Updating database column with checkbox

Question

echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"POST\">";
    if ($isAdmin === '1'){
        echo "<input id=\"checkbox\" name=\"checkbox\" type=\"checkbox\" checked=\"checked\" value=\"1\" />";
    } else {
        echo "<input id=\"checkbox\" name=\"checkbox\" type=\"checkbox\" value=\"0\" />";
    }
    echo "<input type=\"submit\" name=\"formSubmit\" value=\"X\" />";
echo "</form>";

The above code is inside a while loop so it makes a form for each user. My php code looks like this:

$status = '0';
if (isset($_POST['checkbox']) && $_POST['checkbox'] == '1') {
    $status = $_POST['checkbox'];
}

$stmt = $mysqli->prepare("UPDATE members SET isAdmin = ? WHERE id = \"$id\"");
$stmt->bind_param('s', $status);

$stmt->execute();

$stmt->close();
$mysqli->close();

Without actually submitting the form to the server, why does the admin user become a non-admin user just by refreshing the page?

---

UPDATED CODE:

?>

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
    <input type="checkbox" id="checkbox" name="checkbox" value="<?php echo ($checked)? '1' : '0'; ?>"<?php if($checked) echo ' checked="checked"'; ?> />
    <input type="hidden" id="userid" name="userid" value="<? echo $members_row['id']; ?>" />
    <input type="submit" id="submit" name="submit" value=">>" />
</form>

<?

$status = '0';
if (isset($_POST['checkbox']) && $_POST['checkbox'] == '1') {
    $status = $_POST['checkbox'];
    $id = $_POST['id'];

    $stmt = $mysqli->prepare("UPDATE members SET isAdmin = ? WHERE id = \"$id\"");
    $stmt->bind_param('s', $status);

    $stmt->execute();

    $stmt->close();
    $mysqli->close();
}

Answer 1

Couple things, move your bracket to the end of the php snippet, and just check that the post is set but not that it equals anything. $status will be used to update it at the time of post. Side note, since the form is in a loop, id="checkbox" is going to be a problem when/if you use javascript. id="*" should to be unique in order to provide value. Finally, the origin of $id is unknown from the script provided, you will want to make sure you bind_param on that value as well (perhaps it should be provided by the post?). Not sure on the origin of that variable so hard to comment on that.

$checked = ($isAdmin == '1');
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
    <input id="checkbox" name="checkbox" type="checkbox" value="<?php echo ($checked)? '1' : '0'; ?>"<?php if($checked) echo ' checked="checked"'; ?> />
    <input type="submit" name="formSubmit" value="X" />
</form>
<?php //continue with loop

Presumably this is at the top since your forms reference PHP_SELF :

<?php
if (isset($_POST['checkbox'])) {
    $status = $_POST['checkbox'];
    // The $id variable is suspect here. Probably should be provided by the post?
    $stmt = $mysqli->prepare("UPDATE members SET isAdmin = ? WHERE id = '$id'");
    $stmt->bind_param('s', $status);
    $stmt->execute();
    $stmt->close();
    $mysqli->close();
}

If I were doing this, I would either use a function or a class/method to make it more human-readable and reusable:

function updateUserRole($id,$status,$mysqli)
    {
        $stmt = $mysqli->prepare("UPDATE members SET isAdmin = ? WHERE id = ?");
        $stmt->bind_param('si', $status,$id);
        $stmt->execute();
        $stmt->close();
    }

// To execute, include the function
// then run the "if" condition
if (isset($_POST['checkbox']))
    updateUserRole($_POST['id'],$_POST['checkbox'],$mysqli);