$_POST as $key => $value using checkboxes.

Question

I am having trouble getting a form to update the information passed from a check box. I was given this code.

$one = isset($_POST['one']) ? 'on' : 'off';

This works great as long as I call each check box separately. My problem is I have approximately 200 checkboxes in total.

Here is the code I am using to UPDATE with. Can anyone help me to figure out where to insert the code I was given into my present code? I've tried all sorts of variations.

if($_POST['submit']){
    if(!empty($applicant_id)){
     $sql = "UPDATE play SET ";
     foreach($_POST as $key => $value){
       if(($key != 'submit') && ($key != 'applicant_id')){
        $sql .=  $key. " = '$value',";
       }
     }
     $sql = substr($sql, 0, -1);
     $sql .= " WHERE ".$applicant_id." = $applicant_id";
     $result = mysql_query($sql,$db) or die(mysql_error(). "<br />SQL: $sql"); 
    } 
}

Answer 1

if($_POST['submit']){
    if(!empty($applicant_id)){
            $sql = "UPDATE play SET ";
            foreach($_POST as $key => $value){
                if(($key != 'submit') && ($key != 'applicant_id')){
                     $sql .=  $key . " = '" . ($value ? 'on' : 'off') . "',";
                }
            }
            $sql = substr($sql, 0, -1);
            $sql .= " WHERE ".$applicant_id." = $applicant_id";
            $result = mysql_query($sql,$db) or die(mysql_error(). "<br />SQL: $sql");   
    } 
}

The above assumes that all your inputs are checkboxes. If they aren't, you'll need to work out a convention to distinguish them.

Incidentally, your currently running UPDATE code is vulnerable to SQL injection because you aren't sanitizing your inputs with mysql_real_escape_string(). Cheers.

Answer 2

The solution is to start with your known list of possible checkboxes in an array() or similar. Can I assume you generate the form with such a list? If not, you probably should. Then you can use a loop over the same data to check for the existence of each checkbox.

Some other hints:

isset($array[$key]) is not recommended. Although it will be reliable most of the time, it will fail if $array[$key] is null. The correct call is array_key_exists($key, $array).

When assembling string fragments for SQL, like you're doing, it is more elegant to do the following:

 $sqlvalues = array();
 foreach( $options as $field ) {
    if( array_key_exists('checkbox_'.$field, $_POST) )
        $sqlvalues[] = $field.' = \'on\'';
    else
        $sqlvalues[] = $field.' = \'off\'';
 }
 mysql_query('UPDATE '.$table.' SET '.implode(', ', $sqlvalues).' WHERE applicant_id = '.$applicant_id);

Answer 3

You may be running to HTML checkbox behavior: Checkboxes are only sent to the server if they are on; if they are off, no name/value pair is sent. You are going to have trouble turning off values with the above code.

So you need to run through your known list of values and check for them in the $_POST parameters.

Answer 4

delete everything above :-) name all you checkboxes like and in foreach work with $_POST['out'] BUT! don't forget the golden rule: DOn't belive to the user. re-check every key=>value before writing to the datebase.

Answer 5

You should use an array name and it will be an array in PHP.

As ndp said, if a checkbox is unchecked, its value will not be transmitted. So you need to use a hidden input field with the same name before the checkbox input field, with the "off" value.

<label for="one">One</label> 
<input type="hidden" name="checkboxes[one]" value="off"/>
<input type="checkbox" name="checkboxes[one]" id="one" value="on"/>

Remember checked="checked" if it should be default to on.

You can now loop the checkboxes with POST or GET

foreach ($_POST['checkboxes'] as $key => $value) {
    //something
}