Old 05-07-2008, 10:15 AM
Geoff Cox
Re: code OK for large number of hits?

On Sun, 04 May 2008 21:31:03 -0400, Jerry Stuckle
<jstucklex@attglobal.net> wrote:

>> @require(dirname(__FILE__) . '/../../../config/config.php');
>>
>> $result1 = $_GET['answer1'];
>> $result2 = $_GET['answer2'];
>> $result3 = $_GET['answer3'];
>> $result4 = $_GET['answer4'];
>>
>> mysql_connect($conf['sql']['host'], $conf['sql']['user'],
>> $conf['sql']['pass']) or die(mysql_error());
>> mysql_select_db($conf['sql']['db']) or die(mysql_error());
>>
>> mysql_query("INSERT INTO mytable (answer1,answer2,answer3,answer4)
>> VALUES ('$result1','$result2','$result3','$result4')");
>>

>
>Impossible to tell from what you have. But it looks like you have done
>absolutely no validation of the input data. The result can be a
>complete destruction of your database - or worse. Google for "SQL
>injection".


Jerry,

I have perhaps over simplified above - in fact only in one case is the
user asked to type in data - in the other cases it's a matter of
clicking on one of two images to give a response.

The box one does check for a number between 0 and 8

var number_check = number_given;
// Range check first; a NaN fails both comparisons and falls through
// to the isNaN test below.
if ( (number_check > 7) || (number_check < 1) ) {
alert("The number must be in the range 1 to 7!");
} else
if (isNaN(number_check)) {
alert("Please enter a valid number");
} else {
// Only a value in 1..7 reaches the send routine.
sendGroup1Lab1(number_check);
}

Is any further validation needed?

Cheers

Geoff
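An added example, not code from this thread: the quoted INSERT rewritten so the values are validated on the server (the browser-side check can be bypassed by anyone who sends the GET request by hand) and bound through a prepared statement. It assumes the same $conf['sql'] array from config.php, the PDO MySQL driver, and, as a simplification, that each of the four answers is expected to be an integer from 1 to 7.

```php
<?php
// Added example for the thread above; not the poster's code.
// Assumes $conf['sql'] comes from the same config.php and PDO is available.
require dirname(__FILE__) . '/../../../config/config.php';

// Return the answer as an integer in 1..7, or null if missing or invalid.
// The JavaScript check runs in the client, so the range is re-checked here.
function validAnswer(array $get, string $key): ?int
{
    if (!isset($get[$key])) {
        return null;
    }
    $n = filter_var($get[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 7]]);
    return $n === false ? null : $n;
}

$answers = [];
foreach (['answer1', 'answer2', 'answer3', 'answer4'] as $key) {
    $value = validAnswer($_GET, $key);
    if ($value === null) {
        http_response_code(400);
        exit("Invalid value for $key");
    }
    $answers[] = $value;
}

$dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4',
    $conf['sql']['host'], $conf['sql']['db']);
$pdo = new PDO($dsn, $conf['sql']['user'], $conf['sql']['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Placeholders keep the submitted values out of the SQL text entirely,
// so nothing the client sends can change the statement's structure.
$stmt = $pdo->prepare(
    'INSERT INTO mytable (answer1, answer2, answer3, answer4) VALUES (?, ?, ?, ?)'
);
$stmt->execute($answers);
```

If the image-click answers use a different value set than 1..7, give each field its own allowed range or list in validAnswer rather than relaxing the check.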