How to prevent sending when the student number is not filled in?

Beginners - Learning PHP
#1

I have a long webpage, an exam for a friend. Sometimes, in the heat of the moment, a student will forget to enter the student number, which is very important.

<form action="php/getcweap1sW18.php" method="POST" name="myForm" onsubmit="return checkForExpiration();" > 
<div id="div-sn">
<label for="sn"> Please enter your student number here:  <input TYPE="phone" pattern="\d{10}" NAME="sn" maxlength="10" size="10"> </label><br>
<label for="sname"> Please enter your name here:  <input type="Text" NAME="sname" maxlength="10" size="10"> </label>
</div><br>

I thought I should get an error, and get taken back to the student number field. But it sends anyway!

What is the best way to prevent this?

#2

Only logged in students should be able to take an exam. The student id would be gotten from the login session variable, not a form field.

#3

Not quite right:

I have a secure pdo login working now. It uses an email and a password unknown to me.

Each student’s answers are saved by php to my webpage, as a simple text file.

The student number from the form is the name of the file.

I get the files with rsync and mark them on my laptop using my little Python program, which writes all the scores to an excel in about 2 seconds.

Without the student number, no marking!

If you know how to prevent sending without a student number, you may share, if you wish. maybe a javascript??

#4

Somehow, you are making this harder than necessary.

Your login system should control what a visitor can see or do on each web page. If a non-logged in user visits a web page that requires knowing who the user is, the login form should be displayed. Once the user is logged in and they visit the exam page, any exam(s) that user is authorized to take would be displayed. When the exam is submitted, you would get the user’s id from the login session variable and store that with the exam data.

This is the equivalent to a teacher seeing and identifying the students in his/her class before giving them an exam paper.

#5

As phdr said, the simplest way to solve this is to have the student number next to their login in the database. Then when you get a submission you can pull the number from there.

The alternative is you don’t allow a submission without a student number. But then how are you going to check if the student number is a valid student number? Or the correct student number for the logged in user? What are you going to do if they don’t match? Is a student allowed to submit work for another student?

That gets complicated; the simpler alternative is to add the student numbers to your system, so you know who each user is.

#6

Well, 2 points I would make:

  1. I was advised not to use a student number as a password here, so, when I finally got the pdo login system working, I left student numbers out of the equation entirely. Just an email and a password of which I have no knowledge. I don’t know who owns that email.

  2. If I collect the student number in the registration process and the student enters a wrong student number, as skawid suggests might happen, that student will never get a score! My Python looks down the numbers column in the results table and writes the score corresponding to that number!

My students still use an ‘unsafe’ login, using their student number, but then, it is only homework, not bank accounts. (I’ll change the login system for next term.) They login with their student number and write their student number on each homework. Just like my mobile phone, every 72 hours it requires me to enter my password instead of my fingerprint. I remember my password!

The students have a vested interest in writing the correct student number: their score!

" Is a student allowed to submit work for another student?"

Theoretically not, but if you give me your login and password for your bank, I can login, transfer your millions to me! The bank won’t know it is not you! I don’t think that can be controlled.

For me, with my limited computing skills, I still think a simple javascript can check whether student number is filled in before sending. I’ll work on that.

Unless you know a better way to check that!

#7

OMG! Anyone has this problem, this fixes it.

That was much easier than I thought: just add

required=“required”

in the input:

<label for="sn"> Please enter your student number here: <input TYPE="phone" pattern="\d{10}" NAME="sn" maxlength="10" size="10" required="required"> </label><br>

#8

Yeah, if they use YOUR form. Nothing says a request has to come from your form, let alone your site. NEVER trust user input.

#9

Thanks for your reply! That’s very interesting!

My very primitive webpages are all forms, with multi-choice radio buttons, checkboxes, textboxes, even whole textareas.

Even the login form is a form.

Sometimes I ask students to upload a short sound file or an essay.

Could you give me an example of something nasty you could put in my form to make my webhost meltdown, or when I fetch the answers text files, could crash my Linux laptop?

The only thing I’ve had so far is some bot finding my contact page and offering to help me deal with credit card payments on my webpage.

Sponsor our Newsletter | Privacy Policy | Terms of Service