0

I was wondering if you could tell me what is wrong with my code or point out where I am going wrong, as I am not able to display any results. $_POST['checkbox'] is an array.

<?
   $get_id=$_POST['checkbox']; 

    if(empty($get_id)) {
        echo("<h3>You didn't select anything.</h3>");
   } else {  
        $where[]  = sprintf(" id='%s'",$_POST["checkbox"]);
   }

   $where_str = " WHERE ".implode(" AND ",$where);
   $sql = "SELECT * FROM products $where_str";
   $result = mysql_query($sql, $link);

    echo "<table>";
    echo "<tr> <th>Description</th> </tr>";
        while($row = mysql_fetch_array($result)) {
            echo "<tr><td>";     
            echo $row['description'];   
            echo "</td></tr>"; 
        }
   echo "</table>"; 
?>
Improve this question
6

2 Answers 2

Reset to default
3
  1. You should refrain from using short tags <? as they are not supported after PHP 5.4.
  2. You are not connecting to MySQL ($link undefined)
  3. You are using a deprecated API (mysql_). See comments for alternatives (mysqli_ or PDO)

  4. You should use the REQUEST_METHOD index of $_SERVER to determine whether your script has been posted.

    if( $_SERVER[REQUESTED_METHOD] == 'POST' && !empty($_POST['checkbox']) ) { ... }

  5. You need to use error handling to check for errors. If you echo $sql; you would see that the checkboxes aren't being populated:

    SELECT * FROM products WHERE id=''

  6. Your script is vulnerable to SQL injection. When you switch to current API, use binded parameters.

  7. Is $_POST[checkbox] an array?
  8. sprintf will not work as you intend it to because you are passing the entire $_POST[checkbox] array to it. You would need to iterate through it to format it. (See Ollie's answer)

Example

Assuming your HTML looks like this:

<form method="post" ...>
<input type="checkbox" name="checkbox[]" value="1" />
<input type="checkbox" name="checkbox[]" value="2" />
<input type="checkbox" name="checkbox[]" value="3" />
<input type="submit" name="submit" />
</form>

And all three boxes are checked; it will produce this array:

Array
(
    [0] => 1
    [1] => 2
    [2] => 3
)

Following Collie's loop:

foreach ($_POST['checkbox'] as $checkbox) {
    $where[]  = sprintf(" id='%s'",$checkbox);
}

$where will look like:

Array
(
    [0] =>  id='1'
    [1] =>  id='2'
    [2] =>  id='3'
)

The rest of your script should work. However, you should look into using the IN operator.

That will enable you to skip the loop and just use implode:

$where = "'" . implode("', '", $_POST[checkbox]) . "'";

Which produces:

'1', '2', '3'

And combined with IN:

$sql = "SELECT ... FROM WHERE id IN ($where)";

Be aware that this is not sanitized and you're still vulnerable to injection.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks for you comments. Apologies for not being clear, but link was defined in header file. $POST_[checkbox] is an array and I have now edited the code accordingly as per Ollie's suggestion, but am still not getting results.
0

If $_POST["checkbox"] is an array like you say then you cannot use it as a string in the sprintf. Try using array_pop to return the last value of that array or similar.

You could foreach through each element in the array:

foreach ($_POST['checkbox'] as $checkbox) {
    $where[]  = sprintf(" id='%s'",$checkbox);
}

Although this will probably just create an invalid SQL statement if asking for ID to be equal to two different integers.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.