fetch_assoc Select Option value filter column

[parrishpc]

I have a form that i need to post to a database and send a email to user.

I have one page 

createmail.php 

Here is the the part of the code that works fine 

<select id="to" name="to" class="form-control">
	<?php 
	$sql = "SELECT * FROM apply_job_post INNER JOIN users ON apply_job_post.id_user=users.id_user WHERE apply_job_post.id_company='$_SESSION[id_company]' AND apply_job_post.status='2'";
	$result = $conn->query($sql);
	if($result->num_rows > 0) {
		while($row = $result->fetch_assoc()) {
			echo '<option value="'.$row['id_user'].' '.$row['email'].'">'.$row['firstname'].' '.$row['lastname'].'</option>';
		}
	}
	?>
</select>

I have another page

add-email.php

Here is the part of the code from that page that post both values from the form option select

$to .=  mysqli_real_escape_string($conn, $_POST['to']);

The problem is that the $_POST['to'] will post both $row['id_user'].' '.$row['email']. and i only need the $row['email']  but i have to have both in the string to update database with both values.

Any help would be greatly appreciated

Edited August 30, 2018 by cyberRobot
please use code tags when posting code; it's the <> button

[Barand]

Then remove the id_user from the option values.

[ginerjm]

You need to look up how an <option> tag is designed.  One sets the 'value' attribute of the tag to be the value(s) that you want returned to your script and the info that you want the user to actually see in between the start and end tags.  YOu are including a bunch of things as the 'value' when you probably only need one thing that will identify what record you want to update.

I don't know what you mean by having to have "both" in the string in order to update the database with both values. Your database should already have these things and if not then how are they going to get there when you don't give the user anything to look at to verify his proper selection?

In your case:

	   echo '<option value="(some key value)">(some user viewable information)</option>';
	

[mac_gyver]

your code should pass a minimum of information through the form, because you must validate ALL form/external data before using it.

your current method also exposes all the users email addresses and probably allows someone to submit any email address to your form processing code and it will get used as the email address to send to.

you should only pass the user_id through the form, then query for the corresponding email address in the form processing code. also, any data you store or update based on the form data only needs the user_id.

[ginerjm]

Oops - I see that I missed the closing > tag in my first review of this.  So - if you really need to include multiple values inside the 'value' attribute (which you shouldn't), you should separate them with some unique value.  Something like the pipe symbol perhaps ('|') and then do an explode on the 'to' value when your retrieve it from the POST array.

Care to explain why email and id are needed in the option tag?  Won't one get the other for you?  Afterall, something retrieved them both for you when you built the tag.

[parrishpc]

Ok here is what i tried on the 

createmail.php

	<select id="to" name="to" class="form-control">
		<?php 
		$sql = "SELECT * FROM apply_job_post INNER JOIN users ON apply_job_post.id_user=users.id_user WHERE apply_job_post.id_company='$_SESSION[id_company]' AND apply_job_post.status='2'";
		$result = $conn->query($sql);
		if($result->num_rows > 0) {
			while($row = $result->fetch_assoc()) {
				echo "<option value=\"".$row['id_user']."$".$row['email']."\">".$row['firstname'].' '.$row['lastname']."</option>\n  ";
	
			}
		}
		?>
	</select>
</div>
<div class="form-group">
	<input class="form-control" name="subject" placeholder="Subject:">

	<input type="hidden" name="user_email" id="user_email "value="<?php
	if (isset($_POST['to'])) {
		$option = explode("$", $_POST['to']);
		echo $option[1];
	}
	?>" />

	<button type="submit" name="create_mail" class="btn btn-primary"><i class="fa fa-envelope-o"></i> Send</button>

Then on the 

add-email.php

if(isset($_POST['create_mail']))

$to =  mysqli_real_escape_string($conn, $_POST['user_email']);

$subject = mysqli_real_escape_string($conn, $_POST['subject']);

This does not work either i created the input hidden name="user_email"  using the explode when the submit button name="create_mail" I wanted it to post $to =  mysqli_real_escape_string($conn, $_POST['user_email']); this is where i just want the email address from the option value.

Thanks

For all the help.

 

Edited August 31, 2018 by cyberRobot
added code tags / tweaked indents

[ginerjm]

I don't follow what you are doing nor what you did.  I see that you used a $ as a delimiter in your value clause so that should have solved your initial problem.  Dont' see what "does not work" now.

[cyberRobot]

@parrishpc - When posting code, please use the <> button in your editor so the code appears in code tags. It makes your post easier to read. ?

