,

The if prob got chopped when I cut some non-related code from the posting. I just fixed the script and you were right $POST['submit'] contained only one value. I changed it to $POST['group_id'] and it returns 2, so the while loop works and everything is great.

Any advice on the next step which is to add a way of deleting a record from the db, probably via checkbox? Something like:
<input name="delete[]" type="checkbox" id="delete" value="1" />

Then I'd have to if/else on the value of delete[] and run a seperate DELETE query ?

sneakyimp

Try adding the delete input to your form and viewing what shows up in $POST

print_r($_POST);

If you are smart about what value you supply in your delete checkbox, you can get some good PHP kung-fu going on. Try putting the primary key (the "id") of the record directly from the database into the delete input's value attribute:

echo '<input name="delete[]" type="checkbox" id="delete" value="$group_id" />'

Then when your form is submitted, $_POST['delete'] should be an array of ids that somebody wants to delete. Then you can make a query really easily like this:

$sql = "DELETE FROM table_x WHERE id IN (" . implode(',', $_POST['delete']) . ")";

sneakyimp

also, you should know that giving all your checkboxes the same id ("delete") is not good practice. Each form input should have a different id.

jreid

Kung-fu! I like it. I'll give it a whirl shortly...
Back now - Ok, it's working except that I'm getting an error "Notice: Undefined offset: 1 in /Users/jon/Sites/brokenbench.dev/web/adm1n/edit_groups.php on line 58"

I have to leave for work now but I think that means that I have to move the DELETE query outside the while loop......... Yep, that seems to have worked... will check it over thoroughly later (have run out of groups to delete :-) )

Thanks heaps for your help Sneakyimp I appreciate it...

sneakyimp

You should also check that $_POST['delete'] is actually an array with elements before running that query...otherwise you get SQL error.

jreid

I did. It is.

sneakyimp

Try submitting the form without checking any checkboxes and it probably won't be.

jreid

Ah, OK. Will try later, am away from my home comp now...

jreid

Back now sneaky,

No, there's a problem if no checkbox's are checked I get the following errors:

Notice: Undefined index: delete in /Users/jon/Sites/brokenbench.dev/web/adm1n/edit_groups.php on line 19

Warning: implode() [function.implode]: Bad arguments. in /Users/jon/Sites/brokenbench.dev/web/adm1n/edit_groups.php on line 19
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1

jreid

Okay,
Sort of have the same problem...
Now I have the following inside my while loop

// Do delete id
 $delete_id = $_POST['delete'][$i];
 // if (isset($_POST['$delete_id'])) {
  if	($delete_id == NULL)	{
  echo 'delete was NOT checked<br />';
  } else {
echo 'Delete was checked.';
echo "Group to be deleted  = $delete_id<br />";
// Query for deleting a group
$sql = "DELETE FROM bb_groups WHERE group_id IN (" . implode(',', $_POST['delete']) . ")"; 
$result2 = mysql_query($sql) or die (mysql_error() );
}

and it is working to the point where it is deleting a group from the database.
The error this time is
Notice: Undefined offset: 1 in /Users/jon/Sites/brokenbench.dev/web/adm1n/edit_groups.php on line 57

Arghhhh! I can't think of a way to stop it from finding an undefined offset when sometimes, usually, in the running of this script there will be undefined offsets! I realise I could just turn error reporting down as they are just notices but I'd like to find a solution. I checked some stuff on this page but...
http://www.spsu.edu/cs/faculty/bbrown/papers/php2.html

sneakyimp

Maybe try checking the value with isset first?

if (isset($_POST['delete'][$i])) {
    $delete_id = $_POST['delete'][$i];

// do delete here...
}

OR you could just leave the delete query OUTSIDE your loop which is where I had intended it to go. If it's inside your loop, you should probably change your query...it's deleting all those records over and over again each loop iteration so you have a lot of wasted effort probably. If you are just dying to have it in the loop, use this instead:

$sql = "DELETE FROM bb_groups WHERE group_id=" . $delete_id;

Also, as a matter of security, you should check all of your $delete_id values to make sure they don't permit sql injection. You either need to use [man]mysql_real_escape_string[/man] on every single value that comes from user input, or you need to make sure that every delete id supplied is just a simple number. A mean-spirited miscreant might supply a delete_id that already has a comma-separated list in it, effectively deleting ALL of your records. imagine that $_POST['delete'][1] had this in it:

1,2,3,4,5,6,7,8,9,10,11,12,13,14

And then you go and stick it right in your code and get this query:

DELETE FROM bb_groups WHERE group_id IN (1,2,3,4,5,6,7,8,9,10,11,12,13,14)

You should check each delete id to make sure it's a number with something like this:

if (!preg_match('/^\d+$/', $delete_id)) {
    die($delete_id . ' is not a valid id');
}

jreid

Thanks Sneakyimp,

I had used isset (see two posts above) but I think it's still inside my while loop. Am away from the code now.

Thanks also for the security tips. I intend to verify all data coming in from user input as an earlier iteration of this site suffered from an sql injection attack. Also my mail script got hijacked 😕

At this stage I'm just trying to get the mechanics how I want. I'll move the isset IF outside the while loop and see how it goes over the weekend. Thanks again for the help and maybe check back Monday?🙂

Jon

jreid

Success !

