0

I have a form having text field. When user submit data it checks whether the entered data is correct or not against a column "Answer" in a table.

But here is the problem - it is accepting anything without verifying the submitted text field against the correct answer.

I am new to php so please help. here is the code.

 $myuser = $_SESSION["myusername"]; $mypass = $_SESSION["mypassword"];
 $host="localhost"; // Host name 
 $username="f123"; // Mysql username
 $password="t"; // Mysql password 
 $db_name="f"; // Database name 
 $tbl_name="members"; // Table name 
 $tbl_name2="quiz"; // Table name 2


mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

if(isset($_POST['qno']))
{
$sql3="SELECT * FROM $tbl_name2 WHERE id='".$_POST['qno']."'";
$result3=mysql_query($sql3);

$disp3=mysql_fetch_assoc($result3);

$sql4="SELECT * FROM $tbl_name WHERE username='$myuser' and password='$mypass'";
$result4=mysql_query($sql4);

$disp4=mysql_fetch_assoc($result4);

if($disp3['Answer']==$_POST['Answer'])
{

$sql5="UPDATE $tbl_name SET level_crossed='".($disp4['level_crossed']+1)."',
Score='".($disp4 ['Score']+1)."' WHERE username='$myuser' and password='$mypass'";
 $result5=mysql_query($sql5);
}
else {
$sql5="UPDATE $tbl_name SET level_crossed='".($disp4['level_crossed']+1)."' 
WHERE    username='$myuser' and password='$mypass'";
$result5=mysql_query($sql5);

<form name="quizq" action="quiz.php" method="post" >
<input name="qno" type="hidden" value="<?php echo $disp['level_crossed']+1; ?>" />
<input type="text"  name="Answer"  />
<input type="submit" value="Submit Answer" /></p>
</form>
pallavi
  • 114
  • 1
  • 3
  • 9
  • 1
    The form you've given us has no `answer` field – What have you tried Apr 23 '13 at 14:56
  • 1
    You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 23 '13 at 15:01
  • Your code is HORRIBLY vulnerable to SQL injection, and uses deprecated `mysql_*` functions. Please switch to using [MySQLi](http://php.net/manual/en/book.mysqli.php) with prepared statements immediately, and read up on [SQL injection](https://www.owasp.org/index.php/SQL_Injection) so that you're aware of the security problems. – Polynomial Apr 23 '13 at 15:01
  • please check the whole code again. Thanks and sorry for the inconvenience – pallavi Apr 23 '13 at 15:02
  • To be honest, you're not giving us nearly enough information to solve this problem. What does your database look like? What do `$result3` and `$result4` look like? Do you have any errors? – What have you tried Apr 23 '13 at 15:04
  • No errors.. it just move to next question without cheking if the answer is correct or not. Whether I type cx or cagkuhf or anything. It simply passes to next question – pallavi Apr 23 '13 at 15:05
  • @polynomial- it is just a college project to nothing to worry about sql- injection . Anyways thanks a lot – pallavi Apr 23 '13 at 15:06
  • Can you show us the database structure. Where do you set $tbl_name and $tbl_name2? – miah Apr 23 '13 at 15:07
  • $myuser = $_SESSION["myusername"]; $mypass = $_SESSION["mypassword"]; $host="localhost"; // Host name $username="f123"; // Mysql username $password="t"; // Mysql password $db_name="f"; // Database name $tbl_name="members"; // Table name $tbl_name2="quiz"; // Table name 2 – pallavi Apr 23 '13 at 15:09

1 Answers1

0

Just make own debug. Before $disp3['Answer']==$_POST['Answer'] add

var_dump($disp3);
var_dump($_POST);

Check if you have any Answer in both arrays. If you don't, check your database field name and your POST field/input (both are case-sensitive)

I will also add that you need to check the SQL-injection and escape your fields or, better, use PDO and prepared statements.

vectorialpx
  • 587
  • 2
  • 17
  • this worked but some other errors came up like the page is showing array(7) { ["id"]=> string(1) "1" ["Question"]=> string(339) " – pallavi Apr 23 '13 at 15:14
  • `var_dump` is just used for variables output. That is not an error! :) Check if your `array(7)` has the `Answer` key. Also, for the second dump, check the `Answer` key. That's how you debug. – vectorialpx Apr 24 '13 at 13:00