Is There Anything Wrong With This Fulltext Search Query?

[ximenao]

Hello

First of all I hope I have my question in the correct forum.

I really need help with this problem! I'm sorry if the the solution is rather simple but I'm still kinda new to all this.

 

I'm coding an online quiz for a client. The person must enter the correct answers into the input textboxes coded below:

 

 

<li><input type="text" name="uno" size="25" maxlength="25" align="baseline" /><br /><br /></li>
                           <li><input type="text" name="dos" size="25" maxlength="25" align="baseline" /><br /><br /></li>
                           <li><input type="text" name="tres" size="25" maxlength="25" align="baseline" /><br /><br /></li>

 

 

Once they submit the answers they are sent to the processing script shown below:

 

 

<?php
 $uno = $_POST['uno'];
 $dos = $_POST['dos'];
 $tres = $_POST['tres'];

$query="SELECT 
MATCH (q1) AGAINST ('$uno' IN BOOLEAN MODE) as ans1,
MATCH (q2) AGAINST ('$dos' IN BOOLEAN MODE) as ans2,
MATCH (q3) AGAINST ('$tres' IN BOOLEAN MODE) as ans3,
FROM db_4_test";
$data=@mysql_query($query) or die(mysql_error()); 

echo "<p align=\"justify\">2. In the passage you have just read there are seven Spanish Speaking countries. List them in the spaces provided.</p>";
if($data["ans1"]!='0' && $data["ans1"]!='') {
       $a = 1;
echo "<p><font color=\"#7E4B01\" size=\"+1\">\"<b>$uno</b> is correct!\"</font></p>";
} else {
       $a = 0;
echo "<p><font color=\"#F00\" size=\"+1\">\"<b>$uno</b> is NOT a Spanish Speaking country found in the passage you have just read!</font></p>";
}

if($data["ans2"]!='0' && $data["ans2"]!='') {
       $b = 1;
echo "<p><font color=\"#7E4B01\" size=\"+1\">\"<b>$dos</b> is correct!\"</font></p>";
} else {
       $b = 0;
echo "<p><font color=\"#F00\" size=\"+1\">\"<b>$dos</b> is NOT a Spanish Speaking country found in the passage you have just read!</font></p>";
}

if($data["ans3"]!='0' && $data["ans3"]!='') {
       $c = 1;
echo "<p><font color=\"#7E4B01\" size=\"+1\">\"<b>$tres</b> is correct!\"</font></p>";
} else {
       $c = 0;
echo "<p><font color=\"#F00\" size=\"+1\">\"<b>$tres</b> is NOT a Spanish Speaking country found in the passage you have just read!</font></p>";
}


$ex1sum = $a + $b + $c;
$ex1percent = ($ex1sum/3)*100;

echo "<p>You scored <b>$ex1sum</b> out of 13 total marks in Exercise IV.</p>";

if ($ex1percent >= 0 && $ex1percent <= 50)
 echo "<p><img src=\"images/exam_sorry_01.jpg\" width=\"287\" height=\"25\" alt=\"\" border=\"0\"><a href=\"quiz.php\"><img src=\"images/exam_sorry_02.jpg\" width=\"63\" height=\"25\" alt=\"\" border=\"0\"></a></p>";  


if ($ex1percent >= 51 && $ex1percent <= 84)
 echo "<p><img src=\"images/exam_tryagain_01.jpg\" width=\"210\" height=\"25\" alt=\"\" border=\"0\"><a href=\"quiz.php\"><img src=\"images/exam_tryagain_02.jpg\" width=\"68\" height=\"25\" alt=\"\" border=\"0\"></a></p>";

if ($ex1percent >= 85 && $ex1percent <= 100)
 echo "<p><img src=\"images/exam_muybueno.jpg\" width=\"80\" height=\"25\" alt=\"\" border=\"0\"></p>";


?>

 

 

The script is a fulltext search which searches a series of columns in a database table and is supposed to find the correct answer. For example if the student enters "Cuba" it is supposed to return the answer as correct in other words display "Cuba is correct!". If the person enters say England it is supposed print "England is NOT a Spanish Speaking country found in the passage you have just read!"

However no matter what the answer is it always gives the answer wrong even if it is present in the database. If I use just one argument (e.g.: if($data["ans1"]!='0' ) ) it gives every answer correct even it is not in database.

Can someone please help me? Is there anything wrong with this script that I am missing?

 

Thanks in advance

ximenao

[Christian F.]

The problem isn't with your MySQL query, but with your (PHP code) logic: You haven't actually fetched the returned row from the result, just executed the query. You'll need to use mysql_fetch_array () to get the (first) row of results.

 

Also, you should never use @ to suppress errors, and the use of "or die (mysql_error ())" must be limited to debugging purposes only. Once you've fixed the script, you should handle errors in a more proper manner. So that you yourself gets all the details about the error, but your users only get told what part of their operation went wrong (such as "could not validate against database").

This'll help you make sure your scripts work as they should, without giving any malicious users any information they could potentially use in an attack on your site.