php/mysql database output to hidden form fields

[fluffels]

I'm having some issues with a PHP/MySQL function on one of my pages.

 

This is the code:

 

while($row = mysql_fetch_array($result, MYSQL_NUM))
{
  list($member_id, $firstname, $lastname) = $row;
  $content .= "<li>
<a href=\"list-users.php?uid=$member_id\">$firstname $lastname</a> 
<form action=\"exec-user-status.php\" method=\"post\">
<input type=\"hidden\" name=\"memact\" value=\"$member_id\" />
<input type=\"hidden\" name=\"action\" value=\"disable\" />
<a href=\"#\" onclick=\"document.forms[0].submit();\">Disable</a>
</form>
</li>\r\n";
}

 

The problem lies with the second instance of $member_id. It will output on the page without issue unless it's in the hidden input value shown above. That line again for clarity:

 

	<input type=\"hidden\" name=\"memact\" value=\"$member_id\" />

 

 

 

Anyone got any ideas? It is actually driving me nuts - I've never had any issues with this kind of thing before...

 

Comments and solutions appreciated

 

[eRott]

That code looks a little odd to me. Is this what you are trying to do?

 

$query = "SELECT field1, field2, field3 FROM table_name";
$result = mysql_query($query) or die(mysql_error());


while ($row = mysql_fetch_array($result))
{
$content .= '<li><a href="list-users.php?uid='.$row['field3'].'">'.$row['field1'].' '.$row['field2'].'</a>';
$content .= '<form action="exec-user-status.php" method="post">';
$content .= '<input type="hidden" name="memact" value="'.$row['field3'].'" />';
$content .= '<input type="hidden" name="action" value="disable" />';
$content .= '<a href="#" onclick="document.forms[0].submit();">Disable</a>;
$content .= '</form></li>';
}

[fluffels]

Yeah, in a nutshell 

 

The code is escaped \" for other reasons. It can prolly be removed now, however.

[eRott]

Well, if the problem is solved, please do not forget to click "Topic Solved" at the bottom left of the page.

 

Generally, you only need to escape the double quotes inside of double quotes if that makes sense.

[fluffels]

And you know what, the minute I post the thread, it begins outputting it  

 

However, while it's now putting the form out correctly, it's not sending it to the processing page:

 

This is what the code outputs to the page.

<div id="tablecontain">
<p><strong>List of Users</strong></p>
   <ol>
<li><a href="list-users.php?uid=1">User One</a>
 <form action="exec-user-status.php" method="post">
 <input type="hidden" name="memact" value="1" />
 <input type="hidden" name="action" value="disable" />
 <a href="#" onclick="document.forms[0].submit();">Disable</a>
 </form>
</li>
<li>
 <a href="list-users.php?uid=2">User Two</a>
 <form action="exec-user-status.php" method="post">
 <input type="hidden" name="memact" value="2" />
 <input type="hidden" name="action" value="disable" />
 <a href="#" onclick="document.forms[0].submit();">Disable</a>
 </form>
</li>
   </ol>
</div>

 

This is the code of exec-user-status.php:

<?php
//Start session
session_start();

//Include global vars
include('global.php');

//Connect to the DB Server and select the database
cmsdb();

//Get the ID of the user performing the operation
$userid = $_SESSION['SESS_MEMBER_ID'];

//TO DO
//Code the permissions checker


//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

//Sanitize the POST values

// Echoing them temporarily for debug
echo "member_id ";
echo $member_id = clean($_POST['memact']);
echo "<br />action ";
echo $action = clean($_POST['action']);

//rest of code snipped

 

What's confusing me is that if the page is outputting that form in list-users.php without issue, why isn't exec-user-status.php picking it up right?

 

No matter which user I click 'disable' next to, it'll come up with the following output on exec-user-status.php:

 

member_id 1
action disable

 

member_id 1. every single time.