Make sure that no malicious code is injected in your form and call something like:
$enrols = $DB->get_records('enrol',['enrol' => 'self', 'courseid' => $course_id])
$plugin = \enrol_get_plugin('self');
for each ($enrols as $enrol) {
$plugin->enrol_user($enrol, $user_id, $role_id);
}