OK, hopefully this will give you an idea:
Quote.php // Query (note: there are 2 more tables linked together as part of a UNION query, which I have removed for simplicity)
Code:
<?php
$colname_rsInvQuote = "-1";
if (isset($_GET['id'])) {
    $colname_rsInvQuote = $_GET['id'];
}
$colname_rsInvQuote2 = "-1";
if (isset($_GET['proj'])) {
    $colname_rsInvQuote2 = $_GET['proj'];
}
// $colname_rsCosts2, $database_conndb2 and $conndb2 are assumed to be set earlier in the page (not shown in this snippet)
mysql_select_db($database_conndb2, $conndb2);
$query_rsInvQuote = sprintf("
SELECT tbl_projects.projid,
    tbl_projects.projtitle,
    tbl_projects.projdue,
    DATE_FORMAT(tbl_projects.projdue, '%%d/%%m/%%Y') as projdue_format,
    tbl_projects.projtype,
    tbl_projects.projcat,
    tbl_projects.FK_custid,
    tbl_languaget.langtname,
    tbl_doctype.doctypename,
    tbl_jobs.jobid,
    tbl_jobs.FK_projid,
    tbl_jobs.jobname,
    tbl_jobs.FK_langid,
    tbl_jobs.jobpages,
    tbl_jobs.jobshipped,
    tbl_jobs.jobinvsent,
    tbl_jobs.jobquote,
    tbl_customers.custid,
    tbl_costs.costcat,
    tbl_costs.costbase,
    tbl_costs.costnm_84,
    tbl_costs.cost85_99,
    tbl_costs.cost100,
    tbl_costs.costrep,
    tbl_jobs.wordsgross,
    (tbl_jobs.wordsgross * costbase) as translationcost,
    (tbl_jobs.wordsgross * costproof_en) as proofreadingcost,
    tbl_jobs.jobquotecomplete,
    'tbl_jobs' as fromtable
FROM tbl_projects
INNER JOIN tbl_jobs
    ON tbl_projects.projid = tbl_jobs.FK_projid
INNER JOIN tbl_languaget
    ON tbl_languaget.langtid = tbl_jobs.FK_langid
INNER JOIN tbl_customers
    ON tbl_customers.custid = tbl_projects.FK_custid
INNER JOIN tbl_costs
    ON tbl_costs.FK_custid = tbl_customers.custid
INNER JOIN tbl_doctype
    ON tbl_doctype.doctypeid = tbl_jobs.FK_doctypeid
WHERE tbl_projects.FK_custid = %s
    AND tbl_projects.projid = %s
    AND tbl_costs.costcat = %s
ORDER BY tbl_projects.projid ASC",
    GetSQLValueString($colname_rsInvQuote, "int"),
    GetSQLValueString($colname_rsInvQuote2, "int"),
    GetSQLValueString($colname_rsCosts2, "text"));
$rsInvQuote = mysql_query($query_rsInvQuote, $conndb2) or die(mysql_error());
$row_rsInvQuote = mysql_fetch_assoc($rsInvQuote);
$totalRows_rsInvQuote = mysql_num_rows($rsInvQuote);
?>
Quote.php // Table
Code:
<form action="../../admin/scripts/CompleteQuoteSingle.php" method="post" enctype="multipart/form-data">
<table border="0" cellpadding="0" cellspacing="0" id="tblreport_invoice">
  <caption><input type="submit" id="button" value="Submit" /></caption>
  <tr>
    <th>Project No.</th>
    <th>Project Title</th>
    <th>Job Title</th>
    <th>Type</th>
    <th>Language</th>
    <th>Deadline</th>
    <th>Document Format</th>
    <th>Pages</th>
    <th>Word Count</th>
    <th>Net Total</th>
    <th>EN Proofreading Cost</th>
    <th>Total</th>
  </tr>
<?php if ($totalRows_rsInvQuote > 0) { // Show if recordset not empty ?>
<?php do { ?>
  <tr>
    <td><?php echo $row_rsInvQuote['projid']; ?></td>
    <td><?php echo $row_rsInvQuote['projtitle']; ?></td>
    <td><?php echo $row_rsInvQuote['jobname']; ?></td>
    <td><?php echo $row_rsInvQuote['projtype']; ?></td>
    <td><?php echo $row_rsInvQuote['langtname']; ?></td>
    <td><?php echo $row_rsInvQuote['projdue_format']; ?></td>
    <td><?php echo $row_rsInvQuote['doctypename']; ?></td>
    <td><?php echo $row_rsInvQuote['jobpages']; ?></td>
    <td><?php echo $row_rsInvQuote['wordsgross']; ?></td>
    <td><?php echo number_format($row_rsInvQuote['translationcost'], 1, '.', '').'0'; ?></td>
    <td><?php echo number_format($row_rsInvQuote['proofreadingcost'], 1, '.', '').'0'; ?></td>
    <td>
<?php $price_total = ($row_rsInvQuote['translationcost'] + $row_rsInvQuote['proofreadingcost']); ?>
      <input type='text' name='jobquote[]' value="<?php echo number_format($price_total, 1, '.', '').'0'; ?>"/>
      <input type='hidden' name='original_jobquote[]' value="<?php echo number_format($price_total, 1, '.', '').'0'; ?>"/>
<?php // $_POST is empty when this page is opened via GET, so this comparison only sees values after a submit
      if ($_POST['original_jobquote'] != $_POST['jobquote']) { ?>
      <span id="spryradio1">
        <input type="radio" name="jobquoteadmin" value="y" id="radio" />Confirm<br />
        <span class="radioRequiredMsg">Please confirm Admin Override</span>
      </span>
<?php } ?>
<?php
      // table:rowid:projid tells CompleteQuoteSingle.php which row this price belongs to
      $table_name = $row_rsInvQuote['fromtable'];
      $item_id = $row_rsInvQuote['jobid'];
      $proj_id = $row_rsInvQuote['projid'];
?>
      <input type="hidden" name="quote[]" value="<?php echo $table_name; ?>:<?php echo $item_id; ?>:<?php echo $proj_id; ?>" />
    </td>
  </tr>
<?php } while ($row_rsInvQuote = mysql_fetch_assoc($rsInvQuote)); ?>
<?php } // Show if recordset not empty ?>
</table>
CompleteQuoteSingle.php
Code:
<?php
$allowed_tables = Array('tbl_jobs', 'tbl_jobtransline', 'tbl_jobxml'); // to prevent SQL injection through the table name
// $conndb2 is assumed to be opened by the same connection include as Quote.php (not shown)
$mess = '';
foreach ($_POST['quote'] as $i => $var) { // $i keeps this row aligned with $_POST['jobquote'][$i]
    $arr = explode(':', $var);
    if (in_array($arr[0], $allowed_tables, true)) {
        $table = $arr[0];
        $rowid = $arr[1];
        $projid = $arr[2];
        $setprice = $_POST['jobquote'][$i];
        // both values end up in SQL, so both must be numeric, not just the row id
        if (is_numeric($rowid) && is_numeric($setprice)) {
            // run the update on $table where the row matches $rowid
            $query = sprintf("UPDATE %s SET jobquote = '%.2F', jobquotecomplete = 'y' WHERE jobid = %d",
                $table, (float)$setprice, (int)$rowid);
            $result = mysql_query($query, $conndb2) or die(mysql_error());
            $mess = $ref = $_SERVER['HTTP_REFERER'];
            // send the browser back to the project page once the script finishes
            header('refresh: 0; url=../../projects/project_details.php?id=' . (int)$projid);
        }
        else {
            $mess = "<p>There was a problem</p>";
        }
    }
}
?>
So the problem I'm having is that the info is posted to the CompleteQuoteSingle.php script file before any validation of whether the 'original_quote' value is different from the value posted in the 'jobquote' input.
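One way to do the override check where the posted values actually exist, as an added example that is not the poster's code: validate the three posted arrays together in CompleteQuoteSingle.php and only then run a parameterised UPDATE. It assumes a PDO connection named $pdo (hypothetical) and the same field names as the form above; the sample POST is constructed.

```php
<?php
// Added example (not the poster's code): do the override check server-side
// in CompleteQuoteSingle.php, where $_POST actually exists, then run a
// parameterised UPDATE. $pdo (a PDO connection) is assumed/hypothetical.
$allowed_tables = array('tbl_jobs', 'tbl_jobtransline', 'tbl_jobxml');
// Returns array($updates, $errors). Rows only reach $updates if the table is
// allow-listed, ids and prices are numeric, and a changed price was confirmed.
function validate_quotes(array $post, array $allowed_tables) {
    $quotes   = isset($post['quote']) ? $post['quote'] : array();
    $prices   = isset($post['jobquote']) ? $post['jobquote'] : array();
    $original = isset($post['original_jobquote']) ? $post['original_jobquote'] : array();
    $override = isset($post['jobquoteadmin']) && $post['jobquoteadmin'] === 'y';
    if (count($quotes) !== count($prices) || count($quotes) !== count($original)) {
        return array(array(), array('Posted arrays do not line up'));
    }
    $updates = array(); $errors = array();
    foreach ($quotes as $i => $ref) {
        $arr = explode(':', $ref);
        if (count($arr) !== 3 || !in_array($arr[0], $allowed_tables, true)) {
            $errors[] = "Row $i: table not allowed"; continue;
        }
        if (!ctype_digit($arr[1]) || !is_numeric($prices[$i]) || !is_numeric($original[$i])) {
            $errors[] = "Row $i: bad id or price"; continue;
        }
        // The Quote.php template cannot see $_POST; this is where the comparison belongs.
        if (abs((float)$prices[$i] - (float)$original[$i]) > 0.005 && !$override) {
            $errors[] = "Row $i: price changed without admin confirmation"; continue;
        }
        $updates[] = array('table' => $arr[0], 'jobid' => (int)$arr[1], 'price' => round((float)$prices[$i], 2));
    }
    return array($updates, $errors);
}

function apply_quotes(PDO $pdo, array $updates) {
    foreach ($updates as $u) {
        // Table name is from the allowlist; price and id are bound, not interpolated.
        $stmt = $pdo->prepare("UPDATE `{$u['table']}` SET jobquote = :price, jobquotecomplete = 'y' WHERE jobid = :jobid");
        $stmt->execute(array(':price' => $u['price'], ':jobid' => $u['jobid']));
    }
}

// Constructed sample POST: row 1 was edited without Confirm, row 2 names a table outside the allowlist.
$sample = array(
    'quote'             => array('tbl_jobs:12:7', 'tbl_jobs:13:7', 'tbl_users:1:7'),
    'jobquote'          => array('120.00', '95.00', '10.00'),
    'original_jobquote' => array('120.00', '80.00', '10.00'),
);
list($updates, $errors) = validate_quotes($sample, $allowed_tables);
// $updates holds only row 0; $errors lists rows 1 and 2. apply_quotes($pdo, $updates) then runs one prepared UPDATE per validated row.
```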