View Issue Details

ID: 02982
Project: User patches
Category: Tokens
View Status: public
Last Update: 2013-02-04 18:33
Reporter: janokary
Assigned To:
Status: confirmed
Resolution: open
Product Version: 1.85
Target Version:
Fixed in Version:
Summary: 02982: Create token on the fly and Edit completed survey

When having a closed token survey,
you can create a token on the fly by giving sid and token as parameters.
In addition, if someone has already completed a survey, he can review his answers and correct them.

Just put this script in LimeSurvey's root directory.


  1. Anonymous answers? No (This survey is NOT anonymous.)
  2. Enable Token-based answers persistence? Yes
  3. Switch to closed-access mode

Additional Information


Survey id = 98761 your survey's id
token=12345 a token (any token actually)

  1. The first time, the token will be created and you will be redirected to answer the survey.
  2. If you won't complete the survey and call the script with the same parameters, you will be redirected to the same case in order to finish the survey.
  3. If you finish the survey and call the script with the same parameters, you will see the survey restart with your previous answers prefilled so you can change them.
  4. Back to 3

This is valid for all surveys in the installation, but you can make a filter so it won't be valid for every survey.

Tags: No tags attached.
Complete LimeSurvey version number (& build)



2009-07-10 10:32


If a token has a hyphen (-) in it, the token is created fine but the survey reports that the token is invalid or has already been used.



2009-07-31 15:09

reporter   ~09000

Last edited: 2010-03-13 16:22


@comclusive I will look into your issue.
Meanwhile, use only Latin characters.



2009-11-14 05:36

reporter   ~10090

The following edit to newtoken.php re-enables the ability to prepopulate answers from the URL:


// get variables from address bar
if (isset($_GET['sid'])) { $sid = $_GET['sid']; }
if (isset($_GET['token'])) { $token = $_GET['token']; }
if (isset($_GET['n1'])) { $n1 = urldecode($_GET['n1']); }
if (isset($_GET['n2'])) { $n2 = urldecode($_GET['n2']); }

// short things are better
$tokentable = $dbprefix."tokens_".$sid;
$location = $rooturl.'?sid='.$sid.'?=gr&newtest=Y&token='.$token.'&66666X31X97='.$n1.'&66666X31X98='.$n2.'&66666X31X99='.$token;

url e.g.: newtoken.php?sid=66666&token=$invoiceid&n1=$n1&n2=$n2;

Obviously edit to match your SGQA identifiers

Hope this helps!



2010-02-24 12:51

developer   ~11164

I have an issue. First, everything works fine. Only one thing: if you have a token-based survey with different groups (display: group by group) and you stop completing the survey in one group (after pressing next) (Pos. Group2).
In this case, if you log in again to complete it, you will be thrown to the previous group -> Group1. No big thing, but maybe it could be solved.
My survey looks, simplified, like this:
-Q1 Singlechoice
-Q2 Boilerplate/Information
-Q3 Singlechoice



2010-03-13 16:24

administrator   ~11324

This patch won't be incorporated to core because of security implications.
Keeping it as a workaround though.



2010-05-19 21:21

reporter   ~11878

This is going to help us out a lot, thanks!

I haven't looked into the limesurvey code yet, but I'm curious what the ?=gr is for on the url it's passing?

Also, we need to prepopulate answers, so kmm2908's code will help. But if you have several different surveys, you would need a different newtoken.php for each survey since the questions are hardcoded. I modified it using this code to work for multiple surveys:

// get variables from address bar
if (isset($_GET['sid'])) { $sid = $_GET['sid']; }
if (isset($_GET['myname'])) { $myname=urldecode($_GET['myname']); }
if (isset($_GET['token'])) { $token = $_GET['token']; }

// get answers passed through
$prefill = '';   // default when no answers are passed
if (isset($_GET['params'])) {
    $parmlist = explode("&params", $_SERVER["QUERY_STRING"]);
    $prefill = $parmlist[1];
}

// short things are better
$tokentable = $dbprefix."tokens_".$sid;

$location = $rooturl.'?sid='.$sid.'&newtest=Y&token='.$token.$prefill;

In this case you would just pass "&params" on the URL before passing the answers, since that is used to separate the query string and get the answers. Might not be the cleanest solution, but I thought it might help someone else.


2010-12-29 09:47


Last edited: 2010-12-29 09:47


It works only with a MySQL database.

Can you make it more generic?



2011-03-10 19:55

reporter   ~14393

Thanks so much for the script!
There is a small bug in the location construction. $rooturl has no trailing slash. Thus you have to use:
$location = $rooturl.'/?sid='.$sid.'&newtest=Y&token='.$token;
and not
$location = $rooturl.'?sid='.$sid.'&newtest=Y&token='.$token;

And, I think one doesn't need the "?=gr" in location at all, it looks like an editing typo. I removed it and haven't seen an ill effect.



2011-03-10 21:09

reporter   ~14394

code for passing passthru variable:

if (isset($_GET['passthru'])) { $passthru = "&passthru=$_GET[passthru]&$_GET[passthru]=".$_GET[$_GET['passthru']]; }

$location = $rooturl.'/?sid='.$sid.'&newtest=Y&token='."$token$passthru";



2011-03-10 21:10

reporter   ~14395

nice thanks


2011-04-08 11:58


Thanks for this patch,
I have a few questions; my apologies if they seem dumb:

  • Is the file newtoken.7z (1,503 bytes) 2009-07-31 15:07 the last available version?
  • Why are we retrieving these variables: $loadname, $loadpass, $scid, $move, $clienttoken? Are they needed?
  • Why are we not sanitizing the variables $sid and $token before sending them in an SQL statement (protection against SQL injections)?

Thanks again for this code and for any answer that might help me
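
An added example (not the attached newtoken.php and not LimeSurvey code) of the input handling the question above asks about: both parameters are checked against an allow-list and rejected otherwise, the token is bound through a prepared statement, and the redirect query is built with http_build_query. The `token` column, the `lime_` prefix, the token alphabet and the helper names are assumptions made for illustration.

```php
<?php
// Added example; table layout and token alphabet are assumptions.
function valid_sid($raw): ?int {
    // $sid ends up in the table name, which cannot be bound as a
    // statement parameter, so accept plain digits only.
    return (is_string($raw) && preg_match('/^[1-9][0-9]{0,9}\z/', $raw))
        ? (int) $raw : null;
}

function valid_token($raw): ?string {
    // Assumed alphabet: ASCII letters and digits. Reject, never strip.
    return (is_string($raw) && preg_match('/^[A-Za-z0-9]{1,36}\z/', $raw))
        ? $raw : null;
}

function ensure_token(PDO $db, string $dbprefix, int $sid, string $token): bool {
    $table = $dbprefix . 'tokens_' . $sid;   // $sid is an int by now
    $sel = $db->prepare("SELECT COUNT(*) FROM $table WHERE token = ?");
    $sel->execute([$token]);
    if ((int) $sel->fetchColumn() > 0) {
        return false;                        // token already exists
    }
    $db->prepare("INSERT INTO $table (token) VALUES (?)")->execute([$token]);
    return true;
}

function survey_location(string $rooturl, int $sid, string $token): string {
    $query = http_build_query(['sid' => $sid, 'newtest' => 'Y', 'token' => $token]);
    return rtrim($rooturl, '/') . '/?' . $query;
}

// Constructed demo: in-memory SQLite stands in for the survey database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE lime_tokens_98761 (token TEXT PRIMARY KEY)');

$requests = [                                // constructed $_GET arrays
    ['sid' => '98761', 'token' => '12345'],
    ['sid' => '98761', 'token' => "12345'"],
    ['sid' => '98761abc', 'token' => '12345'],
    ['sid' => '98761', 'token' => 'ab-cd'],
];
foreach ($requests as $get) {
    $sid = valid_sid($get['sid'] ?? null);
    $token = valid_token($get['token'] ?? null);
    if ($sid === null || $token === null) { echo "rejected\n"; continue; }
    ensure_token($db, 'lime_', $sid, $token);
    echo survey_location('http://survey.example', $sid, $token), "\n";
}
```

Rejecting a token outright, rather than creating it and letting the survey refuse it later, also avoids the mismatch reported earlier in the thread for tokens containing a hyphen.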



2011-12-19 11:11


newtoken.php.7z (1,891 bytes)


2011-12-19 11:17

reporter   ~16753

Hi all.
I did some modifications for security reasons since I want to use this for internet and not intranet like I did before.
So, what I do is that I now check that the token that will be created is a "valid one", by doing some password checks.
Please check it out and tell me your opinion.



2012-02-28 16:56

reporter   ~17679

I'm currently running 1.91 (Build 12416) and want to download this patch, but it doesn't seem to be working for us. I'm sure it's user error, but I'm trying to pinpoint exactly where the error is! We've saved the newest version of newtoken.php file in the root directory and modified the 'dirname(__FILE__)' in newtoken.php to point to the root directory. Is that the only change needed in this file? Is modification to any other files necessary? I've already followed all the survey pre-requisites of not having anonymous answers, enabling token-based answers persistence, and switching to closed-access mode.

Also, I assume that we are able to use the original url that contains ‘index.php’ and not a url that contains ‘newtoken.php’, is that correct? I see comments about a url with ‘newtoken.php’, but I think that this is what the patch will create and direct participants to after they click on the original url?

Issue History

Date Modified Username Field Change
2009-03-20 14:59 janokary New Issue
2009-03-20 14:59 janokary File Added:
2009-03-20 15:25 user372 Status new => acknowledged
2009-07-10 10:32 user4164 Note Added: 08816
2009-07-31 15:07 janokary File Added: newtoken.7z
2009-07-31 15:09 janokary Note Added: 09000
2009-11-14 05:36 kmm2908 Note Added: 10090
2010-02-24 12:51 ResearchOnBlogs Note Added: 11164
2010-03-13 16:19 c_schmitz File Deleted:
2010-03-13 16:21 c_schmitz Severity feature => trivial
2010-03-13 16:21 c_schmitz Product Version 1.80 => 1.85
2010-03-13 16:22 c_schmitz Note Edited: 09000 View Revisions
2010-03-13 16:24 c_schmitz Note Added: 11324
2010-03-13 16:24 c_schmitz Status acknowledged => confirmed
2010-05-19 21:21 Spydre13 Note Added: 11878
2010-12-29 09:47 user11332 Note Added: 13833
2010-12-29 09:47 user11332 Note Edited: 13833 View Revisions
2011-03-10 19:55 bolero Note Added: 14393
2011-03-10 21:09 bolero Note Added: 14394
2011-03-10 21:10 janokary Note Added: 14395
2011-04-08 11:58 user6308 Note Added: 14736
2011-12-19 11:11 janokary File Added: newtoken.php.7z
2011-12-19 11:17 janokary Note Added: 16753
2012-02-28 16:27 c_schmitz File Deleted: newtoken.7z
2012-02-28 16:56 JHN Note Added: 17679