Score session

Tezread

So I have a form which creates a score $total_score in a session and is supposed to echo the variable $total_score in a results screen.
Here is my form:

<?php
include("include/session.php");
$_SESSION['formdata1']='';
$username = $_SESSION['username'];
$total_score = "0";
$_SESSION['totalscore'] = $total_score;
include("connect.php");
// query 
$sql = "SELECT * FROM qualityuser WHERE username = '".$username."'"; 
$result = mysql_query($sql); 
// if we have rows, fetch them & prepopulate the form
if(mysql_num_rows($result) > 0) { 
   $row = mysql_fetch_array($result); 
} else { 
   $row = array('firstname'=>'','secondname'=>'','organisation'=>'','telephone'=>'','address1'=>'','address2'=>'','town'=>''
   ,'postcode'=>'' ,'registeredcharity'=>'','incorporated'=>'','regionalassociation'=>'','regionalcharity'=>'','project'=>''
   ,'nature_selfhelp'=>'','nature_frontline'=>'','nature_intermediary'=>'','nature_infrastructure'=>'','nature_partnership'=>''
   ,'involved_commitee'=>'','involved_volunteers'=>'','involved_paid'=>'','funded_unrestrictedfunds'=>'','funded_localcouncil'=>''
   ,'funded_undercontract'=>'','funded_grants_fees'=>'','funded_socialenterprise'=>'','activity_care'=>'','activity_advice_individual'=>''
   ,'activity_advice_organisations'=>'','activity_specialist'=>'','activity_community'=>'','activity_awareness'=>'','activity_sport'=>''
   ,'activity_mutual_support'=>'','have_policies_procedures'=>'','have_management_structure'=>'','have_communication'=>'','have_supervision'=>''
   ,'have_strategy'=>'','have_aims'=>'','have_review'=>'');
} 
?> 
<input name="firstname" type="text" id="firstname" value="<?=$row['firstname']?>" size="40"></td>

/////etc////

the formhandler...

<?php 
include("include/session.php");
$_SESSION['totalscore'] = $total_score;
if(isset($_POST['submit'])){ 

include("connect.php"); 

$message = NULL;
$score = 0;
$score_pol_proc = 0;
//validate your form data 
   if (empty($_POST['firstname'])) { 

    $message .= '<p>You forgot to enter your first name!</p>'; 
} 

// Check for an second name. 
if (empty($_POST['secondname'])) { 

    $message .= '<p>You forgot to enter your second name</p>'; 
} 

   if (empty($_POST['organisation'])) { 

    $message .= '<p>You forgot to enter your organisation</p>'; 
} 

   if(count($message) > 0){ 
      //hold the error in session so you can display the error in your form page. 
      $_SESSION['message'] = $message; 

//redirect to the form 
header("Location: http://www.mindseyemidlands.co.uk/notts_quality/info_resource/selfassess_part1a_v1.php");        

} 

else { 
$query = "SELECT * FROM qualityuser WHERE username = '".$username."'";         

        $result = mysql_query($query); 
        $num = mysql_num_rows ($result); 
        if ($num == 1) { 

$title = $_POST['title']; 
$firstname = $_POST['firstname']; 
$secondname = $_POST['secondname']; 
$organisation = $_POST['organisation']; 
$telephone = $_POST['telephone']; 
$address1 = $_POST['address1']; 
$address2 = $_POST['address2']; 
$town = $_POST['town']; 
$postcode = $_POST['postcode']; 
$registeredcharity = $_POST['registeredcharity']; 
$incorporated = $_POST['incorporated']; 
$regionalassociation = $_POST['regionalassociation']; 
$regionalcharity = $_POST['regionalcharity']; 
$project = $_POST['project']; 
$nature_selfhelp = $_POST['nature_selfhelp']; 
$nature_frontline = $_POST['nature_frontline']; 
$nature_intermediary = $_POST['nature_intermediary']; 
$nature_infrastructure = $_POST['nature_infrastructure']; 
$nature_partnership = $_POST['nature_partnership']; 


$sql = "UPDATE qualityuser SET title = '$title',
firstname = '$firstname',
secondname = '$secondname',
organisation = '$organisation',
telephone = '$telephone',
address1 = '$address1',
address2 = '$address2',
town = '$town',
postcode = '$postcode',
registeredcharity = '$registeredcharity',
incorporated = '$incorporated',
regionalassociation = '$regionalassociation',
regionalcharity = '$regionalcharity',
project = '$project',
nature_selfhelp = '$nature_selfhelp',
nature_frontline = '$nature_frontline',
nature_intermediary = '$nature_intermediary',
nature_infrastructure = '$nature_infrastructure',
nature_partnership = '$nature_partnership',

WHERE username = '$username'";

mysql_query($sql, $connection) or die(mysql_error()); 


//set up an array for answers to 'organisation types' 
$orgtype = array(); 

