Jump to content

Recommended Posts

Hello,

 

I posted earlier today and got the help I was looking for -- but I'm still having trouble with this.

 

I've removed addslashes/stripslashes from my code on a test site, and have updated the database to remove all slashes from the data.

 

The problem is that when this bit of code runs against an answer such as "answer" (contains quotes), I get the "You didn't select and answer" error.

 

$display = mysql_query("SELECT * FROM $table WHERE $table.video_id='$_SESSION[get]' ORDER BY id ASC",$db);

while ($row = mysql_fetch_array($display)) {

$question = $row["question"];
$answer = $row["answer"];
$q = $row["q"];
$myanswer = $_POST[$q];

echo "<tr><td><br>$question</td></tr>";

if ($myanswer == $answer) 
	echo "<tr><td>»you answered: $myanswer -- which is correct</td></tr>";

elseif ($myanswer == "")
	echo "<tr><td>»you didn't select an answer. The answer is: $answer</td></tr>";
else
	echo "<tr><td>»you answered: $myanswer. The answer is: $answer</td></tr>";

}

 

I thought the problem was that magic_quotes must be on and so I've emailed my host about how to turn it off. In the meantime I found this to add to the top of the page that should stripslashes from Post data:

 

if ( get_magic_quotes_gpc() ) {
$_GET = array_map('stripslashes',$_GET);
$_POST = array_map('stripslashes',$_POST);
$_COOKIE = array_map('stripslashes',$_COOKIE);
} 

 

Still however, the when the code runs against a $myanswer containing quotes, I get the "you didn't select an answer" error.

 

Any thoughts on why this would be happening and best way to trouble shoot?

 

Thanks in advance,

Ryan

 

Link to comment
https://forums.phpfreaks.com/topic/169820-solved-addslashes-magic_quotes-problem/
Share on other sites

if ( get_magic_quotes_gpc() )
{
  if ( !empty($_GET) )
   $_GET = array_map('stripslashes', $_GET);
  if ( !empty($_POST) )
   $_POST = array_map('stripslashes', $_POST);
  if ( !empty($_COOKIE) )
   $_COOKIE = array_map('stripslashes', $_COOKIE);
}

 

I don't think that addslashes is the problem tbh, have you tried echoing $myanswer?


$display = mysql_query("SELECT * FROM $table WHERE $table.video_id='" . $_SESSION['get'] . "' ORDER BY id ASC",$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);

 

Try that?

Thanks guys,

 

Magic_quotes is now off in the php.ini file.

 

Yes -- the code generates the full error, as in this test question:

 

»you didn't select an answer. The answer is: "the"

 

When I echo $myanswer only the answers that don't have quotes in them are echoed.

 

Likewise, all answers that don't have quotes in them show up just fine and results are as they are supposed to be.

 

When $myanswer is something like, "the" -- the quotes seem to cause the POST data to be empty.

 

Any ideas?

 

Lastly, this did not generate any php error:

$display = mysql_query("SELECT * FROM $table WHERE $table.video_id='" . $_SESSION['get'] . "' ORDER BY id ASC",$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);

 

Thank you for your help troubleshooting this.

That variable is set when the user clicks on the link to view this quiz activity.

 

Everything works perfectly -- until an answer has quotes in it.

 

Then it's as if the $myanswer variable for that particular answer is empty -- and the "you didn't select an answer" error is generated.

Thanks, Andy.

 

This test quiz has one question. The results echoed are:

 

Here are the answers:

 

Array

(

    [0] => 11070

    [id] => 11070

    [1] => 38

    [user_id] => 38

    [2] => 2653

    [video_id] => 2653

    [3] => q11070

    [q] => q11070

    [4] => Is this "working?"

    [question] => Is this "working?"

    [5] => "yes"

    [opt1] => "yes"

    [6] => no

    [opt2] => no

    [7] => yes

    [opt3] => yes

    [8] => "yes"

    [answer] => "yes"

)

 

Is this "working?"

»you didn't select an answer. The answer is: "yes"

Thanks, MadTechie.

 

What's frustrating now is that I've removed everything that has to do with addslashes/stripslashes, including the code at the top of the page that would strip slashes from POST data.

 

Magic_quotes_gpc is also turned off.

 

As far as I can tell, on this test site there is no sanitation of any sort happening to data inserted or retrieved from the database.

 

I'll keep at it. Thank you very much for your help with this -- if you have any other ideas please let me know.

 

Ryan

$SQL = sprintf("SELECT * FROM $table WHERE $table.video_id='%s' ORDER BY id ASC",mysql_real_escape_string($_SESSION['get']));
$display = mysql_query($SQL,$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);

//-------
$myanswer = htmlentities($_POST[$q], ENT_QUOTES);

Thanks, MadTechie.

 

I added another question to  this text quiz -- one without quotation marks in the correct answer. Here are the results after adding the code above (the answer with quotes is still dropped).