As for your question, it looks like your <select> tag is in the same form as the hidden input field for the email address. Assuming that's correct, you'll need to use JavaScript to pull the value selected in the drop down to populate the hidden input field.

However, it would be better to populate the drop down values with each person's user ID (as recommended by mac_gyver). Then when the form is submitted to add-email.php you can use the ID to retrieve the selected person's email address.

Edited August 31, 2018 by cyberRobot

[parrishpc]

Ok I will try to explain better after some trial and error here is what i am trying to do 

I have a form with a select option value on a page create-mail.php 

<select id="to" name="to" class="form-control">
                      <?php 
                    $sql = "SELECT * FROM apply_job_post INNER JOIN users ON apply_job_post.id_user=users.id_user WHERE apply_job_post.id_company='$_SESSION[id_company]' AND apply_job_post.status='2'";
                    $result = $conn->query($sql);
                    if($result->num_rows > 0) {
                      while($row = $result->fetch_assoc()) {
						echo "<option value=\"".$row['id_user']."$".$row['email']."\">".$row['firstname'].' '.$row['lastname']."</option>\n  ";
                      }
                    }
                    ?>
                    </select>
                  </div>
                  <div class="form-group">
                    <input class="form-control" name="subject" placeholder="Subject:">
                    <input type="hidden" name="co_name" id="co_name" value="<?php echo $_SESSION['name'];?>" />
                  </div>
                  <div class="form-group">
                    <textarea class="form-control input-lg" id="description" name="description" placeholder="Job Description"></textarea>
                  </div>
                </div>
                <!-- /.box-body -->
                <div class="box-footer">
                  <div class="pull-right">
                    <button type="submit" name="create_mail" class="btn btn-primary"><i class="fa fa-envelope-o"></i> Send</button>
                  </div>
                  <a href="mailbox.php" class="btn btn-default"><i class="fa fa-times"></i> Discard</a> </div>

The option value

<option value=\"".$row['id_user']."$".$row['email']."\">

has the two values the $row['id_user'] post to my database table that dose not have the email value in it

The other value $row['email'] I would like to post to another page that sends an email that page is add-email.php

i have the line 

$message .=  $_POST['to'];       the results like this  136$email@email.com which is from the select option.

I tried to post using in a input hidden value like this

<input type="text" name="user_email" id="user_email" value="<?php $option = explode("$", $_POST['to']);
echo $option[1]; ?>"/>

Then on the add-mail.php

$message .=  $_POST['ueser_email']; 

Which dose not anything

Hope all is clear 

Any help is greatly appreciated 

 

 

[ginerjm]

Nope - Can't follow what you are doing.  I do see this tho:

$message .=  $_POST['ueser_email']; 

Does that help?

[parrishpc]

Ok i am trying to get just $row['email'] from the form select option  see the line below

echo "<option value=\"".$row['id_user']."$".$row['email']."\">".$row['firstname'].' '.$row['lastname']."</option>\n  "; 

then i have another page that is used to send the email and I want the $message= $row['email']  results only not .$row['id_user']."$".$row['email'].

when the form is submitted. 

I know i could modify the line

echo "<option value=\"".$row['id_user']."$".$row['email']."\">".$row['firstname'].' '.$row['lastname']."</option>\n  "; 

to 

echo '<option value="'.$row['email'].'">'.$row['id_user'].' '.$row['firstname'].' '.$row['lastname'].'</option>';

And then use

$message .=  $_POST['to']; to just get $row['email'].

But I also am posting the data $row['id_user'] to a database table that does not include the $row['email'].

Here is the code from the page that the form post to

<?php

session_start();

if(empty($_SESSION['id_company'])) {
  header("Location: ../index.php");
  exit();
}

require_once("../db.php");

if(isset($_POST['create_mail']))
{
   $to =  'email@email.com';
   $subject = mysqli_real_escape_string($conn, $_POST['subject']);
			          
		     $message .=  $_POST['to'];//this is where I want to post email address from select option from the create-mail.php page

			 $headers[] = 'MIME-VERSION: 1.0';
			 $headers[] = 'Content-type: text/html; charset=iso-8859-1';
			 $headers[] = 'To: '.$to;

			 $result = mail($to, $subject, $message, implode("\r\n", $headers)); // \r\n will return new line. 