// add values, if they exist 
if(isset($_POST['registeredcharity'])) { $orgtype[1] = $_POST['registeredcharity']; } 
if(isset($_POST['incorporated'])) { $orgtype[2] = $_POST['incorporated']; } 
if(isset($_POST['regionalassociation'])) { $orgtype[3] = $_POST['regionalassociation']; } 
if(isset($_POST['regionalcharity'])) { $orgtype[4] = $_POST['regionalcharity']; } 
if(isset($_POST['project'])) { $orgtype[5] = $_POST['project']; } 

//score for organisation type
foreach($orgtype as $key=>$value) 
{ 
    if($value == "1") 
    { 
        $score = $score + 5; 
    } 
    else 
    { 
        $score = $score + 0; 
    } 
} 
//scores for nature of organisation
$orgnature = array();

if(isset($_POST['nature_selfhelp'])) { $orgnature[1] = $_POST['nature_selfhelp']; } 
if(isset($_POST['nature_frontline'])) { $orgnature[2] = $_POST['nature_frontline']; } 
if(isset($_POST['nature_intermediary'])) { $orgnature[3] = $_POST['nature_intermediary']; } 
if(isset($_POST['nature_infrastructure'])) { $orgnature[4] = $_POST['nature_infrastructure']; } 
if(isset($_POST['nature_partnership'])) { $orgnature[5] = $_POST['nature_partnership']; } 

if($orgnature[1] == "1") 
    { 
        $score = $score + 5; 
    } 
	if($orgnature[2] == "1") 
    { 
        $score = $score + 5; 
    } 
	if($orgnature[3] == "1") 
    { 
        $score = $score + 10; 
    } 
	if($orgnature[4] == "1") 
    { 
        $score = $score + 10; 
    } 
	if($orgnature[5] == "1") 
    { 
        $score = $score + 15; 
    } 
$pol_proc = array();

if(isset($_POST['have_policies_procedures'])) { $pol_proc[1] = $_POST['have_policies_procedures']; }
if(isset($_POST['have_management_structure'])) { $pol_proc[2] = $_POST['have_management_structure']; }
if(isset($_POST['have_communication'])) { $pol_proc[3] = $_POST['have_communication']; }
if(isset($_POST['have_supervision'])) { $pol_proc[4] = $_POST['have_supervision']; }
if(isset($_POST['have_strategy'])) { $pol_proc[5] = $_POST['have_strategy']; }
if(isset($_POST['have_aims'])) { $pol_proc[6] = $_POST['have_aims']; }
if(isset($_POST['have_review'])) { $pol_proc[7] = $_POST['have_review']; }

if ($pol_proc[1] =="1") 
	$score_pol_proc = $score_pol_proc + 15;
	if ($pol_proc[2] || $pol_proc[3] || $pol_proc[4] =="1") 
	$score_pol_proc = $score_pol_proc + 10;
	if ($pol_proc[5] || $pol_proc[6] || $pol_proc[7] =="1") 
	$score_pol_proc = $score_pol_proc + 5;
	}

// Create a grand total by taking $pol_proc_score away from $scorePrint the number of points: 
$total_score = $score - $score_pol_proc;

//redirect to result display page 
header("Location: http://www.mindseyemidlands.co.uk/notts_quality/info_resource/selfassess_part1b_v1.php");   

//define variables

}

?>

the results page.

<?php
include("include/session.php");
$username = $_SESSION['username'];
$total_score =  $_SESSION['totalscore'];
echo 'You scored <strong>'. $total_score . '</strong> points!'; 
echo '<br><br>';

if ($total_score >= 26) echo 'xxxx';

else if ($total_score >= 9 && $total_score <= 25) echo 'yyyyy';
?>

But the $total_score is not echoed. This is very annoying as yesterday this worked but this morning it doesn't. I get no error message just that feedback in the results page is incorrect asmit should echo the $total_score

here it is in action (resigter and see for yourdself)

http://www.mindseyemidlands.co.uk/notts_quality/info_resource/main.php

Houdini

In order to use SESSION data you must FIRST start a session by using session_start() try using this first in your scripts to see the difference.
an example;

<?php
//the first php statement to use sessions effectively is below
session_start();
//the rest of your php script goes after the above
...
?>

bradgrafelman

He's including session.php, so I just assumed that he's starting the session. Perhaps not, though.

Also, why is this:

$_SESSION['totalscore'] = $total_score;

the third line of the script? $total_score hasn't even been defined...

EDIT: And then at the end of the script, you finally calculate what $total_score should be, but then you never add it to your session.

Also, your script is vulnerable to MySQL injection attacks. Might want to run all POST'ed data through a function like [man]mysql_real_escape_string/man (or, if you know that you're expecting an integer as a value, use [man]intval/man) before you put it in a SQL query.

