DesignerSeries: "the data in the post array is from the database, the user has no form to edit the data"
I'm not sure what that means. How are the 'users' for the report being selected?
In any case, all external data that gets submitted to a web site can be set to anything by a user/bot and cannot be trusted. You must protect against sql special characters in data values from breaking the sql query syntax, which is how sql injection is accomplished.
Yes you do. You have the column holding the data and the list of value(s) (hopefully supplied via a prepared query place-holder) you want to match against that column.
You should end up with code that looks like the following -
<?php
$errors = []; // array to hold error messages
if(isset($_POST['header']))
{
    // validate the input data
    if(empty($_POST['user_result']))
    {
        $errors['users'] = 'You must select one or more users.';
    }
    // perform any other validation here...

    // if no errors, use the submitted data
    if(empty($errors))
    {
        $sql = "SELECT first_name, last_name FROM names WHERE FIND_IN_SET(id,?)"; // note: per the forum reply, you should be matching specific users via their id, not via a first name match which would give you all users with the same first name(s)
        $stmt = $DB_con3->prepare($sql); // not sure why you are up to '3' for a connection variable name. Your application should have one database connection.
        $stmt->execute([implode(',',$_POST['user_result'])]);
        $rows = $stmt->fetchAll(); // you should set the default fetch mode to PDO::FETCH_ASSOC when you make the connection, so that you don't have to specify it in every fetch statement

        // if no matching data, set up an error message
        if(empty($rows))
        {
            $errors['users'] = 'No user data was found.'; // since you are (probably) selecting from existing users, this error would indicate a programming mistake or someone is submitting nonexistent ids.
        }

        // if no errors, use the result from the query
        if(empty($errors))
        {
            //Set header values
            $headers = array("First Name", "Last Name");
            //Insert header values to $output
            $output = implode(',',$headers) . "\n";
            //Iterate through results
            foreach($rows as $row)
            {
                $output .= implode(',',$row) . "\n"; // note: the original code was missing the concatenation dot . when adding to $output
            }
            //Set headers
            header('Content-Type: text/csv');
            header('Content-Disposition: attachment; filename="ORA_ASE_FUNCTIONAL_SECURITY_CUSTOM_ROLES.csv"');
            //Output
            echo $output;
            exit;
        } else {
            // output any errors
            echo 'The following error(s) occurred:<br>';
            echo implode('<br>',$errors);
        }
    }
}
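The reply's point is that every submitted id must reach the database through a bound placeholder, and that the export should only ever match on ids. The following is an added example, not code from the thread or from either poster, that carries that advice one step further: it validates the submitted ids as positive integers before they go anywhere near SQL, binds one placeholder per id (an `IN (?,?,?)` list, which I use here instead of the page's `FIND_IN_SET` so the index on `id` remains usable), and writes the CSV with `fputcsv` so a name containing a comma or a quote cannot spill into a second column. It assumes a PDO connection in a variable named `$pdo` (a hypothetical name) and the `names` table with `id`, `first_name` and `last_name` columns from the thread.

```php
<?php
// Added example (not from the original post). Assumptions: $pdo is an existing PDO
// connection (hypothetical name) and `names` has columns id, first_name, last_name.
declare(strict_types=1);

/**
 * Validate the submitted user ids: must be a non-empty array of positive integers.
 * Returns the cleaned, de-duplicated list of ints, or null if the input is not acceptable.
 */
function validateUserIds(mixed $input): ?array
{
    if (!is_array($input) || $input === []) {
        return null;
    }
    $ids = [];
    foreach ($input as $value) {
        // filter_var rejects "12abc", "1 OR 1=1", floats and empty strings outright.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return null;
        }
        $ids[] = $id;
    }
    return array_values(array_unique($ids));
}

/**
 * Fetch the selected users with one bound placeholder per id. PDO binds each value,
 * so the ids never become part of the SQL text.
 */
function fetchUsers(PDO $pdo, array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT first_name, last_name FROM names WHERE id IN ($placeholders)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC); // explicit, so it does not depend on the connection's default mode
}

/**
 * Write the rows as CSV. fputcsv quotes any field containing a comma, a double
 * quote or a newline, which a plain implode(',') does not.
 */
function writeCsv($stream, array $rows): void
{
    fputcsv($stream, ['First Name', 'Last Name']);
    foreach ($rows as $row) {
        fputcsv($stream, [$row['first_name'], $row['last_name']]);
    }
}

$errors = [];
if (isset($_POST['header'])) {
    $ids = validateUserIds($_POST['user_result'] ?? null);
    if ($ids === null) {
        $errors['users'] = 'You must select one or more users.';
    }

    if (empty($errors)) {
        $rows = fetchUsers($pdo, $ids);
        if (empty($rows)) {
            // Ids come from the application's own lists, so this means a bug or tampered input.
            $errors['users'] = 'No user data was found.';
        }
    }

    if (empty($errors)) {
        header('Content-Type: text/csv; charset=utf-8');
        header('Content-Disposition: attachment; filename="ORA_ASE_FUNCTIONAL_SECURITY_CUSTOM_ROLES.csv"');
        header('X-Content-Type-Options: nosniff'); // stop browsers from guessing a different type
        $out = fopen('php://output', 'w');
        writeCsv($out, $rows);
        fclose($out);
        exit;
    }

    // Error messages are echoed into HTML, so escape them even though they are static here.
    echo 'The following error(s) occurred:<br>';
    echo implode('<br>', array_map('htmlspecialchars', $errors));
}
```

Two design notes. Rejecting the whole request when any single id fails validation (rather than silently dropping the bad value) keeps the error visible, which matters because a malformed id here indicates either a programming mistake or someone editing the request, exactly the case the reply describes. And because the file is opened in a spreadsheet, a value beginning with `=`, `+`, `-` or `@` would be treated as a formula by Excel; if the `first_name`/`last_name` columns can contain arbitrary user-entered text, prefix such fields with a single quote or a space before passing them to `fputcsv`.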