Okay, so I have this form that is set to preload a DB record for editing: if you add ?edit=1 to the URL, it will load record #1 for editing into the form. I have a box that is like this:

    <select class="field select addr">
      <option value="no"<?php if($row['has_amenities'] == "no") {echo ' selected=\"selected\"'; } ?>>No</option>
      <option value="yes"<?php if($row['has_amenities'] == "yes") {echo     'selected=\"selected\"'; } ?>>Yes</option>
    </select>

Now, let's say that $row['has_amenities'] is "yes" so when the form loads, the select box is showing "Yes".

BUT, if I change the select box to "No" and click save, it doesn't write "no" to the DB, but it does wipe out that record's "yes" with nothing.

What am I doing wrong?

Here's the update code--

    $sql = "UPDATE venues SET microsite_title = '$_POST[microsite_title]',
    microsite_city_title = '$_POST[microsite_city_title]', logo = '$_POST[logo]',
    photo1 = '$_POST[photo1]', photo2 = '$_POST[photo2]', photo3 = '$_POST[photo3]',
    photo4 = '$_POST[photo4]', photo5 = '$_POST[photo5]', photo6 = '$_POST[photo6]',
    photo7 = '$_POST[photo7]', photo8 = '$_POST[photo8]',
    website_primary = '$_POST[website_primary]',
    website_secondary = '$_POST[website_secondary]',
    paragraph_1_title = '$_POST[paragraph_1_title]', paragraph_1 = '$_POST[paragraph_1]',
    paragraph_2_title = '$_POST[paragraph_2_title]', paragraph_2 = '$_POST[paragraph_2]',
    paragraph_3_title = '$_POST[paragraph_3_title]', paragraph_3 = '$_POST[paragraph_3]',
    paragraph_4_title = '$_POST[paragraph_4_title]', paragraph_4 = '$_POST[paragraph_4]',
    paragraph_5_title = '$_POST[paragraph_5_title]', paragraph_5 = '$_POST[paragraph_5]',
    paragraph_6_title = '$_POST[paragraph_6_title]', paragraph_6 = '$_POST[paragraph_6]',
    top10_1 = '$_POST[top10_1]', top10_2 = '$_POST[top10_2]', top10_3 = '$_POST[top10_3]',
    top10_4 = '$_POST[top10_4]', top10_5 = '$_POST[top10_5]', top10_6 = '$_POST[top10_6]',
    top10_7 = '$_POST[top10_7]', top10_8 = '$_POST[top10_8]', top10_9 = '$_POST[top10_9]',
    top10_10 = '$_POST[top10_10]', top10_locale = '$_POST[top10_locale]',
    contact_title = '$_POST[contact_title]',
    contact_street_addr = '$_POST[contact_street_addr]',
    contact_street_addr2 = '$_POST[contact_street_addr2]',
    contact_city = '$_POST[contact_city]', contact_state = '$_POST[contact_state]',
    contact_zip = '$_POST[contact_zip]', contact_phone = '$_POST[contact_phone]',
    contact_tollfree = '$_POST[contact_tollfree]', latitude = '$_POST[latitude]',
    longitude = '$_POST[longitude]', testimonial = '$_POST[testimonial]',
    sidebar_title = '$_POST[sidebar_title]', sidebar_content = '$_POST[sidebar_content]',
    has_amenities = '$_POST[has_amenities]'
    WHERE id = '$_POST[query]'";

Also, I know it's not a good idea to write $_POST values without cleaning them first, but this is an internal form behind a firewall, etc. I'll clean it up later after it's working :o)

Thanks!

+1  A: 

Try wrapping your array variables with curly braces like so:

    '$_POST[paragraph_3]' = '{$_POST[paragraph_3]}'

Eddy
+4  A: 

It looks like the <select> element has no name or id--is that the case in your code? If so, I believe $_POST[has_amenities] won't be set--there would be no has_amenities value in $_POST. You'd get an empty string instead.

TSomKes
+2  A: 

Wrap all of the instances of $_POST[] in {} (curly braces) so it looks like this

    '{$_POST['key']}'

The curly braces are needed to force PHP to evaluate $_POST as a variable when it's inside a double-quoted string.

Also, quote your $_POST array keys like this

    $_POST['key']

You want to get in the habit of this even though $_POST[key] will usually work. PHP is treating key as a constant which, if it's undefined, is automatically turned into the string "key" so you get the behavior you're expecting.

However, if key already exists as a constant (via the define() function), you'll get the value of the key constant which is not what you want.

Take a look at the Array do's and don'ts section.

Mark Biek
+1  A: 

You'll need to specify a name for this select tag. I also see you're escaping your double-quotes with backslashes, which is unnecessary (it will literally use \" so the output would look like: selected=\"selected\" which is bad HTML).

Try using this:

    <select name="has_amenities" class="field select addr">
      <option value="no"<?php if($row['has_amenities'] == "no") {echo ' selected="selected"'; } ?>>No</option>
      <option value="yes"<?php if($row['has_amenities'] == "yes") {echo ' selected="selected"'; } ?>>Yes</option>
    </select>

Your SQL statement will work the way it is, but note that if a single quote is entered by the user, it will break the statement...possibly causing a huge security hole. Check out "SQL injection" on the google.

Dan Breen
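
The UPDATE from the question rewritten with bound parameters, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database standing in for the poster's database and only two of the venues columns; `updateVenue` and `EDITABLE` are hypothetical names.

```php
<?php
// Added example: constructed table and request data, not the poster's real schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE venues (id INTEGER PRIMARY KEY, microsite_title TEXT, has_amenities TEXT)");
$pdo->exec("INSERT INTO venues VALUES (1, 'Old title', 'yes')");

// Column names come from this fixed list, never from the request.
const EDITABLE = ['microsite_title', 'has_amenities'];

function updateVenue(PDO $pdo, array $post): int
{
    // A <select> without a name attribute never reaches $_POST; refuse to
    // save rather than overwrite the stored value with an empty string.
    foreach (EDITABLE as $col) {
        if (!isset($post[$col]) || !is_string($post[$col])) {
            throw new InvalidArgumentException("missing form field: $col");
        }
    }
    if (!in_array($post['has_amenities'], ['yes', 'no'], true)) {
        throw new InvalidArgumentException('has_amenities must be yes or no');
    }
    $id = filter_var($post['query'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('query must be an integer record id');
    }
    // Values travel as bound parameters, so a quote in the input stays data.
    $set = implode(', ', array_map(fn($c) => "$c = :$c", EDITABLE));
    $stmt = $pdo->prepare("UPDATE venues SET $set WHERE id = :id");
    foreach (EDITABLE as $col) {
        $stmt->bindValue(":$col", $post[$col], PDO::PARAM_STR);
    }
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed request: a title containing a single quote, and the select set to "no".
$post = ['query' => '1', 'microsite_title' => "Joe's Place", 'has_amenities' => 'no'];
echo updateVenue($pdo, $post), " row(s) updated\n";
print_r($pdo->query('SELECT * FROM venues')->fetch(PDO::FETCH_ASSOC));

// Constructed request with has_amenities absent, as happens when the select has no name.
try {
    updateVenue($pdo, ['query' => '1', 'microsite_title' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```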