Question about a question-and-answer system using the $_GET method

Viewed 275 times

I have a system that shows a question and the person answers it. When the employee answers a step, I use the $_GET method to pick up his answer and insert the information into the database. The problem is that if the person refreshes the page or something like that, the information gets inserted twice in the database. How can I make sure only one row is inserted?

Form:

<form class="form-horizontal" action="comportamento.php?nro_pergunta=<?php  echo $nro_pergunta; ?>" method="GET">
  <fieldset>
      <legend><b>Pergunta <?php echo"$ordem";?> de <?php echo"$totalpergunta";?></b></legend>
    <?php
     $timestamp            = @mktime(date("H")-4, date("i"),date("s"),date("m"),date("d"),date("Y"),0);
     $data_cad              = gmdate("Y-m-d", $timestamp);
     echo"<input type='hidden' name='loja'         id='loja'         value='$loja'>";
     echo"<input type='hidden' name='id_usuario'   id='id_usuario'   value='$id_usuario'>";
     echo"<input type='hidden' name='questionario' id='questionario' value='$questionario'>";
     echo"<input type='hidden' name='area'         id='area'         value='$area'>";
     echo"<input type='hidden' name='nro_pergunta' id='nro_pergunta' value='$nro_pergunta'>";     
     echo"<input type='hidden' name='data_cad'     id='data_cad'     value='$data_cad'>";
     echo"<input type='hidden' name='pergunta'     id='pergunta'     value='$idpergunta'>";
    ?>
       <?php
        $sql_button = mysql_query("SELECT *  FROM respostas WHERE 
           resp_loja='$loja'
       AND resp_usuario='$id_usuario'
       AND resp_area ='$area'
       AND resp_pergunta_id ='$idpergunta'
       AND resp_subgrupo='100'
       AND resp_questionario='$questionario'");

     if(mysql_num_rows ($sql_button) == 0 )
      {
     echo"<div class='form-group'>";
      echo"<center><h4><label> $descpergunta</label></h4></center>";
      echo"<div class='col-lg-10'>";
        // each radio needs its own id (the original reused optionsRadios3 twice)
        echo"<div class='radio'><label><input type='radio' name='resp' id='optionsRadios1' value='5'>OTIMO        </label></div>";
        echo"<div class='radio'><label><input type='radio' name='resp' id='optionsRadios2' value='3'>BOM      </label></div>";
        echo"<div class='radio'><label><input type='radio' name='resp' id='optionsRadios3' value='2'>REGULAR         </label></div>";
        echo"<div class='radio'><label><input type='radio' name='resp' id='optionsRadios4' value='1'>RUIM         </label></div>";
        echo"<div class='radio'><label><input type='radio' name='resp' id='optionsRadios5' value='0'>NAO APLICADO </label></div>";
        echo"</div>";
      echo"</div>";
     echo"<div class='form-group'>";
      echo"<div class='col-lg-10 col-lg-offset-2'>";
                echo"<button id='button' type='submit' name='submit' class='btn btn-danger'><span class='glyphicon glyphicon-ok'></span> Responder</button><br />";

       echo"</div>";
    echo"</div>";
    } else  {
    echo"<div class='form-group'>";
      echo"<div class='col-lg-10 col-lg-offset-2'>";
            // 'next' is not a valid button type; browsers fall back to submit, so say so explicitly
            echo"<button id='button' type='submit' name='next' class='btn btn-danger'><span class='glyphicon glyphicon-circle-arrow-right'></span> Próxima</button><br />";
            echo"<br>";
            echo"<div class='alert alert-dismissible alert-danger'>";
            echo"<button type='button' class='close' data-dismiss='alert'></button>";
            echo"<strong>ATENÇÃO! </strong>Você já respondeu essa pergunta.";
            echo"</div>";  
       echo"</div>";
    echo"</div>";
    }
   ?> 


  </fieldset>
 </form>

Insert:

<?php
 include("conexao.php");
if(isset($_GET['submit'])){
    $loja         = $_GET ["loja"];
    $id_usuario   = $_GET ["id_usuario"]; 
    $questionario = $_GET ["questionario"];
    $area         = $_GET ["area"];
    $idpergunta   = $_GET ["pergunta"];   
    $resp         = $_GET ["resp"]; 
    $datacad      = $_GET ["data_cad"]; 

  // mysql_query() runs the INSERT right here; calling it again on the returned
  // resource (as the original did) only raises a warning and does nothing
  $sql_insert = mysql_query("INSERT INTO respostas 
  (resp_id,resp_loja,resp_usuario,resp_questionario,resp_area,resp_subgrupo,resp_pergunta_id,resp_resposta,resp_data,resp_status)
  VALUES 
  ('','$loja','$id_usuario','$questionario','$area','100','$idpergunta','$resp','$datacad','1')", $conexao) or die (mysql_error());
}

if(isset($_GET['proxima'])){
$pergunta = (int)$_GET['proxima'];
header('location: comportamento.php?nro_pergunta='.$pergunta);  
}

NOTE: I posted only the part of the code that concerns the question; if you need more information, please ask.

And finally: when inserting into the database, why is only the date stored, and not the date and time as it is in the field?

Otherwise, a big hug and see you later.

1 answer

Something very simple to solve this problem is to do the same check you did in the form inside the Insert as well.

   <?php
    include("conexao.php");
                $loja         = $_GET ["loja"];
                $id_usuario   = $_GET ["id_usuario"]; 
                $questionario = $_GET ["questionario"];
                $area         = $_GET ["area"];
                $idpergunta   = $_GET ["pergunta"];   
                $resp         = $_GET ["resp"]; 
                $datacad      = $_GET ["data_cad"]; 

    $sql_button = mysql_query("SELECT *  FROM respostas WHERE 
       resp_loja='$loja'
   AND resp_usuario='$id_usuario'
   AND resp_area ='$area'
   AND resp_pergunta_id ='$idpergunta'
   AND resp_subgrupo='100'
   AND resp_questionario='$questionario'");

 if(mysql_num_rows ($sql_button) == 0 )

   {


            if(isset($_GET['submit'])){

              // mysql_query() already executes the INSERT here; the second call on the
              // result resource in the original did nothing but raise a warning
              $sql_insert = mysql_query("INSERT INTO respostas 
              (resp_id,resp_loja,resp_usuario,resp_questionario,resp_area,resp_subgrupo,resp_pergunta_id,resp_resposta,resp_data,resp_status)
              VALUES 
              ('','$loja','$id_usuario','$questionario','$area','100','$idpergunta','$resp','$datacad','1')", $conexao) or die (mysql_error());
            }

            if(isset($_GET['proxima'])){
            $pergunta = (int)$_GET['proxima'];
            header('location: comportamento.php?nro_pergunta='.$pergunta);  
            }

 } else {

     header("Location: vaParaAlgumLugar.php");

 }

?>

But, honestly, this is not the best way, nor the safest, to insert into the DB. For that there is method="post", because with it you really know whether the user clicked <input type="submit">. It also opens a huge door for a 'ligeirão' (quick-fingered) hacker to use this method to manipulate your query. Not to mention that you can still retrieve some parameters via $_GET even while using $_POST on the form.

Forms with the $_GET method are good for doing a DB search, for example. And even then, you have to create security classes or functions.

A tip: try not to use mysql_* anymore; switch to mysqli_* or PDO, since mysql_* is already deprecated.

I hope I helped you.

Hug!

  • I had posted that the error continued, but actually I was passing the wrong query parameter. I have already fixed it and it worked, exactly the way you showed me.

  • No problem, @otacio! Good luck!
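The answer's fix (repeat the SELECT before the INSERT) still leaves two gaps a practitioner would want closed: two requests arriving together (a double click, or F5 while the first request is still running) can both pass the SELECT and both insert, and every value in the INSERT, including id_usuario and the date, is string-concatenated from client-controlled input. Hidden form fields are as editable as a URL, so switching to POST alone does not fix that. Below is an added example, not code from the question or the answer, of the Insert step rewritten the way the answer recommends (POST plus PDO): the user id comes from the session, the answer value is whitelisted, parameters are bound, the duplicate is blocked by a one-time form token and by a UNIQUE key in the database, and the request ends in a redirect so a refresh reloads the question instead of resubmitting it. The UNIQUE key, the DATETIME column for resp_data, the session key $_SESSION['id_usuario'] and the connection placeholders are assumptions, marked in the comments.

```php
<?php
declare(strict_types=1);
// Added example, not the original poster's or answerer's code. Assumptions:
//  - the logged-in user's id is in $_SESSION['id_usuario'], so it is never read from a hidden field
//  - resp_data is a DATETIME column, so NOW() stores date and time (the poster's last question)
//  - this UNIQUE key exists (assumed schema change, one row per answer):
//      ALTER TABLE respostas ADD UNIQUE KEY uq_resposta
//        (resp_loja, resp_usuario, resp_questionario, resp_area, resp_subgrupo, resp_pergunta_id);
session_start();

// Assumed connection details (placeholders). ERRMODE_EXCEPTION is what lets the catch below
// see the duplicate-key error instead of a silent false return.
$pdo = new PDO('mysql:host=localhost;dbname=SEU_BANCO;charset=utf8mb4', 'USUARIO', 'SENHA', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

const RESPOSTAS_VALIDAS = ['0', '1', '2', '3', '5'];   // exactly the radio values the form offers

/** One-time token per question, to embed as <input type="hidden" name="token" value="..."> */
function formToken(int $nroPergunta): string
{
    if (empty($_SESSION['form_token'][$nroPergunta])) {
        $_SESSION['form_token'][$nroPergunta] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'][$nroPergunta];
}

/**
 * Stores one answer. Returns 'inserted', 'duplicate' or 'invalid'.
 * A refresh or double click is rejected twice: by the one-time token (the browser
 * resends a token that was already consumed) and by the UNIQUE key, which also
 * closes the race that a SELECT-then-INSERT check leaves open.
 */
function insertAnswer(PDO $pdo, array $post, int $idUsuario): string
{
    $nro      = (int) ($post['nro_pergunta'] ?? 0);
    $esperado = $_SESSION['form_token'][$nro] ?? '';
    if ($esperado === '' || !hash_equals($esperado, (string) ($post['token'] ?? ''))) {
        return 'duplicate';
    }
    unset($_SESSION['form_token'][$nro]);   // consumed even if the insert fails below

    $resp = (string) ($post['resp'] ?? '');
    if (!in_array($resp, RESPOSTAS_VALIDAS, true)) {
        return 'invalid';
    }
    foreach (['loja', 'questionario', 'area', 'pergunta'] as $campo) {
        if (!ctype_digit((string) ($post[$campo] ?? ''))) {
            return 'invalid';               // ids must be plain integers
        }
    }

    // Bound parameters: nothing from the request is concatenated into the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO respostas
           (resp_loja, resp_usuario, resp_questionario, resp_area, resp_subgrupo,
            resp_pergunta_id, resp_resposta, resp_data, resp_status)
         VALUES (:loja, :usuario, :questionario, :area, 100, :pergunta, :resp, NOW(), 1)'
    );
    try {
        $stmt->execute([
            ':loja'         => (int) $post['loja'],
            ':usuario'      => $idUsuario,   // from the session, not from the client
            ':questionario' => (int) $post['questionario'],
            ':area'         => (int) $post['area'],
            ':pergunta'     => (int) $post['pergunta'],
            ':resp'         => (int) $resp,
        ]);
    } catch (PDOException $e) {
        if (($e->errorInfo[0] ?? '') === '23000') {   // integrity constraint: the UNIQUE key fired
            return 'duplicate';
        }
        throw $e;
    }
    return 'inserted';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['id_usuario'])) {
    $status = insertAnswer($pdo, $_POST, (int) $_SESSION['id_usuario']);
    $nro    = (int) ($_POST['nro_pergunta'] ?? 0);
    // Post/Redirect/Get: the browser ends on a GET page, so F5 reloads the question
    // instead of resubmitting the answer.
    header('Location: comportamento.php?nro_pergunta=' . $nro . '&status=' . $status, true, 303);
    exit;
}
```

To use it, the form switches to method="post", drops the hidden id_usuario and data_cad fields, and adds `<input type="hidden" name="token" value="<?= htmlspecialchars(formToken($nro_pergunta)) ?>">`. With the UNIQUE key in place the SELECT before the INSERT is no longer needed for correctness; it can stay purely to decide whether to render the radios or the "already answered" alert.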
