Im trying to allow users to transfer funds between accounts, but my database is not updating with the new numbers as I would like it to even though all the checks seem to be passing. Not sure if i have missed out any information that may be needed to answer the question, if i have i will update the question as soon as with the reinvent information.
Heres my code:
<?php
// If our submit is set...
if (isset($_POST['submit'])) {
// Get the balance for the from user
$fromBalance = $user->data()->money;
// Get the balance for the to user
$toBalance = DB::getInstance()->query("SELECT * FROM users WHERE username = '" . $_POST['touser'] . "'");
$toMoney = $toBalance->results();
$toMoney1 = isset($toMoney['money']);
// Get our new amounts, but don't do anything yet!
$newmoney1 = $toMoney1 + $_POST['amount'];
$newmoney2 = $fromBalance - $_POST['amount'];
// amount
$amount = $_POST['amount'];
// Check to make sure we have a valid amount
if(!($_POST['amount'] || $_POST['amount'] == 0 || $_POST['amount'] == '')) {
// Or error out!
echo '<center>ERROR: Bad amount Specified!</center>';
// Check to make sure we have two valid users
} elseif($user->data()->username == $_POST['touser']) {
// Or error out!
echo '<center>ERROR: Cannot transfer money to yourself!</center>';
// Check to make sure sufficient funds are available
} elseif($newmoney2 < 0) {
// Or error out!
echo '<center>ERROR: Insufficient funds!</center>';
// Check for default user selection...
} elseif($_POST['touser'] === 'null') {
// Or Error Out
echo '<center>ERROR: No username selected!</center>';
// Otherwise we are good...
} else {
// So we call our update functions.
$update = DB::getInstance()->query("UPDATE users SET `money` = '" . $newmoney2 . " WHERE username = '" . $user->data()->username . "'");
$update2 = DB::getInstance()->query("UPDATE users SET `money` = '" . $newmoney1 . " WHERE username = '" . $_POST['touser'] . "'");
// Send a success message
echo '<center>Transfer completed successfully, thank you!</center>';
}
}
?>
And the form is:
<form class="reg-page" role="form" action="" method="post">
<center>
Please note: Transfering funds is done at your own risk, please make sure you transfer the funds to the right person.
<br>
<br>
<div class='row'>
<div class='col-sm-6'>
<label>Transfer $ To<span class='color-red'> *</span></label>
<select name='touser' class='form-control margin-bottom-20'>
<option value="null">Select user:</option>
<?php
$query = DB::getInstance()->query("SELECT username FROM users");
// Loop over all our usernames...
foreach($query->results() as $row) {
if ($row->username != $user->data()->username) {
echo '<option value="' . $row->username . '" >' . $row->username . '</option>';
}
}
?>
</select>
</div>
<div class='col-sm-6'>
<label>Amount $<span class='color-red'> *</span></label>
<input type='number' step="any" name='amount' class='form-control margin-bottom-20'>
</div>
</div>
<button type="submit" class="btn-u" name="submit">Transfer</button>
</center>
Apologies if i have missed any information out that may be needed to help me. If I have i will update the question as soon as possible. Thank you for any help!
You have at least an extra ' in each of the UPDATEs. If should be SET money=".
Note that your implementation is subject to all sorts of concurrency and security issues. You should do SET money = money + ? / SET money = money - ? at the very least, and put at least these two in a transaction block. You should also test the result of the updates, and correctly escape everything you send to your SQL server.
quote in your sql update statements, it's not closed either.$toBalance has a result with "money" field, you're missing something.$toMoney, not $toMoney1 for the new balance, or you'll have some major issues.You may want your code something more like... (Code changes are surrounded by //CHANGE START and //CHANGE END)
<?php
// If our submit is set...
if (isset($_POST['submit'])) {
// Get the balance for the from user
$fromBalance = $user->data()->money;
// Get the balance for the to user
$toBalance = DB::getInstance()->query("SELECT * FROM users WHERE username = '" . $_POST['touser'] . "'");
$toMoney = $toBalance->results();
//CHANGE START
if (!isset($toMoney['money']))
{
echo '<center>ERROR: Target account unavailable!</center>';
exit();
}
// Get our new amounts, but don't do anything yet!
$newmoney1 = $toMoney + $_POST['amount'];
//CHANGE END
$newmoney2 = $fromBalance - $_POST['amount'];
// amount
$amount = $_POST['amount'];
// Check to make sure we have a valid amount
if(!($_POST['amount'] || $_POST['amount'] == 0 || $_POST['amount'] == '')) {
// Or error out!
echo '<center>ERROR: Bad amount Specified!</center>';
// Check to make sure we have two valid users
} elseif($user->data()->username == $_POST['touser']) {
// Or error out!
echo '<center>ERROR: Cannot transfer money to yourself!</center>';
// Check to make sure sufficient funds are available
} elseif($newmoney2 < 0) {
// Or error out!
echo '<center>ERROR: Insufficient funds!</center>';
// Check for default user selection...
} elseif($_POST['touser'] === 'null') {
// Or Error Out
echo '<center>ERROR: No username selected!</center>';
// Otherwise we are good...
} else {
// So we call our update functions.
//CHANGE START
$update = DB::getInstance()->query("UPDATE users SET `money` = " . $newmoney2 . " WHERE username = '" . $user->data()->username . "'");
$update2 = DB::getInstance()->query("UPDATE users SET `money` = " . $newmoney1 . " WHERE username = '" . $_POST['touser'] . "'");
//CHANGE END
// Send a success message
echo '<center>Transfer completed successfully, thank you!</center>';
}
}
?>