INSERTING values from one table into another table

Question

I have this code to select all the fields from the 'jobseeker' table and with it it's supposed to update the 'user' table by setting the userType to 'admin' where the userID = $userID (this userID is of a user in my database). The statement is then supposed to INSERT these values form the 'jobseeker' table into the 'admin' table and then delete that user from the 'jobseeker table. The sql tables are fine and my statements are changing the userType to admin and taking the user from the 'jobseeker' table...however, when I go into the database (via phpmyadmin) the admin has been added by none of the details have. Please can anyone shed any light onto this to why the $userData is not passing the user's details from 'jobseeker' table and inserting them into 'admin' table?

Here is the code:

<?php

include ('../database_conn.php');

$userID = $_GET['userID'];

$query = "SELECT * FROM jobseeker WHERE userID = '$userID'";
$result = mysql_query($query);
$userData = mysql_fetch_array ($result, MYSQL_ASSOC);
$forename = $userData ['forename'];
$surname = $userData ['surname'];
$salt = $userData ['salt'];
$password = $userData ['password'];
$profilePicture = $userData ['profilePicture'];

$sQuery = "UPDATE user SET userType = 'admin' WHERE userID = '$userID'";

$rQuery = "INSERT INTO admin (userID, forename, surname, salt, password, profilePicture) VALUES ('$userID', '$forename', '$surname', '$salt', '$password', '$profilePicture')";

$pQuery = "DELETE FROM jobseeker WHERE userID = '$userID'";


mysql_query($sQuery) or die (mysql_error());
$queryresult = mysql_query($sQuery) or die(mysql_error());


mysql_query($rQuery) or die (mysql_error());
$queryresult = mysql_query($rQuery) or die(mysql_error());

mysql_query($pQuery) or die (mysql_error());
$queryresult = mysql_query($pQuery) or die(mysql_error());


mysql_close($conn);


header ('location:     http://www.numyspace.co.uk/~unn_v002018/webCaseProject/index.php');

?>

add a debug print of $userID and $userData before the queries and see. — Nir Alfasi, Feb 14 '12 at 23:17
Why do you call each query twice, by the way (one with and without getting the result)? — Bruno, Feb 14 '12 at 23:59
Sure it does if you call `INSERT` twice: you end up with two rows or a conflict if there's a `UNIQUE`/`PRIMARY KEY` constraint. — Bruno, Feb 15 '12 at 00:03

score 5 · Accepted Answer · edited May 23 '17 at 12:06

Firstly, never use SELECT * in some code: it will bite you (or whoever has to maintain this application) if the table structure changes (never say never).

You could consider using an INSERT that takes its values from a SELECT directly:

"INSERT INTO admin(userID, forename, ..., `password`, ...)
    SELECT userID, forename, ..., `password`, ...
    FROM jobseeker WHERE userID = ..."

You don't have to go via PHP to do this.

(Apologies for using an example above that relied on mysql_real_escape_string in an earlier version of this answer. Using mysql_real_escape_string is not a good idea, although it's probably marginally better than putting the parameter directly into the query string.)

I'm not sure which MySQL engine you're using, but your should consider doing those statements within a single transaction too (you would need InnoDB instead of MyISAM).

In addition, I would suggest using mysqli and prepared statements to be able to bind parameters: this is a much cleaner way not to have to escape the input values (so as to avoid SQL injection attacks).

EDIT 2:

(You might want to turn off the magic quotes if they're on.)

$userID = $_GET['userID'];

// Put the right connection parameters
$mysqli = new mysqli("localhost", "user", "password", "db");

if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

// Use InnoDB for your MySQL DB for this, not MyISAM.
$mysqli->autocommit(FALSE);

$query = "INSERT INTO admin(`userID`, `forename`, `surname`, `salt`, `password`, `profilePicture`)"
    ." SELECT `userID`, `forename`, `surname`, `salt`, `password`, `profilePicture` "
    ." FROM jobseeker WHERE userID=?";

if ($stmt = $mysqli->prepare($query)) {
    $stmt->bind_param('i', (int) $userID);
    $stmt->execute();
    $stmt->close();
} else {
    die($mysqli->error);
}

$query = "UPDATE user SET userType = 'admin' WHERE userID=?";

if ($stmt = $mysqli->prepare($query)) {
    $stmt->bind_param('i', (int) $userID);
    $stmt->execute();
    $stmt->close();
} else {
    die($mysqli->error);
}

$query = "DELETE FROM jobseeker WHERE userID=?";

if ($stmt = $mysqli->prepare($query)) {
    $stmt->bind_param('i', (int) $userID);
    $stmt->execute();
    $stmt->close();
} else {
    die($mysqli->error);
}

$mysqli->commit();

$mysqli->close();

EDIT 3: I hadn't realised your userID was an int (but that's probably what it is since you've said it's auto-incremented in a comment): cast it to an int and/or don't use it as a string (i.e. with quotes) in WHERE userID = '$userID' (but again, don't ever insert your variable directly in a query, whether read from the DB or a request parameter).

Hehe I'm fully agree but opening in with "never" and closing with "never say never" — CBusBus, Feb 14 '12 at 23:21
@Bruno, sorry I have 3 statements. But yes, you are right, it does insert a new row regardless of whether it has values or not. My problem now seems to be getting the values however, im using $_GET['userID'] at the top of the code which should have the information from the jobseeker applied to it when this file is called from a form via . — Tim Johnstone, Feb 15 '12 at 00:16
(I've deleted some comments, perhaps we should delete more, it's getting long; I'll delete this one.) Anyway, is what you get from `$_GET['userID']` correct and does it have an entry in your database? Again, regardless, DO NOT put any value straight in like `'$someVar'`. Turn off the magic quotes in your PHP settings too. — Bruno, Feb 15 '12 at 00:20
the userID is an auto incremented number that is stored on the database, each table has a userID. user table contains the fields: userID, userType and username. 'admin' table contains: adminID, userID, forename, surname, password, salt and profilePicture. 'jobseeker' table contains: userID, jobseekerID, profilePicture, forename, surname, password, email, d.o.b, university and location I dont think im using magic quotes and for the time being (i know its bad practise) i am not fussed as towards sql attacks, im just wanting to get the query working correctly first. — Tim Johnstone, Feb 15 '12 at 00:36

score -1 · Answer 2 · answered Feb 14 '12 at 23:32

-1

There's nothing obviously wrong with your code (apart from it being insecure with using non-escaped values directly from $_GET).

I'd suggest you try the following in order to debug:

var_dump $userData to check that the values are as you expect
var_dump $rQuery and copy and paste it into phpMyAdmin to see if your query is not as you expect

If you don't find your problem then please post back your findings along with the structure of the tables you're dealing with

answered Feb 14 '12 at 23:32

user1207727

1,543
1
15
18

Thank you for answering my question. I have done a var_dump on both userData and rQuery and the output is: bool(false) string(308) "INSERT INTO admin (userID, forename, surname, salt, password, profilePicture) VALUES (' Notice: Undefined variable: userID in /var/www/vhosts/numyspace.co.uk/web_users/home/~unn_v002018/public_html/webCaseProject/includes/adminEditJS.php on line 107 ', '', '', '', '', '')" – Tim Johnstone Feb 14 '12 at 23:43

INSERTING values from one table into another table

2 Answers2

Linked