2

I am building a PHP-based quiz for a website. I am a beginner. I wrote code to get the questions and options from the database and display them in the form on my page. When the user selects an option, I want the answers to be inserted into my database. I wrote some basic code but it's not working, please help. Here is my code. The table for questions has 7 rows (qid, question, optiona, optionb, optionc, optiond, answeroption); the answers table has a simple 2 rows (qid, answer).

if(isset($_POST['next']))
{
    $a=$_POST['a'];
}
if(!isset($a))
{
    $a=0;
}
include('connection.php');
mysql_query("INSERT INTO answers (username,qid, option)
VALUES ($username,a-1,'$_POST('option'))");

$sql1="SELECT * FROM exam1  LIMIT 1 OFFSET $a";
$result=mysql_query($sql1);
echo "<form method='post' action='quiz.php'>";
while ($row = mysql_fetch_array($result))
{
    echo $row['question']. "<br/>";
    echo "<input type='radio' value='optiona' name='option'>" .$row['optiona'];
    echo "<input type='radio' value='optionb' name='option'>" .$row['optionb'];
    echo "<input type='radio' value='optionc' name='option'>" .$row['optionc'];
    echo "<input type='radio' value='optiond' name='option'>" .$row['optiond']; "<br/>";
}
$c=$a-1;
$b=$a+1;
echo "<input type='hidden' value='$c' name='a'>";
echo "<input type='submit' name='previous' value='previous'> ";
echo "<input type='hidden' value='$b' name='a'>";
echo "<input type='submit' name='next' value='next'> ";
echo "<input type='reset' name='reset' value='Reset'>";
echo "</form>";

?>

  • Can you be more specific as to where the error occurs? Though I see one in the fifth echo statement in the while-loop, where there is a semicolon (;) instead of a dot (.). You want to concatenate those strings you see :) Also I would recommend you don't use echo like this, but simply exit php like so: `?>`, type your html and then enter php again like so ` – MrHug Feb 22 '13 at 21:17

2 Answers

2

You need to study up on basic PHP syntax. $_POST is not a function. It's an array. e.g.

$var = $_POST['var'];
             ^--   ^--- note the bracketing.

Even if the code DID work, you'd be wide open to SQL injection attacks.

Marc B
2

Big big attention! I hope this is just test code, not the final one!

Your code is vulnerable to injection here: $a=$_POST['a'];

I recommend replacing it with this one: $a = filter_input(INPUT_POST, 'a', FILTER_SANITIZE_STRING); this is escaped from attacks!

I hope it helps you

Domuta Marcel
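Both answers flag the request values that reach the SQL in the question. The following is an added example, not code from the question or from either answer, showing the insert with integer validation, an allowlist for the radio value, and a prepared statement. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL connection, and the `qid` form field, the `answers` columns (username, qid, answer) and the sample rows are constructed for illustration.

```php
<?php
// Added example. Assumed: PDO + in-memory SQLite instead of the page's MySQL
// connection; table layout and request data below are constructed.
declare(strict_types=1);

// The only values the four radio buttons in the form can legitimately send.
const ALLOWED_OPTIONS = ['optiona', 'optionb', 'optionc', 'optiond'];

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE exam1 (qid INTEGER PRIMARY KEY, question TEXT)');
    $pdo->exec('CREATE TABLE answers (username TEXT, qid INTEGER, answer TEXT)');
    $pdo->exec("INSERT INTO exam1 (qid, question) VALUES (1, 'Constructed question')");
    return $pdo;
}

// Returns true if the answer was stored, false if the input was rejected.
function saveAnswer(PDO $pdo, string $username, array $post): bool
{
    // The question id must parse as a positive integer; arrays, missing
    // values and strings with trailing text all yield false.
    $qid = filter_var($post['qid'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    // Strict comparison against the allowlist also rejects arrays and null.
    $option = $post['option'] ?? null;
    if ($qid === false || !in_array($option, ALLOWED_OPTIONS, true)) {
        return false;
    }
    // Placeholders keep every value out of the SQL text itself.
    $stmt = $pdo->prepare(
        'INSERT INTO answers (username, qid, answer) VALUES (?, ?, ?)');
    return $stmt->execute([$username, $qid, $option]);
}

$pdo = openDb();
// Constructed request data: a valid submission, then two malformed ones.
var_dump(saveAnswer($pdo, 'alice', ['qid' => '1', 'option' => 'optionb']));
var_dump(saveAnswer($pdo, 'alice', ['qid' => '1 OR 1=1', 'option' => 'optionb']));
var_dump(saveAnswer($pdo, 'alice', ['qid' => '1', 'option' => "optiona'"]));
// A username containing a quote is bound as data and stored verbatim.
var_dump(saveAnswer($pdo, "o'brien", ['qid' => '1', 'option' => 'optiona']));
var_dump((int) $pdo->query('SELECT COUNT(*) FROM answers')->fetchColumn());
```

The same `FILTER_VALIDATE_INT` check applies to the hidden `a` field before it is used as the `OFFSET` in the question's `SELECT`.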