add a complex decision making rule in php

mattibutt
hi
I have a quiz which is accessible via a code, and the user is logged in. I have been facing one problem for a while now; I have tried a few times to resolve it, but it always takes me to a dead end and I can't find a way to fix the problem.
Problem:
When the user enters the code he is sent to a page where he must agree to the terms and conditions. Once he agrees to the T&C, this information is written to the database. What I want to be able to do is basically allow the user to skip the T&C part if he has already accepted it on a previous occasion. I can't use a cookie to solve this problem because I am not talking about a limited time: the user can come back in a couple of days and play again, so it needs to be done on the backend.

// code for the place where the user enters the code
<form action="Trivia.php?menu=set" method="post">
    <span>Welcome, <br>
    Enter Code To Play. &raquo;</span>
    <br />
    <input type="text" name="name_full" style="width:150px" />
    <br />
    <input type="hidden" name="email_id" />
    <input type="hidden" name="total_question" value="10" />
    <input type="hidden" name="time" value="1" />
    <input type="image" src="images/start.jpg" />
    <input type="hidden" name="next_step" value="true" />
</form>
// terms and conditions page, which I want to skip when the user plays for the 2nd time
<script type="text/javascript">
function Submit(frm)
{
    if (!frm.accepted.checked) {
        alert('Please check the terms and conditions box.\n\nThank you.');
    }
    return frm.accepted.checked;
}
</script>
<form action="Trivia.php?menu=start" method="post" onsubmit="return Submit(this);">
    <table>
        <tr>
            <td width="30%" style="text-align:right"> </td>
            <td width="70%"><input type="hidden" name="total_question" value="10" /></td>
        </tr>
        <tr>
            <td width="30%" style="text-align:right"> </td>
            <td width="70%"><input type="hidden" name="time" value="1" /></td>
        </tr>
        <tr>
            <td width="30%" style="text-align:right"> </td>
            <td width="70%">
                <label>
                    I have read and accept the terms &amp; conditions: <input type="checkbox" name="accepted" value="1" />
                </label>
            </td>
        </tr>
        <tr>
            <td></td>
            <td>
                <!-- escaped on output: the session value originally came from a form field -->
                <input type="hidden" name="full_name" id="full_name" value="<?php echo htmlspecialchars($_SESSION['full_name']); ?>" />
                <input type="image" src="images/start.jpg" />
                <input type="hidden" name="next_step" value="true" />
            </td>
        </tr>
    </table>
</form>
 
 
 
 
 
 
 
// Handler for menu=set: validate the entered code, then build the quiz in the session
global $quiz_ready;
$quiz_ready = 'no';
if ($_GET['menu'] == 'set' && $quiz_ready == 'no')
{
    global $error, $total_question, $time_sec, $time_min, $cat1, $use_tedu, $total_rows, $correct, $wrong, $unanswered;

    // Escape the posted code before it goes into SQL (the original interpolated $_POST['name_full'] unescaped)
    $code = isset($_POST['name_full']) ? mysql_real_escape_string($_POST['name_full']) : '';

    $query = "SELECT * FROM enter WHERE randomcode='$code'";
    $res = mysql_query($query);
    $query = "SELECT DISTINCT quiz FROM enterused WHERE type = 0 AND randomcode='$code'";
    $ress = mysql_query($query);
    $query = "SELECT DISTINCT quiz FROM enterused WHERE type = 1 AND randomcode='$code'";
    $resp = mysql_query($query);

    // The code must exist and must not be used up: 3 plays of type 0, 5 of type 1
    if (mysql_num_rows($res)) {
        $access_granted = true;
    } else {
        $access_granted = false;
        $quiz_ready = 'no';
    }

    if (mysql_num_rows($ress) >= 3) {
        $access_granted = false;
        $quiz_ready = 'no';
    }

    if (mysql_num_rows($resp) >= 5) {
        $access_granted = false;
        $quiz_ready = 'no';
    }

    if ($access_granted) {
        if (isset($_POST['next_step']) && isset($_POST['total_question']) && isset($_POST['time']))
        {
            // Get random questions
            $stamp = date('mdyHis');
            $_SESSION['quiz_date'] = date('d-M-y ,D');
            $_SESSION['quiz_time'] = date('H:i:s');
            $_SESSION['quiz_id'] = $stamp;
            $_SESSION['full_name'] = $_POST['name_full'];
            $_SESSION['quiz_term'] = isset($_POST['accepted']) ? $_POST['accepted'] : null;   // only the T&C form posts this
            $_SESSION['quiz_total_question'] = (int) $_POST['total_question'];
            $_SESSION['quiz_time_sec'] = $_POST['time'] * 60;   // time in seconds
            $_SESSION['quiz_time_msec'] = $_POST['time'] * 60;
            $_SESSION['quiz_time_min'] = $_POST['time'];
            $_SESSION['quiz_cat1'] = isset($_POST['cat1']) ? $_POST['cat1'] : null;
            $_SESSION['type'] = isset($_POST['type']) ? $_POST['type'] : null;

            $query = "SELECT * FROM pq_crtp_quiz";
            $sql = mysql_query($query);
            $total_rows = mysql_num_rows($sql);

            // Draw distinct random question ids (assumes ids are contiguous and start at 1)
            $i = 0;
            $rand_arr = array();
            while ($i < $_SESSION['quiz_total_question'])
            {
                $rand_num = rand(1, $total_rows - 1);
                // in_array, not array_search: a hit at index 0 would otherwise read as "not found"
                if (!in_array($rand_num, $rand_arr))
                {
                    $rand_arr[$i] = $rand_num;
                    $i++;
                }
            }
            global $quiz_data;
            for ($i = 0; $i < $_SESSION['quiz_total_question']; $i++)
            {
                $query = "SELECT DISTINCT(id), question, option1, option2, option3, answer, category, counter FROM pq_crtp_quiz WHERE id = " . (int) $rand_arr[$i];
                $sql = mysql_query($query);
                $quiz_data[$i] = mysql_fetch_array($sql);
            }
            $_SESSION['quiz_data'] = $quiz_data;
            //print_r($quiz_data);
        }
        elseif (isset($_POST['next_step']))
        {
            $error = "Some of the fields are left empty !";
            header('Location: Trivia.php?menu=set');
            exit();   // stop here; the original carried on executing after the redirect header
        }
    } else {
        header('Location: Trivia.php?menu=set');
        $smarty->assign('errors', $error);   // the original assigned an undefined $errors
        $smarty->display('quiz.tpl');
        exit();
    }
}

// This is the code block which inserts the T&C reference with the user id when he plays for the first time, and I think it needs to be used to create this new logic
$query = "INSERT INTO terms VALUES ('', '" . mysql_real_escape_string($_SESSION['quiz_term']) . "', '"
       . mysql_real_escape_string($userdata['username']) . "', '" . mysql_real_escape_string($_SESSION['quiz_id']) . "')";
$sql = mysql_query($query);

Commented:
You need to use some kind of "sign-in" logic that tests the database for the indicator that the client has accepted the T&C.  You can use a password challenge/response or a cookie to establish the client identity.  Then once you know the identity, you check the database.

Does that make sense? ~Ray

Commented:
Yup! something like this in your login script:-

// Look the user up and, on success, carry the T&C flag in the session
$sql = "SELECT * FROM allowed_users WHERE login_name='" . mysql_real_escape_string($_POST['login_name']) . "' AND password='" . mysql_real_escape_string($_POST['password']) . "'";
$result = mysql_query($sql);
if (mysql_num_rows($result) == 1)
{
    $user = mysql_fetch_assoc($result);
    $_SESSION['name'] = $user['name'];
    $_SESSION['userID'] = $user['userID'];
    $_SESSION['TaC'] = $user['accepted_term_and_conditions'];
}


then later
if (!$_SESSION['TaC'])
{
    // show Terms and Conditions
}

and also save the result if they accepted them
// same column name as the SELECT above (the original mixed userID and user_id); cast keeps the id numeric
$sql = "UPDATE allowed_users SET accepted_term_and_conditions=1 WHERE userID=" . (int) $_SESSION['userID'];
Commented:
I might also suggest that acceptance of terms and conditions should be a separate table, since the T&C would change over time.  Each row would be the date of the last acceptance.  Then you can tie features of the web site to the minimum T&C acceptance date.  If a new feature requires a new acceptance, you can easily prompt the client to acknowledge the most recent T&C.  It may be a little more complex this way, but your legal protection will be much stronger.  HTH, ~Ray
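Ray's separate, dated acceptance table, worked through as an added example (this is not code from the thread, and it is not the asker's `terms` table). PDO prepared statements stand in for the thread's mysql_* string-built queries. The `terms_acceptance` table and its columns, the `CURRENT_TERMS_VERSION` value, the DSN, `login.php` and `$_SESSION['username']` are all assumptions:

```php
<?php
// Added example, not code from the thread. Assumed schema (not the asker's `terms` table):
//   CREATE TABLE terms_acceptance (
//       id            INT AUTO_INCREMENT PRIMARY KEY,
//       username      VARCHAR(64) NOT NULL,
//       terms_version DATE        NOT NULL,   -- publication date of the T&C text accepted
//       accepted_at   DATETIME    NOT NULL,
//       INDEX (username, terms_version)
//   );
// PDO prepared statements replace the thread's mysql_* string-built queries.

// Publication date of the T&C text currently in force; change it when the terms change.
const CURRENT_TERMS_VERSION = '2012-01-01';   // assumed value

function latestAcceptedVersion(PDO $db, string $username): ?string
{
    $stmt = $db->prepare(
        'SELECT MAX(terms_version) FROM terms_acceptance WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $version = $stmt->fetchColumn();
    // MAX() over no rows yields NULL; fetchColumn() yields false when there is no row at all
    return ($version === false || $version === null) ? null : (string) $version;
}

// A feature that needs the T&C published on $requiredVersion or later calls this.
// True when the user never accepted, or last accepted an older text.
function mustAcceptTerms(PDO $db, string $username, string $requiredVersion = CURRENT_TERMS_VERSION): bool
{
    $accepted = latestAcceptedVersion($db, $username);
    return $accepted === null || $accepted < $requiredVersion;   // YYYY-MM-DD strings order correctly
}

function recordAcceptance(PDO $db, string $username, string $version = CURRENT_TERMS_VERSION): void
{
    $stmt = $db->prepare(
        'INSERT INTO terms_acceptance (username, terms_version, accepted_at) VALUES (:u, :v, NOW())'
    );
    $stmt->execute([':u' => $username, ':v' => $version]);
}

// Use in the quiz flow. Identity comes from the login session, never from the URL.
session_start();
$db = new PDO('mysql:host=localhost;dbname=quiz;charset=utf8mb4', 'dbuser', 'dbpass',   // assumed DSN
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (empty($_SESSION['username'])) {
    header('Location: login.php');   // assumed login page
    exit;
}
$username = $_SESSION['username'];

// The T&C form's checkbox (name="accepted", value="1") posts back here
if (isset($_POST['accepted']) && $_POST['accepted'] === '1') {
    recordAcceptance($db, $username);
}

if (mustAcceptTerms($db, $username)) {
    // render the T&C form: no acceptance of the current text is on record for this user
} else {
    // skip the T&C page and go straight to the quiz
}
```

Each acceptance is a new row rather than an overwritten flag, so the history survives a change of terms: raising `CURRENT_TERMS_VERSION` makes `mustAcceptTerms()` true again for everyone who only accepted the old text, which is the re-prompt Ray describes.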

Author

Commented:
hi guys
Thanks for the replies. I get the idea you are describing, but the problem is incorporating it into the current application.
The quiz has four stages:
1: user must be logged in
2: user must enter a valid code
3: if the code is valid then show the T&C, else show the error
4: load the quiz

So clearly the fundamental problem I have is the "how to".
The first form posts the code to the set step:
<form action="Trivia.php?menu=set" method="post">

The 2nd form verifies the code is correct and shows the T&C or the error:
<form action="Trivia.php?menu=start" method="post" onsubmit="return Submit(this);">
This is where I believe I need to make the modifications:
$quiz_ready = 'no';
if ($_GET['menu'] == 'set' && $quiz_ready == 'no')
{
    global $error, $total_question, $time_sec, $time_min, $cat1, $use_tedu, $total_rows, $correct, $wrong, $unanswered;

    $query = "SELECT * FROM enter WHERE randomcode='" . mysql_real_escape_string($_POST['name_full']) . "'";

or here, but I can't come up with the idea of how to do just that:
if (isset($_POST['next_step']) && isset($_POST['total_question']) && isset($_POST['time']))
{

This line may not be telling the correct story; it is my fault for not making it clear that it is for entering the code:
$_POST['name_full

I am already writing the user's response to the T&C in the database table, as you can see from the very last lines of code in my first post; manipulating or making a decision based on this data is what is not coming to me.



// This is the code block which inserts the T&C reference with the user id when he plays for the first time, and I think it needs to be used to create this new logic
$query = "INSERT INTO terms VALUES ('', '" . mysql_real_escape_string($_SESSION['quiz_term']) . "', '"
       . mysql_real_escape_string($userdata['username']) . "', '" . mysql_real_escape_string($_SESSION['quiz_id']) . "')";
$sql = mysql_query($query);
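The "where does the check go" question above, answered as an added example that is not the asker's code: the menu=set step is rewritten so that, once the code has passed the same existence and play-count checks as the original, the T&C view is returned only when no acceptance is on record for the signed-in user. Assumptions: PDO instead of mysql_*; the asker's `terms` table has columns (id, accepted, username, quiz_id) in the order of the INSERT above; the login step stored the name in `$_SESSION['username']`; the view names, error text, DSN and the caller's rendering are made up here.

```php
<?php
// Added example, not the asker's code: the menu=set step rewritten so the T&C page is
// shown only when the signed-in user has no acceptance on record. Assumptions: PDO instead
// of mysql_*; the asker's `terms` table has columns (id, accepted, username, quiz_id) in the
// order of the INSERT in the question; login stored the name in $_SESSION['username'];
// the caller renders the view name this returns.

function isKnownCode(PDO $db, string $code): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM enter WHERE randomcode = :code');
    $stmt->execute([':code' => $code]);
    return (int) $stmt->fetchColumn() > 0;
}

// Same play limits as the asker's code: 3 distinct quizzes of type 0, 5 of type 1, per code.
function codeExhausted(PDO $db, string $code): bool
{
    $limits = [0 => 3, 1 => 5];
    $stmt = $db->prepare(
        'SELECT COUNT(DISTINCT quiz) FROM enterused WHERE type = :t AND randomcode = :code'
    );
    foreach ($limits as $type => $max) {
        $stmt->execute([':t' => $type, ':code' => $code]);
        if ((int) $stmt->fetchColumn() >= $max) {
            return true;
        }
    }
    return false;
}

// The decision the question asks for: has this user ever accepted the T&C?
function hasAcceptedTerms(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM terms WHERE username = :u AND accepted = 1');
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn() > 0;
}

// Returns the name of the view to show next; $session is updated in place.
function handleSetStep(PDO $db, array $post, array &$session): string
{
    if (empty($session['username'])) {
        return 'login';
    }
    $code = trim((string) ($post['name_full'] ?? ''));
    if ($code === '' || !isKnownCode($db, $code) || codeExhausted($db, $code)) {
        $session['error'] = 'That code is not valid or has been used up.';
        return 'code_error';
    }
    $session['quiz_code'] = $code;          // carry state in the session, not in the URL

    if (hasAcceptedTerms($db, $session['username'])) {
        $session['quiz_term'] = '1';        // the value the T&C checkbox would have posted
        return 'start';                     // skip the T&C page entirely
    }
    return 'terms';                         // first play: show the T&C form
}

session_start();
$db = new PDO('mysql:host=localhost;dbname=quiz;charset=utf8mb4', 'dbuser', 'dbpass',   // assumed DSN
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (($_GET['menu'] ?? '') === 'set' && isset($_POST['next_step'])) {
    $view = handleSetStep($db, $_POST, $_SESSION);
    if ($view === 'start') {
        // The menu=start step must then accept $_SESSION['quiz_term'] in place of the posted checkbox
        header('Location: Trivia.php?menu=start');
        exit;
    }
    // otherwise render $view ('login', 'code_error' or 'terms') with the template engine
}
```

The only new state introduced is `$_SESSION['quiz_term'] = '1'` for a returning user, so the existing start step keeps working if it reads the flag from the session when the checkbox was not posted; the code-entry and play-limit behaviour are unchanged.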


Commented:
mattibutt: I think you may want to redesign this application a bit.  Here is why.  

You MUST NEVER depend on the contents of the URL GET string for anything  more than an unvalidated indicator of which "view" to provide of your web site.  If you carry anything else, you are at risk of (an inevitable) attack.  

And if you receive information from the GET string, you must ensure that it is valid and acceptable.  For example, if it is expected to be a record id number, you must check to be sure it does not contain something like "1; DROP TABLE terms" or that it does not request a record that is for a different user other than the one who is signed in.  These basic protection schemes are critical, and are part of the inherent rules of the WWW.

You should have the stateful information set in the $_SESSION array, and not carried in the URL.

Redesigning the application is beyond the scope of what we can do in a Q-n-A dialog here at EE, but hopefully you will be inspired to move information out of the action="Trivia.php?menu=set" string and into the session vars.

best regards, ~Ray
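Ray's two rules, shown as an added example (not code from the thread): `$_GET['menu']` is only ever a view selector checked against an allowlist, the quiz state lives in `$_SESSION`, and a record lookup is both shape-checked and scoped to the signed-in user. Assumptions: PDO; the asker's `terms` table has `username` and `quiz_id` columns; the view names other than `set` and `start`, the `quiz` query parameter, `login.php` and the DSN are made up here.

```php
<?php
// Added example, not the asker's code: $_GET['menu'] serves only as a view selector checked
// against an allowlist; identity and quiz state live in $_SESSION; any record lookup is scoped
// to the signed-in user. Assumptions: PDO; the asker's `terms` table has columns username and
// quiz_id; view names other than 'set' and 'start', the 'quiz' parameter and the login page
// are made up here.

const VIEWS = ['set', 'start', 'play', 'result'];

// Anything missing, non-string or unknown falls back to the first step rather than being trusted.
function selectView($menu): string
{
    return (is_string($menu) && in_array($menu, VIEWS, true)) ? $menu : 'set';
}

// A quiz id is accepted only if it is all digits (the asker builds it with date('mdyHis'))
// and the row belongs to the signed-in user; every other request yields null.
function loadOwnQuiz(PDO $db, string $username, $quizId): ?array
{
    if (!is_string($quizId) || $quizId === '' || !ctype_digit($quizId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM terms WHERE quiz_id = :q AND username = :u');
    $stmt->execute([':q' => $quizId, ':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start();
$db = new PDO('mysql:host=localhost;dbname=quiz;charset=utf8mb4', 'dbuser', 'dbpass',   // assumed DSN
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (empty($_SESSION['username'])) {
    header('Location: login.php');   // assumed login page
    exit;
}

$view = selectView($_GET['menu'] ?? null);

if ($view === 'result') {
    // Prefer the id stored in the session during play. If one ever arrives in the request
    // (a results link, say), it still passes the same digit check and owner-scoped query.
    $quizId = $_SESSION['quiz_id'] ?? ($_GET['quiz'] ?? null);
    $quiz = loadOwnQuiz($db, $_SESSION['username'], $quizId);
    if ($quiz === null) {
        $view = 'set';   // nothing of this user's to show: restart rather than guess
    }
}
// render $view with the template engine
```

With the `username = :u` clause in the query, a well-formed id that belongs to someone else returns no row and the page restarts, which is the "different user" case Ray mentions; the digit check keeps anything that is not an id from reaching the database at all.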

Author

Commented:
hi Ray
Thanks for your detailed response. As you know I greatly value your opinion, but I am sure you know I have been working with this application for a while now. I have come to the stage where rewriting doesn't seem an option in the short run; when I have more time I will do just that. Although I do agree with you that it's a stupid design from your point of view, is what I am trying to achieve based on the current design not possible?
All I want to do is simply either redirect the page or skip the page, but keeping the code feature intact.
Commented:
Sorry, I don't really keep track of individual applications - just questions.  When you need to carry information from one page to another, instead of putting information into the URL get string, I am suggesting you move it between pages by putting it into the session.  You cannot move resources - only variables.

While I understand that it may not seem to make sense for you to rewrite or redesign, you have to ask yourself if it makes sense to put up an application that is easily attacked.  As I see it, those are your choices and neither one is very good.  But one is safe and the other is not.  Good luck,...

HTH, ~Ray
