RyanSF07 Posted August 11, 2009

Hello, I posted earlier today and got the help I was looking for -- but I'm still having trouble with this. I've removed addslashes/stripslashes from my code on a test site, and have updated the database to remove all slashes from the data. The problem is that when this bit of code runs against an answer such as "answer" (contains quotes), I get the "You didn't select an answer" error.

    $display = mysql_query("SELECT * FROM $table WHERE $table.video_id='$_SESSION[get]' ORDER BY id ASC",$db);

    while ($row = mysql_fetch_array($display)) {
        $question = $row["question"];
        $answer = $row["answer"];
        $q = $row["q"];
        $myanswer = $_POST[$q];

        echo "<tr><td><br>$question</td></tr>";
        if ($myanswer == $answer)
            echo "<tr><td>»you answered: $myanswer -- which is correct</td></tr>";
        elseif ($myanswer == "")
            echo "<tr><td>»you didn't select an answer. The answer is: $answer</td></tr>";
        else
            echo "<tr><td>»you answered: $myanswer. The answer is: $answer</td></tr>";
    }

I thought the problem was that magic_quotes must be on and so I've emailed my host about how to turn it off. In the meantime I found this to add to the top of the page that should stripslashes from Post data:

    if ( get_magic_quotes_gpc() ) {
        $_GET = array_map('stripslashes',$_GET);
        $_POST = array_map('stripslashes',$_POST);
        $_COOKIE = array_map('stripslashes',$_COOKIE);
    }

Still, however, when the code runs against a $myanswer containing quotes, I get the "you didn't select an answer" error. Any thoughts on why this would be happening and best way to troubleshoot?

Thanks in advance,
Ryan
MadTechie Posted August 12, 2009

on the error are you getting the answer you posted ? ie

you didn't select an answer. The answer is: BLAR
Andy-H Posted August 12, 2009

    if ( get_magic_quotes_gpc() ) {
        if ( !empty($_GET) ) $_GET = array_map('stripslashes', $_GET);
        if ( !empty($_POST) ) $_POST = array_map('stripslashes', $_POST);
        if ( !empty($_COOKIE) ) $_COOKIE = array_map('stripslashes', $_COOKIE);
    }

I don't think that addslashes is the problem tbh, have you tried echoing $myanswer?

    $display = mysql_query("SELECT * FROM $table WHERE $table.video_id='" . $_SESSION['get'] . "' ORDER BY id ASC",$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);

Try that?
RyanSF07 Posted August 12, 2009

Thanks guys,

Magic_quotes is now off in the php.ini file. Yes -- the code generates the full error, as in this test question:

»you didn't select an answer. The answer is: "the"

When I echo $myanswer only the answers that don't have quotes in them are echoed. Likewise, all answers that don't have quotes in them show up just fine and results are as they are supposed to be. When $myanswer is something like, "the" -- the quotes seem to cause the POST data to be empty. Any ideas?

Lastly, this did not generate any php error:

    $display = mysql_query("SELECT * FROM $table WHERE $table.video_id='" . $_SESSION['get'] . "' ORDER BY id ASC",$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);

Thank you for your help troubleshooting this.
MadTechie Posted August 12, 2009

Where is $_SESSION['get'] being set ?
RyanSF07 Posted August 12, 2009

That variable is set when the user clicks on the link to view this quiz activity. Everything works perfectly -- until an answer has quotes in it. Then it's as if the $myanswer variable for that particular answer is empty -- and the "you didn't select an answer" error is generated.
MadTechie Posted August 12, 2009

do a

    var_dump($_SESSION['get']);

and see what you get
RyanSF07 Posted August 12, 2009

Thanks, MadTechie. I got this:

    string(4) "2653"

I don't know what string(4) refers to, but 2653 is the id of this test quiz -- the session get variable.
Andy-H Posted August 12, 2009

    echo '<pre>' . "\n" . print_r($row, true) . "\n" . '</pre>';

Can you try that please? And paste back the results.
RyanSF07 Posted August 12, 2009

Thanks, Andy. This test quiz has one question. The results echoed are:

    Here are the answers:
    Array
    (
        [0] => 11070
        [id] => 11070
        [1] => 38
        [user_id] => 38
        [2] => 2653
        [video_id] => 2653
        [3] => q11070
        [q] => q11070
        [4] => Is this "working?"
        [question] => Is this "working?"
        [5] => "yes"
        [opt1] => "yes"
        [6] => no
        [opt2] => no
        [7] => yes
        [opt3] => yes
        [8] => "yes"
        [answer] => "yes"
    )

    Is this "working?"
    »you didn't select an answer. The answer is: "yes"
MadTechie Posted August 12, 2009

Well the database has the quotes in, so stripping them out via stripslashes will make the answer invalid
RyanSF07 Posted August 12, 2009

Thanks, MadTechie. What's frustrating now is that I've removed everything that has to do with addslashes/stripslashes, including the code at the top of the page that would strip slashes from POST data. Magic_quotes_gpc is also turned off. As far as I can tell, on this test site there is no sanitation of any sort happening to data inserted or retrieved from the database.

I'll keep at it. Thank you very much for your help with this -- if you have any other ideas please let me know.

Ryan
MadTechie Posted August 12, 2009

    $SQL = sprintf("SELECT * FROM $table WHERE $table.video_id='%s' ORDER BY id ASC",mysql_real_escape_string($_SESSION['get']));
    $display = mysql_query($SQL,$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);
    //-------
    $myanswer = htmlentities($_POST[$q], ENT_QUOTES);
RyanSF07 Posted August 12, 2009

Thanks, MadTechie. I added another question to this test quiz -- one without quotation marks in the correct answer. Here are the results after adding the code above (the answer with quotes is still dropped).

    echo my answer variables:
    yep
    You scored 1 out of 2
    50%
    Here are the answers:
    Array
    (
        [0] => 11071
        [id] => 11071
        [1] => 38
        [user_id] => 38
        [2] => 2654
        [video_id] => 2654
        [3] => q11071
        [q] => q11071
        [4] => test to see if this is "working."
        [question] => test to see if this is "working."
        [5] => "yes"
        [opt1] => "yes"
        [6] => no
        [opt2] => no
        [7] => yes
        [opt3] => yes
        [8] => "yes"
        [answer] => "yes"
    )

    yep
    Array
    (
        [0] => 11072
        [id] => 11072
        [1] => 38
        [user_id] => 38
        [2] => 2654
        [video_id] => 2654
        [3] => q11072
        [q] => q11072
        [4] => working
        [question] => working
        [5] => no way
        [opt1] => no way
        [6] => no
        [opt2] => no
        [7] => yep
        [opt3] => yep
        [8] => yep
        [answer] => yep
    )

    test to see if this is "working."
    »you didn't select an answer. The answer is: "yes"

    working
    »you answered: yep -- which is correct

I really appreciate the help!

Ryan
MadTechie Posted August 12, 2009

echo the query to check it
akitchin Posted August 12, 2009

i'm surprised nobody has asked you this, but have you tried echoing the contents of POST?

    echo '<pre>'.print_r($_POST, TRUE).'</pre>';
RyanSF07 Posted August 12, 2009

Thanks, MadTechie and a.kitchin,

I don't know if I placed the query echo in the right spot -- it only echoes: Array

Echoing the post data shows that only $myanswer variables without quotes are passed. The answer "yes" (with quotes) isn't being passed as POST data. Does that help?

I placed the echos here:

    $SQL = sprintf("SELECT * FROM $table WHERE $table.video_id='%s' ORDER BY id ASC",mysql_real_escape_string($_SESSION['get']));
    $display = mysql_query($SQL,$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);

    while ($row = mysql_fetch_array($display)) {
        $question = $row["question"];
        $answer = $row["answer"];
        $q = $row["q"];
        $myanswer = htmlentities($_POST[$q], ENT_QUOTES);

        echo '<pre>'.print_r($_POST, TRUE).'</pre>';
        echo $myanswer;
        echo mysql_fetch_array($display);
        echo '<pre>' . "\n" . print_r($row, true) . "\n" . '</pre>';

        echo "<tr><td><br>$question</td></tr>";
        if ($myanswer == $answer)
            echo "<tr><td>»you answered: $myanswer -- which is correct</td></tr>";
        elseif ($myanswer == "")
            echo "<tr><td>»you didn't select an answer. The answer is: $answer</td></tr>";
        else
            echo "<tr><td>»you answered: $myanswer. The answer is: $answer</td></tr>";
    }

Here are the results -- note the 2nd question was dropped (the question with the answer: yep, but that's probably because I didn't place the query echo in the right spot (?):

    Results:
    Here are the answers:
    Array
    (
        [q11071] =>
        [q11072] => yep
        [submit] => See how you did
    )

    Array
    Array
    (
        [0] => 11071
        [id] => 11071
        [1] => 38
        [user_id] => 38
        [2] => 2654
        [video_id] => 2654
        [3] => q11071
        [q] => q11071
        [4] => test to see if this is "working."
        [question] => test to see if this is "working."
        [5] => "yes"
        [opt1] => "yes"
        [6] => no
        [opt2] => no
        [7] => yes
        [opt3] => yes
        [8] => "yes"
        [answer] => "yes"
    )

    test to see if this is "working."
    »you didn't select an answer. The answer is: "yes"
akitchin Posted August 12, 2009

alright, at this point it's worth looking at the form code. are you using select boxes, or are you using text inputs?
RyanSF07 Posted August 12, 2009

Thank you a.kitchin,

Here is the form code,

    $SQL = sprintf("SELECT * FROM $table WHERE $table.video_id='%s' ORDER BY id ASC",mysql_real_escape_string($_SESSION['get']));
    $display = mysql_query($SQL,$db)or trigger_error("Query failed: " . mysql_error() . PHP_EOL);

    if (!$_POST['submit']) {
        echo "<form method=post action=$PHP_SELF>";
        echo "<table border=0 width=100%>";

        while ($row = mysql_fetch_array($display)) {
            $id = $row["id"];
            $question = $row["question"];
            $opt1 = $row["opt1"];
            $opt2 = $row["opt2"];
            $opt3 = $row["opt3"];

            echo "<tr><br><b>$question</b></tr><br>";
            echo "<tr><input type=radio name=q$id value=\"$opt1\"> $opt1<br>
                <input type=radio name=q$id value=\"$opt2\"> $opt2<br>
                <input type=radio name=q$id value=\"$opt3\"> $opt3<br></tr>";
        }

        echo "</table>";
        echo "<br><input type='submit' name='submit' value='See how you did'>";
        echo "</form><br><br>";

Do you see anything there that would prohibit quoted POST data from passing?

Thanks again,
Ryan
RyanSF07 Posted August 12, 2009

After some googling, I don't understand why this didn't work:

    $myanswer = htmlentities($_POST[$q], ENT_QUOTES);

Seems like that should have fixed the problem. .....
akitchin Posted August 12, 2009

first off, you should be using quotes to surround your attributes in the HTML form:

    echo "<form method='post' action='$PHP_SELF'>";
    echo "<table border='0' width='100%'>";

second, in order for the htmlentities() to work, you will need to run it against both your POSTed data and the answer that you select from the database. try running it on both variables and comparing them to see what you get. otherwise, it could be that you still have backslashes in your database.
RyanSF07 Posted August 13, 2009

Thank you very much MadTechie, a.kitchin, and Andy-H!

I think this is working now! Can you please look at this insert code and retrieval code and let me know if you see any red flags (I've double checked that all backslashes have been removed from the test database -- and all new, test quizzes I've created with single and double quotes throughout have worked perfectly. Do I have this right?)

Insert:

    $question = trim(strip_tags(mysql_real_escape_string(htmlentities($_POST['question'], ENT_QUOTES))));
    $opt1 = trim(strip_tags(mysql_real_escape_string(htmlentities($_POST['opt1'], ENT_QUOTES))));
    $opt2 = trim(strip_tags(mysql_real_escape_string(htmlentities($_POST['opt2'], ENT_QUOTES))));
    $opt3 = trim(strip_tags(mysql_real_escape_string(htmlentities($_POST['opt3'], ENT_QUOTES))));
    $answer = trim(strip_tags(mysql_real_escape_string(htmlentities($_POST['answer'], ENT_QUOTES))));

Retrieval: Shows the questions

    while ($row = mysql_fetch_array($display)) {
        $id = $row["id"];
        $question = $row["question"];
        $opt1 = $row["opt1"];
        $opt2 = $row["opt2"];
        $opt3 = $row["opt3"];

Retrieval: On submit, checks to see if answers match the correct answers

    while ($row = mysql_fetch_array($display)) {
        $question = $row["question"];
        $answer = html_entity_decode($row["answer"], ENT_QUOTES);
        $q = $row["q"];
        $myanswer = html_entity_decode($_POST[$q], ENT_QUOTES);

        echo "<tr><td><br>$question</td></tr>";
        if ($myanswer == $answer)
            echo "<tr><td>»you answered: $myanswer -- which is correct</td></tr>";
        elseif ($myanswer == "")
            echo "<tr><td>»you didn't select an answer. The answer is: $answer</td></tr>";
        else
            echo "<tr><td>»you answered: $myanswer. The answer is: $answer</td></tr>";
    }
RyanSF07 Posted August 13, 2009

one bump before clicking solved..
akitchin Posted August 13, 2009

i have to be honest and say that i think those functions are overkill. there must be a simple discrepancy here, and my suspicion is that it's in the radio button's element code that holds the answer. i would guess it comes back empty because the answer has double-quotes in it and that they're forcing the value attribute to end early. for example:

    <?php $answer = 'this is "the" answer.'; ?>
    <input type="radio" name="q1289" value="<?php echo $answer; ?>" />

this will output:

    <input type="radio" name="q1289" value="this is "the" answer." />

obviously that will cause the value attribute to be cut short to "this is". in the case of your "yes" example, there aren't any characters between the opening double-quote for the value attribute, and the first double-quote in the answer.

if you're certain all the escaping backslashes are eliminated from the database, you should only need to do two things:

1. use addslashes() on POST data BEFORE inserting into the database if magic_quotes are OFF. otherwise escaping backslashes are already inserted by PHP. optionally, you may choose to use mysql_real_escape_string(), but be certain that you've used stripslashes() if magic quotes is on (otherwise mysql_real_escape_string() will escape the backslashes added by magic_quotes, as well as the characters magic_quotes was trying to escape). for example, with magic_quotes on, the variable:

       "yes"

   would become

       \"yes\"

   if you then use mysql_real_escape_string() on that, you will end up with:

       \\\"yes\\\"

   because that function will escape the backslashes as well as the quotes. this is why we use stripslashes() if magic_quotes is on and we're using mysql_real_escape_string() to escape the data.

2. now that you've inserted the information into the database correctly, it should only contain quotes. when you retrieve it to place it into the value attribute of a radio button, use addslashes() before echoing so that it escapes any quotes that would otherwise interfere with the value's delimiter.

doing only these two things should allow you to compare $_POST answers directly to the answers retrieved from the database. i fear using all the functions that you are using above will not help you learn about how escaping is done in PHP.
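
The value-attribute truncation diagnosed in the post above, reproduced as an added example that is not code from any participant in this thread. The option strings and helper names (radio_raw, radio_encoded, submitted_value) are constructed for illustration, DOMDocument stands in for the browser's HTML parser, and htmlspecialchars() is used here rather than addslashes() because HTML attribute values are protected by entity encoding, not by backslashes.

```php
<?php
// Added example: constructed sample data, hypothetical helper names.

// Render a radio button the way the thread's form did: raw value inside value="...".
function radio_raw($name, $value) {
    return '<input type="radio" name="' . $name . '" value="' . $value . '">';
}

// Same element, with name and value encoded for the HTML attribute context.
function radio_encoded($name, $value) {
    return '<input type="radio" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Parse the markup with an HTML parser and return the value a form submit would carry.
function submitted_value($html) {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // the raw variant is malformed on purpose
    $doc->loadHTML('<form>' . $html . '</form>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? null : $input->getAttribute('value');
}

// Constructed options, stored raw: no entities, no backslashes.
$options = array('"yes"', 'no', 'say "maybe" later');
$correct = '"yes"';

foreach ($options as $opt) {
    $raw = submitted_value(radio_raw('q11070', $opt));
    $enc = submitted_value(radio_encoded('q11070', $opt));
    printf("%-22s raw form -> %-10s encoded form -> %s\n",
        var_export($opt, true), var_export($raw, true), var_export($enc, true));
}

// The parser decodes &quot; back to ", so grading compares raw to raw.
$posted = submitted_value(radio_encoded('q11070', $correct));
echo ($posted === $correct) ? "match\n" : "mismatch\n";

// Encode again only at the point of output into HTML.
echo 'you answered: ' . htmlspecialchars($posted, ENT_QUOTES, 'UTF-8') . "\n";
```

Escaping for the SQL query (mysql_real_escape_string() in this thread) is a separate layer applied only when building the query, so the stored answer stays raw and each output context gets its own encoding.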
RyanSF07 Posted August 13, 2009

Thanks a.kitchin,

I did finally get it all to work. No errors, no blanks, all comparisons working -- Thanks to your and MadTechie and Andy-H's help. The site is now off addslashes/stripslashes and ALL data is at least passed through mysql_real_escape_string.

Cheers,
Ryan