After looking through some sites (eg https://www.owasp.org/index.php/Main_Page) I found no EXPLICIT mention of what hazards the following process would open me up to;
A user answers a multiple choice question. Sending a form with the “answer” as a hidden field.
The .php page takes it (validates it to have less than 100 characters), then takes the Correct Answer from the database. It compares the two (using == comparison operator).
then sends
echo "Wrong! The correct answer is ".$correctAnswer; //a hack presumably will always be wrong!!!
Basically, what damage could there possibly be with letting userinput (up to 100 characters) get stuck into
$playersAnswer = $_POST['checkAnswer'];
and
if ($correctAnswer == $playersAnswer){ ....etc
The advantage for me is that I need not worry about any letters/symbols/characters in the user’s answer being stripped or converted. Therefore I can use questions with full punctuation, foreign languages and even questions about javascript wwithout fear!
If all you do is use the POST variable in a comparison:
there is no danger to this.
The danger begins where you use the variable – in HTML output, in a database query, in an
exec()oreval()command…..