php mysql based on user input form

Question

I am having trouble using a checkbox to select one or multiple fields of data for PHP/AJAX to process and display. I have the PHP/AJAX working great on my <select>s but as soon as I try setting up the checkbox all hell breaks lose.

I also am very unsure on how to further prevent SQL injection on the site so if anyone could fill me in a little more about this I would GREATLY appreciate it! I read the link I was provided and just don't understand how bid_param or PDO works exactly.

The ajax script: (I can't seem to insert the ajax/js so I'll leave a link to the live site)

Link to Agent search page

My php page that displays the data:

<div id="bodyA">
    <h1>Find a Local OAHU Agent.</h1>
    <!-- This is where the data is placed. -->  
</div>
<div id="sideB">
    <div class="sideHeader">
        <em>Advanced Search</em>            
    </div>
    <form class="formC">
        <label for="last">Last Name</label><br />
        <select id="last" name="Last_Name" onChange="showUser(this.value)">
<?php 
    include 'datalogin.php';

    $result = mysqli_query($con, "SELECT DISTINCT Last_Name FROM `roster` ORDER BY Last_Name ASC;");
    echo '<option value="">' . 'Select an Agent' .'</option>';
    while ($row = mysqli_fetch_array($result)) {
        echo '<option value="'.$row['Last_Name'].'">'.$row['Last_Name'].'</option>';
    }
?>
        </select>
        <label for="company">Company</label><br />
        <select id="company" name="users" onChange="showUser(this.value)">
<?php 
    include 'datalogin.php';

    $result = mysqli_query($con, "SELECT DISTINCT Company FROM `roster` ORDER BY Company ASC;");
echo '<option value="">' . 'Select a Company' .'</option>';
    while ($row = mysqli_fetch_array($result)) {
        if ($row['Company'] == NULL) {
        } else {
            echo '<option value="'.$row['Company'].'">'.$row['Company'].'</option>';
        }
    }
?>
        </select>
        <label for="WorkCity">City</label><br />
        <select id="WorkCity" name="WorkCity" onChange="showUser(this.value)" value="city">
<?php 
    include 'datalogin.php';

    $result = mysqli_query($con, "SELECT DISTINCT WorkCity FROM `roster` ORDER BY WorkCity ASC;");
    echo '<option value="">' . 'Select a City' .'</option>';
    while ($row = mysqli_fetch_array($result)) {
        echo '<option value="'.$row['WorkCity'].'">'.$row['WorkCity'].'</option>';
    }
?>
        </select>
        <label for="WorkZipCode">Zip Code</label><br />
        <select id="WorkZipCode" name="WorkZipCode" onChange="showUser(this.value)">
<?php 
      include 'datalogin.php';

      $result = mysqli_query($con, "SELECT DISTINCT WorkZipCode FROM `roster` ORDER BY WorkZipCode + 0 ASC;");
      echo '<option value="">' . 'Select a Zip Code' .'</option>';
      while ($row = mysqli_fetch_array($result)) {
          echo '<option value="'.$row['WorkZipCode'].'">'.$row['WorkZipCode'].'</option>';
      }
?>
        </select>
        <label for="agent">Agent Expertise</label><br />
        <label for="ancillary"><input type="checkbox" value="Ancillary" name="Ancillary[]" id="ancillary" />Ancillary</label><br />
        <label for="smallgroup"><input type="checkbox" value="Smallgroup" name="Smallgroup[]" id="smallgroup" />Small Group</label><br />
        <label for="largegroup"><input type="checkbox" value="LargeGroup" name="LargeGroup[]" id="largegroup" />Large Group</label><br />
        <label for="medicare"><input type="checkbox" value="Medicare" name="Medicare[]" id="medicare" />Medicare</label><br />
        <label for="longterm"><input type="checkbox" value="LongTerm" name="LongTerm[]" id="longterm" />Long Term Care</label><br />
        <label for="individual"><input type="checkbox" value="Individual" name="Individual[]" id="individual" />Individual Plan</label><br />
        <label for="tpa"><input type="checkbox" value="TPASelfInsured" name="TPASelfInsured[]" id="tpa" />TPA Self Insured</label><br />
        <label for="ppaca"><input type="checkbox" value="CertifiedForPPACA" name="CertifiedForPPACA[]" id="ppaca" />Certified for PPACA</label><br />
    </form>
</div>

My php page that pulls the info and places it into a container on the page:

    $q = (isset($_GET['q'])) ? $_GET['q'] : false; // Returns results from user input

    include 'datalogin.php'; // PHP File to login credentials

    $sql="SELECT * FROM `roster` WHERE Company = '".$q."' OR Last_Name = '".$q."' OR WorkCity = '".$q."' OR WorkZipCode = '".$q."' ORDER BY Last_Name ASC";