 

echo my answer variables: yep

 

You scored 1 out of 2

 

50%

 

Here are the answers:

 

Array

(

    [0] => 11071

    [id] => 11071

    [1] => 38

    [user_id] => 38

    [2] => 2654

    [video_id] => 2654

    [3] => q11071

    [q] => q11071

    [4] => test to see if this is "working."

    [question] => test to see if this is "working."

    [5] => "yes"

    [opt1] => "yes"

    [6] => no

    [opt2] => no

    [7] => yes

    [opt3] => yes

    [8] => "yes"

    [answer] => "yes"

)

 

 

yep

 

Array

(

    [0] => 11072

    [id] => 11072

    [1] => 38

    [user_id] => 38

    [2] => 2654

    [video_id] => 2654

    [3] => q11072

    [q] => q11072

    [4] => working

    [question] => working

    [5] => no way

    [opt1] => no way

    [6] => no

    [opt2] => no

    [7] => yep

    [opt3] => yep

    [8] => yep

    [answer] => yep

)

 

 

test to see if this is "working."

»you didn't select an answer. The answer is: "yes"

 

working

»you answered: yep -- which is correct

 

 

I really appreciate the help!

Ryan

Thanks, MadTechi and a.kitchin,

 

I don't know if I placed the query echo in the right spot -- It only echos: Array

 

Echoing the post data shows that only $myanswer variables without quotes are passed. The answer "yes" (with quotes) isn't being passed as POST data.

 

Does that help?

 

I placed the echos here:

 

$SQL = sprintf("SELECT * FROM $table WHERE $table.video_id='%s' ORDER BY id ASC",mysql_real_escape_string($_SESSION['get']));
$display = mysql_query($SQL,$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);

while ($row = mysql_fetch_array($display)) {

$question = $row["question"];
$answer = $row["answer"];
$q = $row["q"];
$myanswer = htmlentities($_POST[$q], ENT_QUOTES);

echo '<pre>'.print_r($_POST, TRUE).'</pre>';
echo $myanswer;	
echo mysql_fetch_array($display);
echo '<pre>' . "\n" . print_r($row, true) . "\n" . '</pre>';

echo "<tr><td><br>$question</td></tr>";

if ($myanswer == $answer) 
	echo "<tr><td>»you answered: $myanswer -- which is correct</td></tr>";
elseif ($myanswer == "")
	echo "<tr><td>»you didn't select an answer. The answer is: $answer</td></tr>";
else
	echo "<tr><td>»you answered: $myanswer. The answer is: $answer</td></tr>";

}

 

Here are the results -- note the 2nd question was dropped (the question with the answer: yep, but that's probably because I didn't place the query echo in the right spot (?)

 

:Results:

 

Here are the answers:

 

Array

(

    [q11071] =>

    [q11072] => yep

    [submit] => See how you did

)

 

Array

 

Array

(

    [0] => 11071

    [id] => 11071

    [1] => 38

    [user_id] => 38

    [2] => 2654

    [video_id] => 2654

    [3] => q11071

    [q] => q11071

    [4] => test to see if this is "working."

    [question] => test to see if this is "working."

    [5] => "yes"

    [opt1] => "yes"

    [6] => no

    [opt2] => no

    [7] => yes

    [opt3] => yes

    [8] => "yes"

    [answer] => "yes"

)

 

test to see if this is "working."

»you didn't select an answer. The answer is: "yes"

Thank you a.kitchen,

 

Here is the form code,

 

$SQL = sprintf("SELECT * FROM $table WHERE $table.video_id='%s' ORDER BY id ASC",mysql_real_escape_string($_SESSION['get']));
$display = mysql_query($SQL,$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);

if (!$_POST['submit']) {

echo "<form method=post action=$PHP_SELF>";
echo "<table border=0 width=100%>";

while ($row = mysql_fetch_array($display)) {

$id = $row["id"];
$question = $row["question"];
$opt1 = $row["opt1"];
$opt2 = $row["opt2"];
$opt3 = $row["opt3"];

    echo "<tr><br><b>$question</b></tr><br>";
echo "<tr><input type=radio name=q$id value=\"$opt1\"> $opt1<br>
<input type=radio name=q$id value=\"$opt2\"> $opt2<br>
<input type=radio name=q$id value=\"$opt3\"> $opt3<br></tr>";

}

echo "</table>";
echo "<br><input type='submit' name='submit' value='See how you did'>";
echo "</form><br><br>";

 

Do you see anything there that would prohibit quoted POST data from passing?

 

Thanks again,

Ryan

Thank you a.kitchen,

 

Here is the form code,

 

$SQL = sprintf("SELECT * FROM $table WHERE $table.video_id='%s' ORDER BY id ASC",mysql_real_escape_string($_SESSION['get']));
$display = mysql_query($SQL,$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);

if (!$_POST['submit']) {

echo "<form method=post action=$PHP_SELF>";
echo "<table border=0 width=100%>";

while ($row = mysql_fetch_array($display)) {

$id = $row["id"];
$question = $row["question"];
$opt1 = $row["opt1"];
$opt2 = $row["opt2"];
$opt3 = $row["opt3"];

    echo "<tr><br><b>$question</b></tr><br>";
echo "<tr><input type=radio name=q$id value=\"$opt1\"> $opt1<br>
<input type=radio name=q$id value=\"$opt2\"> $opt2<br>
<input type=radio name=q$id value=\"$opt3\"> $opt3<br></tr>";

}

echo "</table>";
echo "<br><input type='submit' name='submit' value='See how you did'>";
echo "</form><br><br>";

 

Do you see anything there that would prohibit quoted POST data from passing?

