Question about a question-and-answer system using the $_GET method

1

I have a system that shows a question and the person answers it, but I am running into a failure, as follows: when the user answers, I use the $_GET method to pick up their answer and insert the information into the database, but the failure is that if the person refreshes the page or something similar, the information is inserted 2x into the database. What could I do so that only one insertion is made into the database?

Form:

    <form class="form-horizontal" action="comportamento.php?nro_pergunta=<?php echo $nro_pergunta; ?>" method="GET">
      <fieldset>
        <legend><b>Pergunta <?php echo "$ordem"; ?> de <?php echo "$totalpergunta"; ?></b></legend>
        <?php
        $timestamp = @mktime(date("H")-4, date("i"), date("s"), date("m"), date("d"), date("Y"), 0);
        $data_cad  = gmdate("Y-m-d", $timestamp);
        echo "<input type='hidden' name='loja'         id='loja'         value='$loja'>";
        echo "<input type='hidden' name='id_usuario'   id='id_usuario'   value='$id_usuario'>";
        echo "<input type='hidden' name='questionario' id='questionario' value='$questionario'>";
        echo "<input type='hidden' name='area'         id='area'         value='$area'>";
        echo "<input type='hidden' name='nro_pergunta' id='nro_pergunta' value='$nro_pergunta'>";
        echo "<input type='hidden' name='data_cad'     id='data_cad'     value='$data_cad'>";
        echo "<input type='hidden' name='pergunta'     id='pergunta'     value='$idpergunta'>";
        ?>
        <?php
        $sql_button = mysql_query("SELECT * FROM respostas WHERE
                resp_loja='$loja'
            AND resp_usuario='$id_usuario'
            AND resp_area='$area'
            AND resp_pergunta_id='$idpergunta'
            AND resp_subgrupo='100'
            AND resp_questionario='$questionario'");

        if (mysql_num_rows($sql_button) == 0) {
            echo "<div class='form-group'>";
            echo "<center><h4><label> $descpergunta</label></h4></center>";
            echo "<div class='col-lg-10'>";
            // each radio needs its own id (the original reused optionsRadios3 twice)
            echo "<div class='radio'><label><input type='radio' name='resp' id='optionsRadios1' value='5'>OTIMO</label></div>";
            echo "<div class='radio'><label><input type='radio' name='resp' id='optionsRadios2' value='3'>BOM</label></div>";
            echo "<div class='radio'><label><input type='radio' name='resp' id='optionsRadios3' value='2'>REGULAR</label></div>";
            echo "<div class='radio'><label><input type='radio' name='resp' id='optionsRadios4' value='1'>RUIM</label></div>";
            echo "<div class='radio'><label><input type='radio' name='resp' id='optionsRadios5' value='0'>NAO APLICADO</label></div>";
            echo "</div>";
            echo "</div>";
            echo "<div class='form-group'>";
            echo "<div class='col-lg-10 col-lg-offset-2'>";
            echo "<button id='button' type='submit' name='submit' class='btn btn-danger'><span class='glyphicon glyphicon-ok'></span> Responder</button><br />";
            echo "</div>";
            echo "</div>";
        } else {
            echo "<div class='form-group'>";
            echo "<div class='col-lg-10 col-lg-offset-2'>";
            // 'next' is not a valid button type; 'submit' is what this button needs to send the form
            echo "<button id='button' type='submit' name='next' class='btn btn-danger'><span class='glyphicon glyphicon-circle-arrow-right'></span> Próxima</button><br />";
            echo "<br>";
            echo "<div class='alert alert-dismissible alert-danger'>";
            echo "<button type='button' class='close' data-dismiss='alert'></button>";
            echo "<strong>ATENÇÃO! </strong>Você já respondeu essa pergunta.";
            echo "</div>";
            echo "</div>";
            echo "</div>";
        }
        ?>
      </fieldset>
    </form>

Insert:

    <?php
    include("conexao.php");
    if (isset($_GET['submit'])) {
        $loja         = $_GET["loja"];
        $id_usuario   = $_GET["id_usuario"];
        $questionario = $_GET["questionario"];
        $area         = $_GET["area"];
        $idpergunta   = $_GET["pergunta"];
        $resp         = $_GET["resp"];
        $datacad      = $_GET["data_cad"];

        // mysql_query() runs the INSERT here; its return value must not be passed to mysql_query() again
        mysql_query("INSERT INTO respostas
            (resp_id, resp_loja, resp_usuario, resp_questionario, resp_area, resp_subgrupo, resp_pergunta_id, resp_resposta, resp_data, resp_status)
            VALUES
            ('', '$loja', '$id_usuario', '$questionario', '$area', '100', '$idpergunta', '$resp', '$datacad', '1')", $conexao) or die(mysql_error());
    }

    if (isset($_GET['proxima'])) {
        $pergunta = (int)$_GET['proxima'];
        header('Location: comportamento.php?nro_pergunta=' . $pergunta);
        exit; // stop the script after sending the redirect
    }

NOTE: I have only added the part of the code for the question, but if you need any more information, just ask.

And to conclude, I do not know whether you can put 2 questions together, but if you can answer it, it is as follows: when inserting into the database, only the date is being inserted, and not the date as it is in the field. Would the insertion form be wrong?

That is all, a big hug and see you later.

    
asked by anonymous 13.04.2016 / 17:26

1 answer

1

A very simple way to solve this problem is to do the same check that you did in the form inside the insert.

    <?php
    include("conexao.php");
    $loja         = $_GET["loja"];
    $id_usuario   = $_GET["id_usuario"];
    $questionario = $_GET["questionario"];
    $area         = $_GET["area"];
    $idpergunta   = $_GET["pergunta"];
    $resp         = $_GET["resp"];
    $datacad      = $_GET["data_cad"];

    $sql_button = mysql_query("SELECT * FROM respostas WHERE
            resp_loja='$loja'
        AND resp_usuario='$id_usuario'
        AND resp_area='$area'
        AND resp_pergunta_id='$idpergunta'
        AND resp_subgrupo='100'
        AND resp_questionario='$questionario'");

    if (mysql_num_rows($sql_button) == 0) {

        if (isset($_GET['submit'])) {
            // mysql_query() runs the INSERT here; its return value must not be passed to mysql_query() again
            mysql_query("INSERT INTO respostas
                (resp_id, resp_loja, resp_usuario, resp_questionario, resp_area, resp_subgrupo, resp_pergunta_id, resp_resposta, resp_data, resp_status)
                VALUES
                ('', '$loja', '$id_usuario', '$questionario', '$area', '100', '$idpergunta', '$resp', '$datacad', '1')", $conexao) or die(mysql_error());
        }

        if (isset($_GET['proxima'])) {
            $pergunta = (int)$_GET['proxima'];
            header('Location: comportamento.php?nro_pergunta=' . $pergunta);
            exit; // stop the script after sending the redirect
        }

    } else {

        header("Location: vaParaAlgumLugar.php");
        exit;

    }
    ?>

But honestly, this is not the best and safest way to do a DB insertion. For that there is method="post", because with it you really know whether the user clicked on <input type="submit">. It also opens a huge doorway for hackers to 'use' this method to manipulate your query. Not to mention that you can retrieve some parameters via $_GET even when using the $_POST method on the form.

Forms with the $_GET method are good for searching the DB, for example. And even then, you have to create security classes or functions.

A tip: try not to use mysql_*; change to mysqli_* or PDO, since mysql_* is already out of date.

I hope I have helped you.

Hugs!

    
13.04.2016 / 19:08
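As an added example (not the asker's or the answerer's code), the POST version of the insert that the answer recommends: a one-time form token plus a Post/Redirect/Get redirect so that a refresh cannot insert twice, and a PDO prepared statement instead of SQL built from $_GET strings. It assumes conexao.php defines a PDO connection in $pdo, that respostas has a UNIQUE index over (resp_loja, resp_usuario, resp_questionario, resp_area, resp_subgrupo, resp_pergunta_id), and that the form page prints form_token() into a hidden field named token.

```php
<?php
// Added example: POST handler for comportamento.php. Assumes conexao.php defines $pdo (a PDO
// connection) and that respostas has a UNIQUE index on the six columns that identify one answer.
session_start();
require 'conexao.php';
// The form page calls this and puts the result in <input type="hidden" name="token">.
function form_token(): string
{
    $_SESSION['form_token'] = bin2hex(random_bytes(16));
    return $_SESSION['form_token'];
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 1. One-time token: a refresh re-posts a token that was already burned, so it is rejected.
    $token = (string)($_POST['token'] ?? '');
    if (!isset($_SESSION['form_token']) || !hash_equals($_SESSION['form_token'], $token)) {
        http_response_code(400);
        exit('Form already submitted or invalid.');
    }
    unset($_SESSION['form_token']);
    // 2. Validate input: resp must be one of the radio values the form offers.
    $resp = (int)($_POST['resp'] ?? -1);
    if (!in_array($resp, [0, 1, 2, 3, 5], true)) {
        http_response_code(400);
        exit('Invalid answer.');
    }
    $params = [
        ':loja'         => (string)($_POST['loja'] ?? ''),
        ':usuario'      => (string)($_POST['id_usuario'] ?? ''), // better taken from the login session
        ':questionario' => (string)($_POST['questionario'] ?? ''),
        ':area'         => (string)($_POST['area'] ?? ''),
        ':pergunta'     => (int)($_POST['pergunta'] ?? 0),
        ':resp'         => $resp,
    ];
    // 3. Prepared statement: values are bound, never concatenated into the SQL. INSERT IGNORE plus the
    //    UNIQUE index makes a second identical answer a no-op. NOW() stores date and time; a DATE column keeps only the date.
    $stmt = $pdo->prepare(
        'INSERT IGNORE INTO respostas
            (resp_loja, resp_usuario, resp_questionario, resp_area, resp_subgrupo,
             resp_pergunta_id, resp_resposta, resp_data, resp_status)
         VALUES (:loja, :usuario, :questionario, :area, 100, :pergunta, :resp, NOW(), 1)'
    );
    $stmt->execute($params);
    // 4. Post/Redirect/Get: the browser lands on a GET page, so refreshing it cannot re-submit the form.
    $next = (int)($_POST['nro_pergunta'] ?? 0) + 1;
    header('Location: comportamento.php?nro_pergunta=' . $next);
    exit;
}
```

The token also covers the case the answer mentions, a request crafted by hand without clicking the submit button, because a request without a valid session token is rejected before anything reaches the database.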