0

This question is about a quiz and I wish to prevent the user from submitting the same question and receiving points several times for a single correct answer.

I have a db where I store the user's correct questions and a select statement,

but it is only inserting and not reading the argument for a user that is already in that db.

The score is added corectly, bubt the only issue it's not validating user_corect_question db, the code just keeps adding new lines to the db and points to the user.

tnx!


//if corect answer
if($corect_choise == $selected_choise){


//check if user answered corect and recieved points for this question before
$query = "SELECT corect FROM user_corect_question WHERE location_id=$location_id and userid=$userid and corect=1";
//get result
$result = $mysqli->query($query) or die ($mysqli->error.__LINE__);

//get row
$row = $result->fetch_assoc();


     // if did not recive points for this question insert to user corect questions db 
     if($row != 0){
        
        //get user score
        $query="SELECT score FROM `members` WHERE userid = $userid";


        //get result
        $result = $mysqli->query($query) or die ($mysqli->error.__LINE__);
        $row = mysqli_fetch_array($result);
        //echo $row['score'];


        //points for corect answer
        $score = 1;
        //user score+ new points
        $_SESSION['score'] = $score + $row['score'];
        //save new score
        $new_score= $_SESSION['score'];
        $query = "UPDATE `members` SET score='$new_score' WHERE userid=$userid ";
        //get result
        $result = $mysqli->query($query) or die ($mysqli->error.__LINE__);
        //redirect to score
        header("Location: ../final2.php") ;

     }

else{

        $corect = 1;
        $query = "INSERT INTO user_corect_question (location_id,userid,corect) VALUES ('$location_id','$userid','$corect')";
        // save to db
        $DB = new Database();
        $DB->save($query);

      
                  //get user score
          $query="SELECT score FROM `members` WHERE userid = $userid";
          //get result
          $result = $mysqli->query($query) or die ($mysqli->error.__LINE__);
          $row = mysqli_fetch_array($result);
          //echo $row['score'];

          //points for corect answer
          $score = 25;
          //user score+ new points
          $_SESSION['score'] = $score + $row['score'];
          //save new score
          $new_score= $_SESSION['score'];
          $query = "UPDATE `members` SET score='$new_score' WHERE userid=$userid ";
          //get result
          $result = $mysqli->query($query) or die ($mysqli->error.__LINE__);
          //redirect to score
          header("Location: ../final.php") ;

               
    }


}

else{
header ("Location: ../try_again.php"."Try again");
}
Lajos Arpad
  • 64,414
  • 37
  • 100
  • 175
taray
  • 21
  • 3
  • try using `$row = mysqli_num_rows($result); ` for checking count of returned row. – Dark Knight Sep 26 '20 at 05:07
  • i did as u offer but no change , tnx though – taray Sep 26 '20 at 07:49
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Sep 26 '20 at 12:33
  • It is a very bad idea to use `die(mysqli_error($conn));` in your code, because it could potentially leak sensitive information. See this post for more explanation: [mysqli or die, does it have to die?](https://stackoverflow.com/a/15320411/1839439) – Dharman Sep 26 '20 at 12:33
  • tnx this is a first project in php and sql, for now i am to far along to change anything, i will implement your segesstions in my next project. – taray Sep 27 '20 at 04:41

1 Answers1

0

If the user already has a record there, then the program lands in the if branch.

    //points for corect answer
    $score = 1;
    //user score+ new points
    $_SESSION['score'] = $score + $row['score'];
    //save new score
    $new_score= $_SESSION['score'];
    $query = "UPDATE `members` SET score='$new_score' WHERE userid=$userid ";

This adds some points to the user. You don't need this in the if branch.

Lajos Arpad
  • 64,414
  • 37
  • 100
  • 175