Mysql Query在特定情况下不起作用

Question

Have a table with two columns 'ques' and 'ans'. After comparing through this query I calculate the number of rows fetched by mysql_nuum_rows($result). I am getting error in certain cases like if I am choosing same option (last option in each case ie D of radio button) for all questions. The rest is working perfectly.

What am I doing wrong?

//  (Values are coming from html form consisting of 4 sets of 4 radio buttons)
$q1=$_POST['q1'];
$q2=$_POST['q2'];
$q3=$_POST['q3'];
$q4=$_POST['q4'];
$result = mysql_query("SELECT * FROM Test  
               WHERE (ques='q1' AND ans='$q1') 
               OR (ques='q2' AND ans='$q2') 
               OR (ques='q3' AND ans='$q3') 
               OR (ques='q4' AND ans='$q4')");

Expected Output:
You got 3 right answers out of 4 (3 comes from mysql_num_rows() )

Error Coming:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'q2' AND ans='4') OR (ques='q3' AND ans='4') OR (ques='q4' AND ans='4')' at line 1

Answer 1

What you are doing wrong:

a) you're not using prepared statements. That means that user-supplied input will end up in your SQL statement, exposing you to unforseen risks (SQL injection). This might also be the cause for the SQL error. You could either assign the SQL statement to a variable and dump it somewhere so you can see what you actually are trying to do. Or (better) you could use prepared statements.

b) the SQL statement looks like you have a problem if your form will be extended to 25 questions plus answers. If not - why are you using an SQL back end for this?