}
if(isset($_POST)) {
	$to  = $_POST['to'];

	$subject = mysqli_real_escape_string($conn, $_POST['subject']);
	$message = mysqli_real_escape_string($conn, $_POST['description']);
	$message .=  $_POST['to'];//this is where I want to post $row['email']

	$sql = "INSERT INTO mailbox (id_fromuser, fromuser, id_touser, subject, message) VALUES ('$_SESSION[id_company]', 'company', '$to', '$subject', '$message')";

	if($conn->query($sql) == TRUE) {
		header("Location: create-mail.php");
		exit();
	} else {
		echo $conn->error;
	}
} else {
	header("Location: create-mail.php");
	exit();
}

Thanks

 

[mac_gyver]

i recommend that you review the replies you have received in the thread, particularly this one - https://forums.phpfreaks.com/topic/307650-fetch_assoc-select-option-value-filter-column/?tab=comments#comment-1560580

it lists two security holes with the way you are doing this now and suggests a simple and secure method of doing this so that it works.

 

[parrishpc]

Ok here is what I tried 

<?php

session_start();

if(empty($_SESSION['id_company'])) {
  header("Location: ../index.php");
  exit();
}

require_once("../db.php");

if(isset($_POST['create_mail']))
{
	
$searchUserID = $_POST['to'];
$sql = "SELECT id_user, email, firstname, lastname FROM users where id_user=$searchUserID";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row
    while($row = $result->fetch_assoc()) {
      $userEmail = $row["email"];
    }
} else {
    echo "No email address found";
}

   $to =  $_POST['userEmail'];
   $subject = mysqli_real_escape_string($conn, $_POST['subject']);
			          
          $message = "We at"." ". $_POST['co_name']." "."Thank You"."\r\n"; 
		 $message .= "Your user id is :"." ". mysqli_real_escape_string($conn, $_POST['to'])."\r\n";
         $message .= "Message:". "\r\n" . $_POST['description'];

			 $headers[] = 'MIME-VERSION: 1.0';
			 $headers[] = 'Content-type: text/html; charset=iso-8859-1';
			 $headers[] = 'To: '.$to;
			/$headers[] = 'Bcc: testbbc@testdoamin.com';
			 $headers[] = 'From: jobs@testdoamin.com';
			// //you add more headers like Cc, Bcc;

			 $result = mail($to, $subject, $message, implode("\r\n", $headers)); // \r\n will return new line. 

}
if(isset($_POST)) {
	$to  = $_POST['to'];

	$subject = mysqli_real_escape_string($conn, $_POST['subject']);
	$message = mysqli_real_escape_string($conn, $_POST['description']);

	$sql = "INSERT INTO mailbox (id_fromuser, fromuser, id_touser, subject, message) VALUES ('$_SESSION[id_company]', 'company', '$to', '$subject', '$message')";

	if($conn->query($sql) == TRUE) {
		header("Location: mailtest.php");
		exit();
	} else {
		echo $conn->error;
	}
} else {
	header("Location: mailtest.php");
	exit();
}

The line       $userEmail = $row["email"];

I would like the results in this line

   $to =  $_POST['userEmail'];

Basically what i am trying to do is from my form page I have the select option line

  echo '<option value="'.$row['id_user'].'">'.$row['firstname'].' '.$row['lastname'].'</option>';

I use the id_user to lookup the email in the database on the posttest.php with this

$searchUserID = $_POST['to'];
$sql = "SELECT id_user, email, firstname, lastname FROM users where id_user=$searchUserID";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row
    while($row = $result->fetch_assoc()) {
      $userEmail = $row["email"];
    }
} else {
    echo "No email address found";
}

This looks up the email fine when i try this

$searchUserID = $_POST['to'];
$sql = "SELECT id_user, email, firstname, lastname FROM users where id_user=$searchUserID";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row
    while($row = $result->fetch_assoc()) {
      echo $row["email"];
    }
} else {
    echo "No email address found";
}

But I need the value to post $to = 

Hope this will clarify more what I trying to do

Thanks again.

 

 

[cyberRobot]

Since you are no longer attempting to pass the email address through the online form, which is good, the $_POST['userEmail'] will always be blank. Instead, the email address comes from your database.

Try changing this

$userEmail = $row["email"];

to this

$to =  $row["email"];

Note that you will also need to remove the following line:

$to =  $_POST['userEmail'];

 

[parrishpc]

Thanks

That worked great.

one other question in the line message = i have "\r\n"; that only works on one line not sure what i am missing here I think it may be related to the content type.

Thanks Again

 

[parrishpc]

Ok i figured it out using "\n<br />"; fixed the issue.

Thanks 

[ginerjm]

The \r\n is a newline for a text format while the br tag is an html newline.