I have been putting a quiz together with jQuiz: http://www.fatihacet.com/lab/jQuiz/

If you take the test you will see it shows your score at the end in the format of 90/100 (it only has four questions).

How would you pass the score the user got to a variable to then perform a SQL and IF statement?

In the jQuiz.js file it has the following code at the bottom:

    $('.btnShowResult').click(function(){
        $('#progress').width(300);
        $('#progressKeeper').hide();
        var results = jQuiz.checkAnswers();
        var resultSet = '';
        var trueCount = 0;
        for (var i = 0, ii = results.length; i < ii; i++){
            if (results[i] == true) trueCount++;
            resultSet += '<div> Question ' + (i + 1) + ' is ' + results[i] + '</div>';
        }
        resultSet += '<div class="totalScore">Your total score is ' + trueCount * 20 + ' / 100</div>';
        $('#resultKeeper').html(resultSet).show();
    });

I tried

$Count = var results;

if($Count >= "90")
{
   $award = $db->exec("UPDATE users SET test='passed' WHERE username='$username'");
} 

I feel I have the right idea but am just missing something crucial as it is not working or doing anything. Thanks for any direction or help you can give me.

Miura-shi
  • Looking at that, couldn't you do something like `$Count = trueCount*20`? As that seems to be what is actually giving the total mark, not `results` – Joshua M Nov 15 '12 at 18:09
  • so all I have to do to pass a test is fake an ajax request and pass count=91 to the server? – Marc B Nov 15 '12 at 18:09

1 Answer

You're coming at this from the wrong angle.

  1. It's easy for someone to fake passing your quiz if they are technically minded. All they need to do is fire up the browser's developer tools and edit the data on the page. You're better off using something that doesn't rely on trusting data from the client. Of course, this might just be a frivolous quiz where it doesn't really matter if the user passed or not.
  2. JavaScript runs on the client while PHP runs on the server. They cannot share variables in this way. You will need to send the score to the server in some way. This question might be a good place to start.

Please also make sure that $username is coming from a source that you trust (i.e. not the client). Otherwise you need to worry about SQL injection. Even if you trust it you'd need to make sure that it didn't contain apostrophes. You should really be using prepared statements/parameterised queries.

Community
alnorth29
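
What the answer recommends, as an added example that is not part of the original answer: the browser posts the chosen answers rather than a score, the server grades them against a key it holds, and the update runs as a prepared statement. The answer key, the posted field names, the session-held username and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical answer key, kept on the server only (question id => correct option).
const ANSWER_KEY = ['q1' => 'b', 'q2' => 'd', 'q3' => 'a', 'q4' => 'c'];
const PASS_MARK = 90; // threshold taken from the question's IF statement

// Score the submitted answers against the server-side key; returns 0-100.
function gradeQuiz(array $key, array $submitted): int
{
    $correct = 0;
    foreach ($key as $questionId => $expected) {
        // Strict comparison: missing values, arrays or other types score nothing.
        if (($submitted[$questionId] ?? null) === $expected) {
            $correct++;
        }
    }
    return intdiv($correct * 100, count($key));
}

// Mark the user as passed with a bound parameter instead of string interpolation.
function recordPass(PDO $db, string $username): void
{
    $stmt = $db->prepare("UPDATE users SET test = 'passed' WHERE username = :username");
    $stmt->execute([':username' => $username]);
}

// --- Constructed demo: in-memory SQLite stands in for the real database. ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, test TEXT)");
$db->exec("INSERT INTO users VALUES ('o''brien', NULL)");

// In a real handler these would come from $_SESSION['username'] and $_POST (assumed names).
$username = "o'brien"; // constructed value containing an apostrophe
$posted = ['q1' => 'b', 'q2' => 'd', 'q3' => 'a', 'q4' => 'c', 'score' => '100'];

$score = gradeQuiz(ANSWER_KEY, $posted); // any client-sent 'score' field is ignored
if ($score >= PASS_MARK) {
    recordPass($db, $username);
}
echo "score=$score\n";
echo $db->query("SELECT test FROM users")->fetchColumn(), "\n";
```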