Tezread

Thanks for the replies guys- I took it on board and had something working yesterday but I have changed it buy mistake and i have no backup
This is what I have so far. I still get the wrong feedback - it says "you scored 0 points" when really it should a high number

my form

<?php
include("include/session.php"); 
$_SESSION['formdata1']=''; 
$username = $_SESSION['username']; 
$total_score = $_SESSION['totalscore'];
include("connect.php"); 

// query 
$sql = "SELECT * FROM qualityuser WHERE username = '".$username."'"; 
$result = mysql_query($sql); 
// if we have rows, fetch them & prepopulate the form
if(mysql_num_rows($result) > 0) { 
   $row = mysql_fetch_array($result); 
} else {

my formhandler

<?php 
include("include/session.php"); 
$total_score = $_SESSION['totalscore'];
if(isset($_POST['submit'])){ 

include("connect.php"); 

$message = NULL; 
$score = 0; 
$score_pol_proc = 0; 
//validate your form data 

   if (empty($_POST['firstname'])) { 

    $message .= '<p>You forgot to enter your first name!</p>'; 
} 


   if(count($message) > 0){ 
      //hold the error in session so you can display the error in your form page. 
      $_SESSION['message'] = $message; 

//redirect to the form 
header("Location: http://www.mindseyemidlands.co.uk/notts_quality/info_resource/selfassess_part1a_v1.php");        

} 

else { 
$query = "SELECT * FROM qualityuser WHERE username = '".$username."'";         

        $result = mysql_query($query); 
        $num = mysql_num_rows ($result); 
        if ($num == 1) { 

$registeredcharity = $_POST['registeredcharity']; 
$incorporated = $_POST['incorporated']; 
$regionalassociation = $_POST['regionalassociation']; 
$regionalcharity = $_POST['regionalcharity']; 
////etc


$sql = "UPDATE qualityuser SET registeredcharity = '$registeredcharity',
incorporated = '$incorporated',
regionalassociation = '$regionalassociation',
regionalcharity = '$regionalcharity',

WHERE username = '$username'";

mysql_query($sql, $connection) or die(mysql_error()); 


//set up an array for answers to 'organisation types' 
$orgtype = array(); 

// add values, if they exist 
if(isset($_POST['registeredcharity'])) { $orgtype[1] = $_POST['registeredcharity']; } 
if(isset($_POST['incorporated'])) { $orgtype[2] = $_POST['incorporated']; } 
if(isset($_POST['regionalassociation'])) { $orgtype[3] = $_POST['regionalassociation']; } 
if(isset($_POST['regionalcharity'])) { $orgtype[4] = $_POST['regionalcharity']; } 
if(isset($_POST['project'])) { $orgtype[5] = $_POST['project']; } 

//score for organisation type
foreach($orgtype as $key=>$value) 
{ 
    if($value == "1") 
    { 
        $score = $score + 5; 
    } 

////etc.........
$pol_proc = array();

if(isset($_POST['have_policies_procedures'])) { $pol_proc[1] = $_POST['have_policies_procedures']; }
if(isset($_POST['have_management_structure'])) { $pol_proc[2] = $_POST['have_management_structure']; }
if(isset($_POST['have_communication'])) { $pol_proc[3] = $_POST['have_communication']; }
if(isset($_POST['have_supervision'])) { $pol_proc[4] = $_POST['have_supervision']; }
if(isset($_POST['have_strategy'])) { $pol_proc[5] = $_POST['have_strategy']; }
if(isset($_POST['have_aims'])) { $pol_proc[6] = $_POST['have_aims']; }
if(isset($_POST['have_review'])) { $pol_proc[7] = $_POST['have_review']; }

if ($pol_proc[1] =="1") 
	$score_pol_proc = $score_pol_proc + 15;
	if ($pol_proc[2] || $pol_proc[3] || $pol_proc[4] =="1") 
	$score_pol_proc = $score_pol_proc + 10;
	if ($pol_proc[5] || $pol_proc[6] || $pol_proc[7] =="1") 
	$score_pol_proc = $score_pol_proc + 5;
	}

// Create a grand total by taking $pol_proc_score away from $scorePrint the number of points: 
$total_score = $score - $score_pol_proc;
$total_score = $_SESSION['totalscore'];


//redirect to result display page 
header("Location: http://www.mindseyemidlands.co.uk/notts_quality/info_resource/selfassess_part1b_v1.php");   


}
   }

results page

include("include/session.php"); 
$username = $_SESSION['username']; 
$total_score =  $_SESSION['totalscore']; 

echo 'You scored <strong>'. $total_score . '</strong> points!'; 
echo '<br><br>';

if ($total_score >= 26) echo 'xxxx';

else if ($total_score >= 9 && $total_score <= 25) echo 'yyyy';
else if ($total_score <= 8) echo 'zzzzzzz';
?>

Can i just clarify that you should always have $var = $session['var']; as oppose to $session['var'] = $var;

bradgrafelman

There's a couple of places in your formhandler where you modify session data and then immediately redirect the user with a header() call. Try putting a [man]session_write_close/man call before the header() call so that PHP has the chance to write the data to disk before the user requests it again.

Tezread

I did try this but now there is no score displayed at all- it says you have scored points

Tezread

Dohh! (slap on forehead) I have not been consistently naming my vars e.g. $total_score was $totalscore
BTW I didn't use the session close function. I can understand why you suggested it though. Now i need to work on those potential injection attacks. Like you said i can make use of the mysql_escape_string function somehow

bradgrafelman

Don't forget to mark this thread resolved.