
I'm having a hard time debugging a problem in my code. Is there anybody who can guide me on what I should do? Here is the code for the radio buttons.

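<tbody class="tr-sortable">
    <?php
    /*
     * Render one row per questionnaire entry for the default school year,
     * with five radio buttons (1..5) per question. The criteria and year
     * values come from earlier DB rows ($crow, $syrow), not from the request,
     * but they are bound as parameters instead of concatenated so the query
     * text can never be changed by their content.
     */
    $sy = mysqli_query($conn, "SELECT * FROM acad_year WHERE sy_default=1");
    $qstmt = $conn->prepare("SELECT * FROM questionnaire WHERE criteria = ? AND acad_id = ?");
    while ($syrow = $sy->fetch_assoc()):
        $criteria = $crow['id_num'];
        $acadId = $syrow['id'];
        $qstmt->bind_param('ss', $criteria, $acadId);
        $qstmt->execute();
        /* get_result() needs the mysqlnd driver; use bind_result() if it is unavailable. */
        $questions = $qstmt->get_result();
        while ($row = $questions->fetch_assoc()):
            $q_arr[$row['id']] = $row;
            /* Every DB value placed in HTML is escaped; the question text is free-form
               and was previously echoed verbatim into the page. */
            $rowId = htmlspecialchars((string) $row['id'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            $questionText = htmlspecialchars((string) $row['question'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    ?>
    <tr class="bg-white">
        <td class="p-1" width="40%">
            <?php echo $questionText ?>
            <input type="hidden" name="qid[]" value="<?php echo $rowId ?>">
        </td>
        <?php for ($c = 1; $c <= 5; $c++): ?>
        <td class="text-center">
            <div class="icheck-success d-inline">
                <?php
                /* The original printed a short ternary ($c == 5 ?: '') inside this tag,
                   which emits a bare `1` attribute on the fifth radio (the short ternary
                   yields true). It has no effect and is dropped here; write `checked`
                   explicitly if a default selection was intended. */
                ?>
                <input type="radio" name="rate[<?php echo $rowId ?>]" id="qradio<?php echo $rowId . '_' . $c ?>" value="<?php echo $c ?>">
                <label for="qradio<?php echo $rowId . '_' . $c ?>"></label>
            </div>
        </td>
        <?php endfor; ?>
    </tr>
        <?php endwhile; ?>
    <?php endwhile; ?>
    <?php $qstmt->close(); ?>
</tbody>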

And here is the script I created, as well as the URL and action it will go through.

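<?php
ob_start();
date_default_timezone_set("Asia/Manila");

// Route by ?action=...; default to '' so a missing parameter does not raise an
// undefined-index notice (which the included file's display_errors=1 would print
// into the response) and simply matches no branch.
$action = isset($_GET['action']) ? $_GET['action'] : '';
include 'evaluation_submit.php';
$crud = new Action();
// $_GET values are always strings, so the strict comparison is equivalent to ==.
if ($action === 'save_evaluation') {
    $save = $crud->save_evaluation();
    if ($save) {
        echo $save;
    }
}
ob_end_flush();
?>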

This is the action that runs when the evaluation form is submitted, but I don't know why it doesn't save the answers to my database. Can somebody enlighten me?

<?php
session_start();
// Prints PHP notices and warnings into the HTTP response. Useful while this
// form is being debugged, but it also exposes file paths and failed SQL to
// whoever submits the form, so it should not stay on outside development.
ini_set('display_errors', '1');
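class Action {
    /** mysqli connection taken from ../includes/conn.php ($conn). */
    private $db;

    public function __construct() {
        ob_start();
    include '../includes/conn.php';
    
    $this->db = $conn;
    }

    /**
     * Store the submitted questionnaire answers.
     *
     * Reads qid[] (question ids) and rate[<question id>] (1..5) from $_POST,
     * as posted by the evaluation form, and inserts one evaluation_answers row
     * per answered question. Returns 1 when at least one insert was attempted,
     * null otherwise (the value the calling script echoes).
     *
     * NOTE(review): the original called extract($_POST) and then tested $save,
     * which nothing in the function assigns, so the insert loop never ran and
     * nothing reached the database. insert_id is only meaningful after the
     * parent evaluation row has been inserted; that table and its columns are
     * not shown in this file, so the step is a labelled placeholder below.
     */
    function save_evaluation(){
        // Read fields explicitly: extract($_POST) let any posted field name
        // overwrite a local variable, including $save and $eid.
        $qid  = isset($_POST['qid']) && is_array($_POST['qid']) ? $_POST['qid'] : [];
        $rate = isset($_POST['rate']) && is_array($_POST['rate']) ? $_POST['rate'] : [];

        // TODO(review): run the parent evaluation INSERT here and keep its
        // result in $save (e.g. $save = $this->db->query(<PARENT_INSERT>)).
        $save = false;
        if($save){
            $eid = $this->db->insert_id;
            // Prepared once, executed per question: posted ids and rates are bound
            // as integers instead of being interpolated into the SQL text.
            $stmt = $this->db->prepare(
                "INSERT INTO evaluation_answers SET evaluation_id = ?, question_id = ?, rate = ?"
            );
            foreach($qid as $v){
                if (!isset($rate[$v])) {
                    continue; // question left unanswered: no row, no broken query
                }
                $questionId = $v;
                $rating = $rate[$v];
                $stmt->bind_param('iii', $eid, $questionId, $rating);
                $ins[] = $stmt->execute();
            }
            $stmt->close();
            if(isset($ins))
                return 1;
        }
    }

    function __destruct() {
        $this->db->close();
        ob_end_flush();
    }
}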
?>
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman May 27 '22 at 10:15
  • Some Q's I have from your question, like is there any kind of change made to the database - even if it's not something you're expecting. And, what have you tried for troubleshooting? Clearly state what you are expecting to be inserted into your db (maybe include the relevant portion of your db schema). – Kingsolmn May 27 '22 at 23:45
  • I'm not clear on what is trying to be done here: `name="rate[]" ` ?? ... I would expect to only see `name=rate[]` without any other tampering. The `value` attribute would cover what should be set. – Paul T. May 29 '22 at 23:30