 

Thanks again,

Ryan

 

first off, you should be using quotes to surround your attributes in the HTML form:

 

	echo "<form method='post' action='$PHP_SELF'>";
echo "<table border='0' width='100%'>";

 

second, in order for the htmlentities() to work, you will need to run it against both your POSTed data and the answer that you select from the database. try running it on both variables and comparing them to see what you get. otherwise, it could be that you still have backslashes in your database.

Thank you very much MadTechie, a.kitchin, and Andy-H!

I think this is working now!

 

Can you please look at this insert code and retrieval code and let me know if you see any red flags (I've double checked that all backslashes have been removed the from the test database -- and all new, test quizzes I've created with single and double quotes throughout have worked perfectly. Do I have this right?)

 

Insert:

$question = trim(strip_tags(mysql_real_escape_string(htmlentities($_POST['question'], ENT_QUOTES))));
$opt1 = trim(strip_tags(mysql_real_escape_string(htmlentities($_POST['opt1'], ENT_QUOTES))));
$opt2 = trim(strip_tags(mysql_real_escape_string(htmlentities($_POST['opt2'], ENT_QUOTES))));
$opt3 = trim(strip_tags(mysql_real_escape_string(htmlentities($_POST['opt3'], ENT_QUOTES))));
$answer  = trim(strip_tags(mysql_real_escape_string(htmlentities($_POST['answer'], ENT_QUOTES))));

 

Retrieval: Shows the questions

while ($row = mysql_fetch_array($display)) {
$id = $row["id"];
$question = $row["question"];
$opt1 = $row["opt1"];
$opt2 = $row["opt2"];
$opt3 = $row["opt3"];

 

Retrieval: On submit, checks to see if answers match the correct answers

while ($row = mysql_fetch_array($display)) {

$question = $row["question"];

$answer = html_entity_decode($row["answer"], ENT_QUOTES);

$q = $row["q"];

$myanswer = html_entity_decode($_POST[$q], ENT_QUOTES);	

echo "<tr><td><br>$question</td></tr>";

if ($myanswer == $answer) 
	echo "<tr><td>»you answered: $myanswer -- which is correct</td></tr>";
elseif ($myanswer == "")
	echo "<tr><td>»you didn't select an answer. The answer is: $answer</td></tr>";
else
	echo "<tr><td>»you answered: $myanswer. The answer is: $answer</td></tr>";
}

 

i have to be honest and say that i think those functions are overkill. there must be a simple discrepancy here, and my suspicion is that it's in the radio button's element code that holds the answer. i would guess it comes back empty because the answer has double-quotes in it and that they're forcing the value attribute to end early. for example:

 

$answer = 'this is "the" answer.';
<input type="radio" name="q1289" value="<?php echo $answer; ?>" />

 

this will output:

 

<input type="radio" name="q1289" value="this is "the" answer." />

 

obviously that will cause the value attribute to be cut short to "this is". in the case of your "yes" example, there aren't any characters between the opening double-quote for the value attribute, and the first double-quote in the answer.

 

if you're certain all the escaping backslashes are eliminated from the database, you should only need to do two things:

 

1. use addslashes() on POST data BEFORE inserting into the database if magic_quotes are OFF. otherwise escaping backslashes are already inserted by PHP. optionally, you may choose to use mysql_real_escape_string(), but be certain that you've used stripslashes() if magic quotes is on (otherwise mysql_real_escape_string() will escape the backslashes added by magic_quotes, as well as the characters magic_quotes was trying to escape). for example, with magic_quotes on, the variable:

 

"yes"

 

would become

 

\"yes\"

 

if you then use mysql_real_escape_string() on that, you will end up with:

 

\\\"yes\\\"

 

because that function will escape the backslashes as well as the quotes. this is why we use stripslashes() if magic_quotes is on and we're using mysql_real_escape_string() to escape the data.

 

2. now that you've inserted the information into the database correctly, it should only contain quotes. when you retrieve it to place it into the value attribute of a radio button, use addslashes() before echoing so that it escapes any quotes that would otherwise interfere with the value's delimiter.

 

doing only these two things should allow you to compare $_POST answers directly to the answers retrieved from the database. i fear using all the functions that you are using above will not help you learn about how escaping is done in PHP.

Thanks a.kitchin,

 

I did finally get it all to work. No errors, no blanks, all comparisons working -- Thanks to your and MadTechie and Andy-H's help.

 

The site is now off addslashes/stripslashes and ALL data is at least passed through mysql_real_escape_string.

 

Cheers,

Ryan

 

 

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.