See the following example, that conditionally only uses and operates on the correct data for the current user’s role and in the case of an admin if they are editing their own record or not (database specific statements are commented out and ‘fake’ data is being set in the code for demonstration purposes) -
<?php
session_start();
// fake a user
$_SESSION['id'] = 123;
// require '../dbconnect.php';
// use defined constants instead of literal numbers in the code
define('ROLE_ADMIN', 1);
define('ROLE_OPER', 2);
define('STATUS_DISABLED', 0);
define('STATUS_ENABLED', 1);
// define the role choices - used when dynamically outputting the select/option menu
$role_choices = [ROLE_ADMIN=>'Administrator',ROLE_OPER=>'Operator'];
// define the status choices - used when dynamically outputting the select/option menu
$status_choices = [STATUS_DISABLED=>'Inactive',STATUS_ENABLED=>'Active'];
// you would query to get the current user's information and permissions here...
// fake the user's role
$role_id = ROLE_ADMIN;
$errors = []; // an array to hold user error messages
$post = []; // an array to hold a trimmed working copy of the submitted form data
// form processing, detect if a post method form was submitted
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
// if there is more than one possible form on this page, add logic here (switch/case) to detect which form was submitted
// save/update code -
// trim all the input data at once
$post = array_map('trim',$_POST); // if any of the fields can be arrays, use a recursive trim call-back function here instead of php's trim function
// use elements in $post in the rest of the code on this page
// validate all the inputs here, adding validation error messages in the $errors array, using the field name as the array index
// the existence of and validation for role_id, status, and id are dependent on the current user's role and if they are editing their own record
// validation of the conform_pwd and password/confirm_pwd match is depended on the password field being not empty
// if there are no errors, use the submitted data
if(empty($errors))
{
$params = []; // an array to hold the prepared query input values
$set_terms = []; // an array to hold the SET terms
// add the 'always' fields
$set_terms[] = "first_name = ?";
$set_terms[] = "last_name = ?";
$set_terms[] = "email = ?";
$set_terms[] = "username = ?";
$params[] = $post['first_name'];
$params[] = $post['last_name'];
$params[] = $post['email'];
$params[] = $post['username'];
// add the password field
if($post['password'] != '')
{
$set_terms[] = "password = ?";
$params[] = password_hash($post['password'], PASSWORD_DEFAULT);
}
// add the admin only fields (role_id, status, and WHERE id) if the current user is an admin and is not editing their own record
if($role_id == ROLE_ADMIN && $_SESSION['id'] != $post['id'])
{
$set_terms[] = "role_id = ?";
$set_terms[] = "status = ?";
$params[] = $post['role_id'];
$params[] = $post['status'];
// the WHERE id = ? value
$params[] = $post['id'];
}
else
{
// the WHERE id = ? value
$params[] = $_SESSION['id'];
}
// build and execute the sql query
$sql = "UPDATE users SET " . implode(',',$set_terms) . " WHERE id = ?";
//$stmt = $pdo->prepare($sql);
//$stmt->execute($params);
// examine the query/data
echo '<pre>';
echo $sql; echo '<br>';
print_r($params);
echo '</pre>';
// note: because the above query can produce duplicate errors for the username and email fields, you would need to detect that here using whatever query error handling method you are using
}
// if no errors at this point (the sql query logic can produce duplicate errors), success
if(empty($errors))
{
// redirect to the exact same url of this page to cause a get request - PRG Post, Redirect, Get.
die(header("Refresh:0"));
// note: if you want to display a one-time success message, store it in a session variable, then test, display, and clear that variable in the html document
}
}
// get method business logic - get/produce data needed to display the page
// condition and validate the input(s) - edit_id
$edit_id = isset($_GET['edit_id']) ? (int)trim($_GET['edit_id']) : 0;
if(!$edit_id)
{
$errors[] = 'A user has not been selected.';
}
// if the form has not been submitted and there is an edit_id, retrieve the initial data to edit, less the password hash, and store it in $post
if(empty($post) && $edit_id)
{
$sql = "SELECT id, first_name, last_name, email, username, role_id, status FROM users WHERE id = ?";
//$stmt->prepare($sql);
//$stmt->execute([$edit_id]);
//$post = $stmt->fetch();
// fake some data
$post = ['id'=>$edit_id,'first_name'=>'fn','last_name'=>'ln','email'=>'em','username'=>'un','role_id'=>2,'status'=>0];
}
// the html document starts here...
?>
<?php
// display any errors
if(!empty($errors))
{
echo implode('<br>',$errors);
}
// output the form
if(!empty($post))
{
?>
<form method='post'>
<label>First Name: <input type='text' name='first_name' value='<?php echo htmlentities($post['first_name'] ?? '',ENT_QUOTES); ?>'></label><br>
<label>Last Name: <input type='text' name='last_name' value='<?php echo htmlentities($post['last_name'] ?? '',ENT_QUOTES); ?>'></label><br>
<label>Email: <input type='text' name='email' value='<?php echo htmlentities($post['email'] ?? '',ENT_QUOTES); ?>'></label><br>
<label>Username: <input type='text' name='username' value='<?php echo htmlentities($post['username'] ?? '',ENT_QUOTES); ?>'></label><br>
<?php // note: depending on any errors in either/both the password and confirm_pwd fields, you would clear the values being output so that the user must reenter one/both values ?>
<label>Password: <input type='text' name='password' value='<?php echo htmlentities($post['password'] ?? '',ENT_QUOTES); ?>'></label><br>
<label>Confirm Password: <input type='text' name='confirm_pwd' value='<?php echo htmlentities($post['confirm_pwd'] ?? '',ENT_QUOTES); ?>'></label><br>
<?php
// add the admin only fields (role_id, status, id) if the current user is an admin and is not editing their own record
if($role_id == ROLE_ADMIN && $_SESSION['id'] != $post['id'])
{
// output the select/option menus for role_id and status, pre-selecting any existing option choice
?>
<select name='role_id'>
<option value=''>Select the role</option>
<?php
foreach($role_choices as $choice_id=>$choice)
{
$sel = isset($post['role_id']) && $post['role_id'] == $choice_id ? ' selected' : '';
echo "<option value='$choice_id'$sel>$choice</option>";
}
?>
</select><br>
<select name='status'>
<option value=''>Select the status</option>
<?php
foreach($status_choices as $choice_id=>$choice)
{
$sel = isset($post['status']) && $post['status'] == $choice_id ? ' selected' : '';
echo "<option value='$choice_id'$sel>$choice</option>";
}
?>
</select><br>
<input type='hidden' name='id' value='<?php echo htmlentities($post['id'] ?? '',ENT_QUOTES); ?>'>
<?php
}
?>
<input type='submit'>
</form>
<?php
}
?>