    $result = mysqli_query($con,$sql) // Connects to database or die("Error: ".mysqli_error($con));

    echo "<h1>" . "Find a Local OAHU Agent." . "</h1>";

    while ($row = mysqli_fetch_array($result)) { // Gets results from the database
                echo "<div class='agentcon'>" . "<span class='agentn'>" . "<strong>".$row['First_Name'] . "&nbsp;" .$row['Last_Name'] . "</strong>" . "</span>" . "<a href=mailto:".$row['Email'] . ">" . "<span class='email'>".$row['Email'] . "</span>" . "</a>" ."<div class='floathr'></div>";
                if ($row['Company'] == NULL) {
                    echo "<p>";
                }
                else {
                    echo "<p>" . "<strong>" .$row['Company'] . "</strong>" . "<br>";
                }
                echo $row['WorkAddress1'] . "&nbsp;" .$row['WorkCity'] . "," . "&nbsp;" .$row['WorkStateProvince'] . "&nbsp;" .$row['WorkZipCode'] . "<br>";
                if ($row['Work_Phone'] !== NULL) {
                    echo "<strong>" . "Work" . "&nbsp;" . "</strong>" .$row['Work_Phone'] . "<br>";
                }
                if ($row['Fax'] !== NULL) {
                    echo "<strong>" . "Fax" . "&nbsp;" . "</strong>" .$row['Fax'] . "<br>";
                }
                echo "<strong>" . "Agent Expertise:" . "</strong>";
                if ($row['Ancillary'] == 1) {
                        echo "&nbsp;" . "Ancillary" . "/";
                }
                if ($row['SmallGroup'] == 1) {
                        echo "&nbsp;" . "Small Group" . "/";
                }
                if ($row['IndividualPlans'] == 1) {
                        echo "&nbsp;" . "Individual Plans" . "/";
                }
                if ($row['LongTermCare'] == 1) {
                        echo "&nbsp;" . "Long Term Care" . "/";
                }
                if ($row['Medicare'] == 1) {
                        echo "&nbsp;" . "Medicare" . "/";
                }
                if ($row['LargeGroup'] == 1) {
                        echo "&nbsp;" . "LargeGroup" . "/";
                }
                if ($row['TPASelfInsured'] == 1) {
                        echo "&nbsp;" . "TPA Self Insured" . "/";
                }
                if ($row['CertifiedForPPACA'] == 1) {
                        echo "&nbsp;" . "Certified For PPACA";
                }
                echo "</p>" . "</div>";
    }
    mysqli_close($con);
?>

I appreciate any and all help on this topic! Any time I add the checkbox values to my php file it ends up displaying everyone in the database for all fields in the form.

I am also trying to prevent sql injection on this but how can a user do this if I don't have a field the user can input text into?

EDIT As of today I gave a try with using jQuery to activate the checkboxes and then call some AJAX. Here is the script I wrote and it is pulling an agent, just not everyone that has that "expertise".

$('input').click(function() {
        $.ajax({
            url: "process.php",
            data: { value: 1},
            success: function (data) {
                $('#bodyA').html(data);
            }
        });
    });

Answer 1

Here's a quick example of something I recently worked on in which I needed to loop through multiple checkboxes and pass those values into a SQL statement. Although this example happens on a button click, hopefully its something along the lines of what you are trying to accomplish, or at least at start... :)

<?php
$array = array();
if (isset($_POST['medicare'])) {
    foreach ($_POST['medicare'] as $value) {
        array_push($array, $value);
    }
}
// this will return the value of each selected checkbox, separating each with a comma
$result = implode(",", $array);

// if you want to loop through each individually (for example pass each into a SQL statement)
foreach ($_POST['medicare'] as $value) {
    // Do your SQL here 
    // $value will be the value of each selected checkbox (Smallgroup, Largegroup, etc.)
    $sql = "insert into tablename(fieldname) values ('$value')"; // just an example
}
?>

<input type="checkbox" name="medicare[]" id="smallgroup" value="Smallgroup" />
<label for="smallgroup">Small Group</label>
<br />
<input type="checkbox" name="medicare[]" id="largegroup" value="Largegroup" />
<label for="largegroup">Large Group</label>
<br />
<input type="checkbox" name="medicare[]" id="medicare" value="Medicare" />
<label for="medicare">Medicare</label>
<br />
<input type="checkbox" name="medicare[]" id="individualplan" value="IndividualPlan" />
<label for="individualplan">Individual Plan</label>
<br />
<input type="submit" value="Submit" id="btnSubmit" name="btnSubmit" />

UPDATE

Instead of setting one variable, try setting a variable for each select control and putting your SQL statement in a foreach loop. I just tested this with some dummy data and didn't have any issues with it.

<?php
$lastname = (isset($_GET['Last_Name'])) ? $_GET['Last_Name'] : false;
$users = (isset($_GET['users'])) ? $_GET['users'] : false;
$workCity = (isset($_GET['WorkCity'])) ? $_GET['WorkCity'] : false;
$WorkZipCode = (isset($_GET['WorkZipCode'])) ? $_GET['WorkZipCode'] : false;

foreach ($_GET['medicare'] as $value) {
    //echo $value;
    $sql="SELECT * FROM roster WHERE Company = '$users' OR Last_Name = '$lastname' OR WorkCity = '$workCity' OR WorkZipCode = '$WorkZipCode' OR Ancillary = '$value' ORDER BY Last_Name ASC";
}
...continue as you were...
?>