Form to database issue


savagenoob

I have a form that allows a user to create and store quiz questions in the database for later use. I have run across error messages on each question that has a ' . The tables are all set up as VARCHAR() so I don't know what's going on. Here is the code.

 

<?php
if(isset($_POST['submitquestion']))
{
	$testname = trim($_POST['testname']);
	echo $testname;
	$question = trim($_POST['question']);
	$option1 = trim($_POST['option1']);
	$option2 = trim($_POST['option2']);
	$option3 = trim($_POST['option3']);
	$option4 = trim($_POST['option4']);
	$answer = trim($_POST['correct']);

	$select = mysql_query("INSERT INTO pq_crtp_quiz SET question = '$question', option1 = '$option1', option2 = '$option2', option3 = '$option3', option4 = '$option4', answer = '$answer', testname = '$testname'");
	echo mysql_error();
	echo "Question Added Successfully";
	echo "<meta http-equiv=Refresh content=20;url=quizadd.php>";
}
?>
<form action="" method="post" name="Add Question">
<table>
<tr><th>Add a question to a test</th></tr>
<tr><td>Select a test <?php echo '<SELECT name="testname">';
foreach ($showtest as $key => $value) {
    echo '<OPTION value="' . $value . '"> ' . $value . '</OPTION>';
}
echo '</SELECT>'; ?></td></tr>
<tr><td>Question</td></tr>
<tr><td><textarea name="question" cols="120" rows="20" wrap="virtual"></textarea></td></tr>
<tr><th>Input the answer options</th></tr>
<tr><td>Option 1 <input name="option1" type="text" size="40" maxlength="160" /></td></tr>
<tr><td>Option 2 <input name="option2" type="text" size="40" maxlength="160" /></td></tr>
<tr><td>Option 3 <input name="option3" type="text" size="40" maxlength="160" /></td></tr>
<tr><td>Option 4 <input name="option4" type="text" size="40" maxlength="160" /></td></tr>
<tr><th>Select the correct answer: </th></tr>
<tr><td><label><input type="radio" name="correct" value="Option 1" id="correct_0" />
    option1</label></td></tr>
<tr><td><label><input type="radio" name="correct" value="Option 2" id="correct_1" />
    option2</label></td></tr>
<tr><td><label><input type="radio" name="correct" value="Option 3" id="correct_2" />
    option3</label></td></tr>
<tr><td><label><input type="radio" name="correct" value="Option 4" id="correct_3" />
    option4</label></td></tr>
<tr><td><input type="submit" name="submitquestion" value="Next"></td></tr>
</table>
</form>
<br />

while you're trimming the input, you're not sanitizing it. there are a few ways to accomplish this. given your code, consider using:

 

http://www.php.net/mysql_real_escape_string

 

there are other mechanisms to accomplish this task, but somewhere along the way and before the database executes the statement, it has to be done.

 

jason
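
Why the apostrophe breaks the INSERT, and the parameterized alternative to escaping, as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database as a stand-in for MySQL; the `$post` values are constructed and the column layout is assumed from the INSERT in the first post.

```php
<?php
// Added example, not the poster's code. In-memory SQLite is a stand-in for
// the MySQL database; the column layout is assumed from the INSERT above.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pq_crtp_quiz (question TEXT, option1 TEXT, option2 TEXT,
    option3 TEXT, option4 TEXT, answer TEXT, testname TEXT)');

// Constructed sample input standing in for $_POST.
$post = [
    'testname' => 'Sample test',
    'question' => "What's the capital of France?",
    'option1'  => 'Paris',
    'option2'  => "St. John's",
    'option3'  => 'Rome',
    'option4'  => 'Madrid',
    'correct'  => 'Option 1',
];

// 1) Concatenation: the apostrophe in "What's" ends the SQL string literal
//    early, so the database sees malformed SQL and rejects the statement.
$broken = "INSERT INTO pq_crtp_quiz (question) VALUES ('{$post['question']}')";
try {
    $pdo->exec($broken);
} catch (PDOException $e) {
    echo "Concatenated query failed: ", $e->getMessage(), "\n";
}

// 2) Prepared statement: the values travel separately from the SQL text,
//    so quotes in user input are data and never part of the statement.
$stmt = $pdo->prepare('INSERT INTO pq_crtp_quiz
    (question, option1, option2, option3, option4, answer, testname)
    VALUES (:question, :option1, :option2, :option3, :option4, :answer, :testname)');
$stmt->execute([
    ':question' => trim($post['question']),
    ':option1'  => trim($post['option1']),
    ':option2'  => trim($post['option2']),
    ':option3'  => trim($post['option3']),
    ':option4'  => trim($post['option4']),
    ':answer'   => trim($post['correct']),
    ':testname' => trim($post['testname']),
]);

// The apostrophes come back exactly as they were typed.
$row = $pdo->query('SELECT question, option2 FROM pq_crtp_quiz')->fetch(PDO::FETCH_ASSOC);
echo $row['question'], ' / ', $row['option2'], "\n";
```

Against MySQL only the DSN and credentials passed to `new PDO` change; the prepared statement stays the same.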

seems like it may be an encoding problem. here's a similar issue:

 

http://forums.mysql.com/read.php?103,154519,154519#msg-154519

 

there's a boat load of info if you google php utf8...

 

if you just want to remove quotes from a string, i see no reason why this wouldn't work:

 

http://www.php.net/manual/en/function.str-replace.php

 

jason

Does anyone have a reason why the table has a problem with a ' ? Also, I need help doing a preg_replace on all commas if I can't solve the problem. I have tried and failed, here is what I am trying.

 

<?php
$question1 = preg_replace("/'/", "", $question);
?>

BTW... the errors go away when I delete any ' in the questions or options

I am talking to myself I know this lol  ::) but this is bugging the hell out of me... I ran a test on my preg_replace() code and it works on a test page but with this code

<?php
if(isset($_POST['submitquestion']))
{
	$testname = trim($_POST['testname']);
	echo $testname;
	$question = mysql_escape_string($_POST['question']);
	$option1 = mysql_escape_string($_POST['option1']);
	$option2 = mysql_escape_string($_POST['option2']);
	$option3 = mysql_escape_string($_POST['option3']);
	$option4 = mysql_escape_string($_POST['option4']);
	$answer = mysql_escape_string($_POST['correct']);

$question1 = preg_replace("/'/", "", $question);
$option1a = preg_replace("/'/", "", $option1);
$option2a = preg_replace("/'/", "", $option2);
$option3a = preg_replace("/'/", "", $option3);
$option4a = preg_replace("/'/", "", $option4);
echo $question1;
echo $option1a;
echo $option2a;
echo $option3a;
echo $option4a;

	$select = mysql_query("INSERT INTO pq_crtp_quiz SET question = '$question1', option1 = '$option1a', option2 = '$option2a', option3 = '$option3a', option4 = '$option4a', answer = '$answer', testname = '$testname'");
	echo mysql_error();
	echo "Question Added Successfully";
	echo "<meta http-equiv=Refresh content=20;url=quizadd.php>";
}
?>

It is not removing the ' . I don't get it, I don't understand why the database is kicking back the strings and don't understand why my preg_replace is not working.
