can a select statement return more than one value

[Gilbert]

Hi all,  I am populating the <options> of a <select> statement from a database using php.  I'm setting the value of the options to the 'workerID' and setting the innerHTML to the worker name, reading both of these values from the database table 'workers'.  The 'input' button runs the php and I have the workerID as a value, but then I have to access the table again matching the workerID in a where clause to get the first & last name of the worker.  It seems kind of redundant to do it this way - the question is, is there any way to pass along the worker name (which you just looked up) along with the worker ID, to the php function, or is this a normal way to do this.    I thought of making the 'value' attribute a combination of ID and name, and then separating it in the php function to use, but I was wondering if there was an easier way that I am missing.   I am just trying to cut down on traffic to the server.   It would seem like there would be a better way to do this.   Here is my code - thanks for your help!!

<div id="chooseWorker">
    
    <?php
        if ($_SERVER["REQUEST_METHOD"] == "POST") {
            $chosenWorker = ($_POST["mySelect"]);
            include "phpConnection.php";
            $sql = "SELECT firstName, lastName FROM workers WHERE workerID = '".$chosenWorker;
    	    $result = $conn->query($sql);
            if ($result->num_rows > 0) {
                while($row = $result->fetch_assoc()) {
                    $_SESSION["adminFirstName"] = $row["firstName"];
                    $_SESSION["adminLastName"] = $row["lastName"];
                }
            }
            } else {
                return "Worker not Found";
            }
        }
    ?>
    <h3>Please choose a Worker</h3>

    <form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
        <select name="mySelect" size="12">
        <?php
	        include "phpConnection.php";
            $sql = "SELECT * FROM workers ORDER BY ranking";
	        $result = $conn->query($sql);
            if ($result->num_rows > 0) {
                while($row = $result->fetch_assoc()) {
                    $fullName=$row["firstName"] . " " . $row["lastName"];
        ?>
        <option value="<?php echo $row['workerID'];?>"><?php echo $fullName;?></option>
        <?php
           } // end while
        } // end if
        ?>
        </select>
        <input type="submit" value="Submit">
    </form>
    
    <div>
        <button>cancel</button>
    </div>
</div>

 

[justsomeguy]

If you want to include multiple values and then separate them, you can, but make sure you validate everything.  You wouldn't want someone to submit a combination that isn't actually in the database.  In other words, you still need another trip to the database for validation, so you're not saving anything by doing that.

[Gilbert]

Thanx justsomeguy - I think what you're basically saying is that I did it correctly - that I have the right idea.   I'm not sure I follow you on the 'validation' part because I'm getting the information from a database and asking the user to click on one of the options in the combo box list.   Where is the validation needed?  I think I'm missing where a user could inject malicious code.   Thanx....

[justsomeguy]

No one has to use your form, if you have a page that accepts input from $_GET or $_POST anyone can send anything they want to that page.  Make sure you validate your inputs.