I figured I'd get better responses here rather than in the Computer Tech Support forum (feel free to move this if you think otherwise mods).

I know very little about php/mysql but I'm undertaking a project using previous programming experience and google to lead the way.

I'm having trouble performing a task which is probably simple.

Here's the situation:

I have 2 databases, we'll name them as:
database_TO
database_FROM

Each database has a field named "pid". This ID is linked to a user's profile ID (unique key).

What I'm trying to do is copy a a selected column from _FROM to _TO. The selection state is being made through checkboxes in a form.

Variables are being passed through _POST.

ie.

etc..

So, in my copy routine I have this going on...

Nothing fancy really, I'm passing the database name/pid in a hidden form field.

Then we have our standard loop.

Inside the loop I check to see if the column is to be copied by getting the checkbox value.

(Before this if statement I am setting both str_set and str_select to "" to define/clear them btw).

Anyways I think this works. The last field is hard coded (the date) so it's ok if all of my "is checked or not?" strings end in a comma.

Onto the problem area...

After a bit of googling + experimenting I came up with this:

The end result is if I have 4 rows in the database then it echos it 4 times (as expected) and there are no errors when I execute the query. It just does nothing at all.

Any ideas why?

Here's the echo:

Btw excuse any obvious errors like variable/field names not matching up. I manually changed them by hand in this post. The variable/field names are 99.9% guaranteed to be matching (NotePad++ has a neat little feature to easily make sure variables are the exactly the same through highlighting).

Side note... I think a limitation of this is that both databases need the same amount of rows for this to work but I'm ok with that. Actually it would be a problem if they didn't match due to the information being copied.

Programming questions just as good in here than CTH is my guess.

It confuses me you seen to be using database_TO / database_FROM as table names...

The echo is messed up here: "WHERE pid='3' = (SELECT " (I think, dunno if MySQL has some weirdnedd to accept such syntax) - my guess ids you need at least "WHERE pid='3' AND something = (SELECT ", although I can't see why you'd be doing a select on the end of an update command anyhow if the PIDs are unique.


post the whole code?

They are different tables not databases. Sorry about that. Just re-read my original post thinking "table_TO" and table_FROM" rather than database_TO/_FROM.

The "weirdness" came from googling on how to copy a column from 1 table to another table. I have no idea what the real syntax is.

I basically took this dude's response: (chazzy, the last post in the thread)
http://www.webdeveloper.com/forum/ar...p/t-83585.html

... and tried to rig it to work without the column B/D stuff (because in the original poster's question he needed to do this only if B=D, where as I do not need this).

The logic of the site works like this:

1. A user is created.

2. A user can create 1 or more "data profiles" (each data profile they create has a unique ID which is defined as the PID).
[There's a data_profile table that has the following fields: id/userid/datecreated/etc]
[This ID is unique and this is the actual PID]

3. Upon creating this data profile I fill up a bunch of tables with predefined data using the PID as a unique identifier (to see who it belongs to).

Now they have the option to add/edit/etc the data in those tables. Each table has a PID field of course.

So now let's say you're browsing around and want to copy some data from another data profile. You only want to copy ColumnX rather than every column (every column is easy because then you can just empty all the entries by PID(x) and re-add them).

I am trying to get it to do this...

"Ok, you're browsing data which belongs to PID 3 [a data profile made by someone] and you want to copy ColumnX from PID 3 to PID 5 [the data profile you've selected to copy to]".

I hope this is clear.

Edit:
I'm passing the to/from PIDs in hidden text boxes and they are getting set properly, etc.. It's just the syntax for doing a column copy across 2 tables that's giving me trouble.

Rule #1: Always validate your input. If someone hacked the html request and made toPID = "a' or 't'='t", the table you are updating would be completely overwritten. Just because it's hidden doesn't mean it can be trusted.

Not tested, but I think it should work.

I've been validating with htmlspecialchars($x, ENT_QUOTES) and mysql_real_escape_string() whenever I set a variable to get the POST/GET properties. This should be good enough I hope?

2 cans of Pepsi later... and it works heh. Thanks for the help.

Only 2?

I'm usually more aggressive than just doing escape characters. I use regexes and is_* functions to ensure that the data is actually the type I expect. Escape characters can protect against injection, but your sql command is still going to fail when the user manages to pass characters when you expect a number.

Oh, I have protection vs non-numbers in that sense. I just want to make sure I'm safe vs any type of injection/bs.

Before I run any queries on it I compare the PID to all of the PIDs for that specific UserID for both the TO/FROM queries. If the PID ends up being something other than a PID that exists for that UserID then I display an error page and nothing gets executed.

On a semi-related topic, getting -any- type of value from a GET property is giving me slight headaches too. I have a few pages where I'm passing around GET properties. If the page is missing any it should throw an error otherwise it does the PID check+displays.

Between doing isset() on the GET property and checking if the variable is "", null, or "undefined" it still doesn't fail when it's missing the full property. I have no idea why.

Ex.

index.php?name=dude&pid=3

This works...

...but If I check the name and pid (using isset(), ""/null/undefined) it still tries to load the non-error page if someone enters:

index.php?name=dude

I guess you could do the php equiv. of indexOf on everything past the "?" to make sure it's there but that seemed a little clumsy.

I'm not sure if I'm reading it right, but maybe you could try empty() instead of isset().

Post the code that does the checking so we can spot any obvious errors you might've missed.

MakeSafe() is just a function I put together that returns the result of htmlspecialchars and mysql_real_escape_string on the string.

echo returns all of the vars correctly.

This is the trimmed down version without comparing it to != "" || != null || != "undefined".

I think it is a problem with what isset() actually does. I guess all of them return true here because they are set even though they are set to empty, but not null. I just assumed if the GET/POST property didn't exist it would return null by default rather than empty.

empty() is a good idea. I'll change it to that.

Edit:
Confirmed !empty() works perfect.