Hey Sneakyimp, thanks for all your help on this. I moved the (isset($POST['delete'] out of the while loop and made it into a foreach (my first one) to stop it complaining about unknown $i when the checkbox wasn't checked. Code below:

foreach ($_POST['delete'] as $key => $delete_id);
{
if	($delete_id == NULL)	{
 echo 'delete was NOT checked<br />';
} else {
  echo 'Delete was checked.';
echo "Group to be deleted  = $delete_id<br />";
// Query for deleting a group
$sql = "DELETE FROM bb_groups WHERE group_id ='$delete_id'"; 
$result2 = mysql_query($sql) or die (mysql_error() );

} //end of else
} // end of foreach

jreid

Also, with regard to security, apart from filtering the variables is it worth putting a LIMIT 1 into the DELETE query? Since it is in a foreach loop. only one should be deleted in any one query yeah?

Jon

laserlight

A mean-spirited miscreant might supply a delete_id that already has a comma-separated list in it, effectively deleting ALL of your records.

The problem is that merely preventing such a comma-separated list is of no use if this miscreant is able to delete records one by one. Instead of supplying delete_ids in a comma-separated list, he or she simply supplies a list of individual delete_ids.

Yes, one should avoid SQL injection by appropriately handling incoming input, but that is not enough: one must also check that the user is allowed to delete the records to begin with. How this is done depends on how you manage who has authority to delete what records. If only an authenticated administrator can reach this stage in the form processing, then you may not need to alter your SQL statement at all.

Incidentally, a more realistic SQL injection would result in:

DELETE FROM bb_groups WHERE group_id=1 OR group_id IN (2,3,4,5,6,7,8,9,10,11,12,13,14)

The attacker cannot delete the "=", so he or she would have to complete that part, then add the OR clause. As demonstrated, you could use preg_match() to check, but more akin to mysql_real_escape_string() is a cast to int. Often one can have a round of validation where you check that the input is of a correct format and feedback to the user if it is not, but even then just before executing the SQL statement another round of data sanitisation takes place just in case.

Also, with regard to security, apart from filtering the variables is it worth putting a LIMIT 1 into the DELETE query? Since it is in a foreach loop. only one should be deleted in any one query yeah?

As mentioned, executing an SQL statement to delete records one by one is inefficient. The very same example of an attacker supplying a comma-separated list can be turned to your advantage: instead of executing an SQL statement on each iteration, join the group_ids together into a comma-separated list. If this list is not empty at the end, execute the resulting SQL statement. For example:

$delete_ids = array();
foreach ($_POST['delete'] as $delete_id) {
    $delete_ids[] = (int)$delete_id; // Cast to int to prevent SQL injection.
}

if (!empty($delete_ids)) {
    $delete_ids = implode(',', $delete_ids);
    $sql = "DELETE FROM bb_groups WHERE group_id IN ($delete_ids)";
    mysql_query($sql) or die(mysql_error());
} else {
    // Nothing selected.
}

jreid

Hi Laserlight,

Thanks for the post.

one must also check that the user is allowed to delete the records to begin with

. I'm in a partnership with all the other users, and they'll only be able to delete records that pertain to information about themselves, so I'm happy with the level of authentication on a per-user basis.

Thanks for your tips re security. I was going to look into mysql_real_escape_string() as Sneakyimp suggested, now that I have the page working as desired. I have also cast variables as INT in a previous script, so I understand that concept too. I also like your suggestion about joining the id's to use in one query, much more efficient. I don't doubt that my code is inefficient as I often break it down into a lot of chunks to understand how it is working/broken... but then I see code on the net or as you have suggested and realise there are often others ways of coding things with far fewer lines...

TThanks again, I'll try out your suggestions, and Sneakyimps, over the next few days.

Cheers,

Jon

jreid

UPDATE
Sorry Sneakyimp, I worked on some other stuff for a while and just came back to find out that this code is only deleting one group at a time. If more than one are checked it just deletes one...

foreach ($_POST['delete'] as $key => $delete_id);
{
if	($delete_id == NULL)	{
 echo 'delete was NOT checked<br />';
} else {
  echo 'Delete was checked.';
echo "Group to be deleted  = $delete_id<br />";
// Query for deleting a group
$sql = "DELETE FROM bb_groups WHERE group_id ='$delete_id'"; 
$result2 = mysql_query($sql) or die (mysql_error() );

} //end of else
} // end of foreach

Any ideas why the foreach isn't working properly?

Jon

sneakyimp

I'm not sure, but I'm guessing that all of the inputs for your delete checkboxes have the exact same NAME attribute:

<input type="checkbox" name="delete" value="<?=$delete_id_1 ?>">
<input type="checkbox" name="delete" value="<?=$delete_id_2 ?>">
<input type="checkbox" name="delete" value="<?=$delete_id_3 ?>">

This results in the last delete_id value being the only value passed in via $_POST. In order to get more than one value, you should put brackets in the NAME attribute:

<input type="checkbox" name="delete[]" value="<?=$delete_id_1 ?>">
<input type="checkbox" name="delete[]" value="<?=$delete_id_2 ?>">
<input type="checkbox" name="delete[]" value="<?=$delete_id_3 ?>">

You are going to have to learn some tricks to see what sort of input is being passed by your form. Try this in your submit handling code:

print_r($_POST);

That will let you see exactly what information is being passed by your form.