Jump to content

can't figure out why this not working


desjardins2010

Recommended Posts

hello all, i can't get this to work; i'm able to echo both accts entered into the form via the _get but can't pull both balances using the $from_acct and $to_acct only the first query working do I have it formated wrong

 

<?php
//check for submit
$submit = $_GET['submit'];
//end looking for submit

//set varibles if submit is present
if (!$submit) {
echo "Sorry Mate I don't see you have submitted anything for me to process";
}
else {
//make the connecting and set some varibles from _get
$from_acct = $_GET['from_acct'];
$to_acct = $_GET['to_acct'];
$amount = $_GET['amount'];



$connect = mysql_connect("localhost","root","") or die (mysql_error());
mysql_select_db('users') or die ("no such database exisit");

$query = mysql_query("SELECT * from members WHERE bankaccount=$from_acct") or die ("Could not locate to account");
$query2 = mysql_query("SELECT * from members WHERE bankaccount=$to_acct") or die ("Could not locate to account");

while ($result = mysql_fetch_assoc($query) && $result2 = mysql_fetch_assoc($query2))
{
$fromb = $result['balance'];
$tob = $result2['balance'];
}
//make a check to see if the account that is sending has the money to send
if ($fromb<$amount) {
echo "Mate you don't have enough cash to transfer " .$amount. "to this account<br />";
echo "Your Current Balance available for transfer is " .$fromb;

}
else {
$newbalancefrom = $fromb - $amount;
$newbalanceto = $tob + $amount;
//make the transfer
$transfer = mysql_query("UPDATE 'users' . 'members' SET 'balance' = '$newblanceto' WHERE bankaccount='$to_acct'") or die ("could not write to profile");
$transfer2 = mysql_query("UPDATE 'users' . 'members' SET 'balance' = '$newblancefrom' WHERE bankaccount='$from_acct'") or die ("Could Not Write to From Account");

if ($transfer) {
echo "Transfer Complete Thanks!";
}
else {
echo "There was a error in the transfer process please try again";
}
}
}
echo $fromb . "<br />";
echo $tob . "<br />";
echo $from_acct . "<br />";
echo $to_acct . "<br />";
?>
<h2>Peer to Peer Transfer</h2><br><br>
<form action="testtrans.php" method="get">
Amount to Transfer: <input type="text" size="8" name="amount"><br>
From Account: <input type="text" size="15" name="from_acct"> To Account: <input type="text" size="15" name="to_acct" /><br />
<input type="submit" name="submit" value="transfer" />
</form>

Link to comment
Share on other sites

Did you try surrounding your select query items in single quotes? Also, you realize you are completely vulnerable to injection right? You aren't using escape string (which has its own flaws since you're using MySQL, and not prepared statements), whatever the user enters in the $_GET is being entered directly into your query. You could also try regex whitelisting, and only allow certain values or patterns into your GET values.

 

Have a look at http://www.learnphponline.com/security/sql-injection-prevention-mysql-php man, otherwise you're asking for an attack.

Link to comment
Share on other sites

if there should be only one account for an account number, there is no point in using a loop to get the results.

 

$query = mysql_query("SELECT * from members WHERE bankaccount=$from_acct") or die ("Could not locate to account");
$query2 = mysql_query("SELECT * from members WHERE bankaccount=$to_acct") or die ("Could not locate to account");

$result = mysql_fetch_assoc($query);
$result2 = mysql_fetch_assoc($query2);

$fromb = $result['balance'];
$tob = $result2['balance'];

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.