Okay hang on. This is going to go badly very quickly.
You’re cycling a form without passing an identifier, and updating without validating or sanitizing…
So let’s crack at this a bit.
while($row = mysql_fetch_array( $result)) {
    //Print out the contents of each row into a table
    echo "<tr><td>";
    echo $row['nid'];
    echo $row['sid'];
    $projid = $row['nid'].$row['sid'];
    echo "</td><td>";
    echo $row['data'];
    echo "</td><td>";
    echo $row['approval_status'];
    echo "</td><td>";
    // Dropdown menu options and save button query
    echo "<form id=form1 method='POST'>
        <select id='apprrovalstat' name='apprrovalstat'>
        <option value='-select-'>-Select-</option>
        <option value='Approved'>Approved</option>
        <option value='Declined'>Declined</option>
        <option value='Pending'>Pending</option>
        </select>
        <input id='sub' type='submit' value='Save'>";
    if (isset($_POST['apprrovalstat'])) {
        mysql_query("UPDATE webform_submitted_data SET approval_status = '". $_POST['apprrovalstat'] ."'
            WHERE CONCAT(nid, sid) = '".$projid."' AND '". $_POST['apprrovalstat'] ."' != '-select-';" );
        echo "Rows updated";
    }
    else {
        echo "Update error";
    }
    echo "</form>";
    echo "</td></tr>";
}
echo "</table>";
I’m gonna slice out a few lines and see what I can make sense of…
$projid = $row['nid'].$row['sid'];
I shudder every time I see this. What happens when you have a project with nid 11, and sid 1, and another with nid 1, and sid 11? Both project "id"s would be 111.
If NID and SID are a unique identifier (duple), they should be the key. So let’s assume they are.
Your form has no way of identifying which project you’re trying to modify. The only field you’re passing atm is “approvalstat”. Approval stat for… what?
Let’s add some hidden values.
echo "<form id=form1 method='POST'>
    <select id='apprrovalstat' name='apprrovalstat'>
    <option value='-select-'>-Select-</option>
    <option value='Approved'>Approved</option>
    <option value='Declined'>Declined</option>
    <option value='Pending'>Pending</option>
    </select>
    <input type='hidden' value='".$row['nid']."' name='nid'>
    <input type='hidden' value='".$row['sid']."' name='sid'>
    <input id='sub' type='submit' value='Save'>";
So now the form handler knows that this approval state is for nid X and sid Y.
Now, the update query: because we’re not passing a combined key anymore, the query doesn’t need to do concatenation.
// Only run the update for a status that is on the allowed list
if (isset($_POST['apprrovalstat']) && in_array($_POST['apprrovalstat'],$allowed)) {
    mysql_query("UPDATE webform_submitted_data SET approval_status = '". mysql_real_escape_string($_POST['apprrovalstat']) ."'
        WHERE nid = ".intval($_POST['nid'])." AND sid = ".intval($_POST['sid']));
    echo "Rows updated";
}
Notes here:
1: I’ve shifted the “is not -select-” check into the IF. Saves a bit of time by not querying the database server unnecessarily.
2: Are nid and sid integers? or strings? I’ve assumed integers above.
3: Somewhere before your loop, define $allowed
$allowed = array("Approved","Declined","Pending");
4: I would remove the “else” from the IF entirely. The else will show up every time you don’t submit data (IE: When you first view the page…)
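The handler described in this post, taken one step further with PDO prepared statements (the mysql_* functions were removed in PHP 7), as an added example that is not part of the original post. It keeps the thread's table, column and field names; the SQLite in-memory database, its two rows and the sample submissions are constructed for the demonstration, and nid and sid are assumed to be integers.

```php
<?php
// Added example, not the poster's code. Table, column and field names are the
// thread's; the SQLite in-memory database and its rows are constructed.
const ALLOWED_STATUS = ['Approved', 'Declined', 'Pending'];

/** Returns the number of rows changed, or null when the submission is rejected. */
function saveApproval(PDO $pdo, array $post): ?int
{
    $status = $post['apprrovalstat'] ?? '';
    // FILTER_VALIDATE_INT rejects "11abc", "" and arrays; intval() would coerce them.
    $nid = filter_var($post['nid'] ?? null, FILTER_VALIDATE_INT);
    $sid = filter_var($post['sid'] ?? null, FILTER_VALIDATE_INT);
    if (!in_array($status, ALLOWED_STATUS, true) || $nid === false || $sid === false) {
        return null;
    }
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'UPDATE webform_submitted_data SET approval_status = :status
         WHERE nid = :nid AND sid = :sid'
    );
    $stmt->execute([':status' => $status, ':nid' => $nid, ':sid' => $sid]);
    return $stmt->rowCount();
}

// Constructed data: the two rows whose concatenated "id" would both be 111.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE webform_submitted_data (
    nid INTEGER, sid INTEGER, data TEXT, approval_status TEXT,
    PRIMARY KEY (nid, sid))');
$pdo->exec("INSERT INTO webform_submitted_data VALUES
    (11, 1, 'project A', 'Pending'), (1, 11, 'project B', 'Pending')");

// Constructed submissions; on the real page this is $_POST, handled once
// before the row loop rather than inside it.
$submissions = [
    ['apprrovalstat' => 'Approved', 'nid' => '11', 'sid' => '1'],        // valid
    ['apprrovalstat' => '-select-', 'nid' => '1', 'sid' => '11'],        // not on the allow-list
    ['apprrovalstat' => "Approved' OR '1'='1", 'nid' => '1', 'sid' => '11'], // not on the allow-list
    ['apprrovalstat' => 'Declined', 'nid' => '1 OR 1=1', 'sid' => '11'], // nid is not an integer
];
foreach ($submissions as $post) {
    var_dump(saveApproval($pdo, $post));
}
foreach ($pdo->query('SELECT nid, sid, approval_status FROM webform_submitted_data') as $r) {
    echo "{$r['nid']}/{$r['sid']}: {$r['approval_status']}\n";
}
```

Only the first submission changes a row, and it changes the (11, 1) row alone; with the concatenated key from the original loop, the (1, 11) row would have matched as well.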