-1

I'm trying to insert data from existing variables and a selected column from another table.

Here is my code:

```php
$jobtitle=$_POST['jobtitle'];
$jobdescription=$_POST['jobdescription'];
$requirements=$_POST['requirements'];
$resume=$_POST['resume'];
$expyears=$_POST['expyears'];
$submit=$_POST['submit'];
$useremail=$_SESSION['email'];

$insert=mysql_query("INSERT INTO career (jobtitle, jobdescription, requirements, expyears, resume, useremail, resname) VALUES ('$jobtitle','$jobdescription','$requirements','$expyears','$resume','$useremail', SELECT resname FROM restaurant WHERE useremail='$useremail')");
```

But the above code does not give any result to my database.

Is there any solution for this problem?

Thanks

newvie
  • Are you 110% sure that the values are actually set? You can never be sure without [checking](http://php.net/manual/en/function.isset.php). – Jonast92 Nov 04 '14 at 15:50
  • Did you use `mysql_connect` to connect to your database? Do you get any errors? – Jerodev Nov 04 '14 at 15:50
  • 4
    Please, [don't use `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://us1.php.net/pdo) or [MySQLi](http://us1.php.net/mysqli). [This article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide. – Jay Blanchard Nov 04 '14 at 15:51
  • You don't show a connection to the database or any error checking. – Jay Blanchard Nov 04 '14 at 15:51
  • 2
    Please don't dump code in comments @DarkBee. – Jay Blanchard Nov 04 '14 at 15:52
  • 4
    [generic SQL injection warning] – Sterling Archer Nov 04 '14 at 15:52
  • @Jay I don't want that comment treated as valid code cause it's plain bad coding – DarkBee Nov 04 '14 at 15:53
  • Then why post it without any qualification @DarkBee? Not sure I understand. – Jay Blanchard Nov 04 '14 at 15:55
  • George already did that now :) – DarkBee Nov 04 '14 at 15:57
  • I hope for your sake this code is nowhere near a production server. Please, stop writing SQL code this awful. This is completely reckless and full of severe [SQL injection bugs](http://bobby-tables.com/). – tadman Nov 04 '14 at 16:55

1 Answer

3

Note that you shouldn't be using mysql_* functions since it is a deprecated library. Think about making the move to mysqli_* or PDO.

Having said that, your query is incorrect. You can't use VALUES() and a selection together in an INSERT statement. You should instead select the string literals you are trying to insert along with the one value you'd like to select.

Try the following instead:

```php
$query = "
    INSERT INTO career (jobtitle, jobdescription, requirements, expyears, resume, useremail, resname)
    SELECT '$jobtitle','$jobdescription','$requirements','$expyears','$resume','$useremail', resname
    FROM restaurant
      WHERE useremail='$useremail'
";
```
George
  • 3
    There is no `VALUES` keyword, just a selection. – George Nov 04 '14 at 15:55
  • 1
    So explain that, instead of just posting potentially correct (but vulnerable to SQL injection) code without telling the OP why this is right. – Sterling Archer Nov 04 '14 at 15:58
  • That is totally wrong because INSERT does not accept WHERE. Check [here](http://dev.mysql.com/doc/refman/5.6/en/insert.html) –  Nov 04 '14 at 16:01
  • 1
    @Begueradj No, but `SELECT` does. – jeroen Nov 04 '14 at 16:07
  • 1
    @SterlingArcher I made a clear warning prior to answering, there's not a lot else for me to do as far as that is concerned. Since this issue is directly MySQL based and not actually anything to do with PHP, I see no reason not to continue answering. – George Nov 04 '14 at 16:10
  • @Begueradj That is totally wrong because this query is perfectly correct. – Strawberry Nov 04 '14 at 16:23
  • If you really want to encourage using placeholders, which is a great idea, provide answers using them. This has just weaponized a previously non-functional query. If the person asking the question insists on playing with fire, they can be responsible for adding the SQL injections themselves. – tadman Nov 04 '14 at 16:56
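
The `INSERT ... SELECT` from the answer rewritten with bound placeholders through PDO, as the comments ask for. This is an added example, not code from the thread: the in-memory SQLite connection, the `insertCareer` helper, the `:lookup_email` placeholder name and the sample rows are assumptions made so it runs without a MySQL server.

```php
<?php
// Assumption: in-memory SQLite stands in for the MySQL database of the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly, not silently

// Constructed schema and sample row; column names are the ones in the question.
$pdo->exec('CREATE TABLE restaurant (useremail TEXT, resname TEXT)');
$pdo->exec('CREATE TABLE career (jobtitle TEXT, jobdescription TEXT, requirements TEXT,
            expyears TEXT, resume TEXT, useremail TEXT, resname TEXT)');
$pdo->prepare('INSERT INTO restaurant (useremail, resname) VALUES (?, ?)')
    ->execute(['owner@example.test', "Luigi's Kitchen"]);

// Hypothetical helper: returns the number of rows inserted.
function insertCareer(PDO $pdo, array $form, string $useremail): int
{
    // Every value travels as a bound parameter, never as part of the SQL text.
    // The e-mail is bound under two names because native MySQL prepares do not
    // allow the same named placeholder to appear twice in one statement.
    $stmt = $pdo->prepare('
        INSERT INTO career (jobtitle, jobdescription, requirements, expyears, resume, useremail, resname)
        SELECT :jobtitle, :jobdescription, :requirements, :expyears, :resume, :useremail, resname
        FROM restaurant
        WHERE useremail = :lookup_email
    ');
    $stmt->execute([
        ':jobtitle'       => $form['jobtitle'] ?? '',
        ':jobdescription' => $form['jobdescription'] ?? '',
        ':requirements'   => $form['requirements'] ?? '',
        ':expyears'       => $form['expyears'] ?? '',
        ':resume'         => $form['resume'] ?? '',
        ':useremail'      => $useremail,
        ':lookup_email'   => $useremail,
    ]);
    // Zero rows means no restaurant matched the e-mail, so nothing was inserted.
    return $stmt->rowCount();
}

// Constructed form input; the apostrophe would break the concatenated query.
$form = ['jobtitle' => "Chef d'equipe", 'jobdescription' => 'Runs the line',
         'requirements' => "Knows the kitchen's menu", 'expyears' => '3', 'resume' => 'cv.pdf'];

echo 'matched e-mail: ', insertCareer($pdo, $form, 'owner@example.test'), " row(s)\n";
echo 'unknown e-mail: ', insertCareer($pdo, $form, 'nobody@example.test'), " row(s)\n";

// The stored values are exactly what was submitted, quotes included.
foreach ($pdo->query('SELECT jobtitle, resname FROM career') as $row) {
    echo $row['jobtitle'], ' @ ', $row['resname'], "\n";
}
```

Checking the returned row count matters with `INSERT ... SELECT`: when the `WHERE` clause matches no restaurant, the statement succeeds without inserting anything.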