I am new to PHP, so please bear with me. I set up XAMPP since I'm working on a project to create a CSRF-vulnerable site. This will simulate a bank transfer that is vulnerable to it. I need to create a PHP page for the transfer. I already have the code mapped out, since it's a nearly ended project. I populated the database and made sure everything was fine in that part. But there seems to be some kind of a problem, as instead of adding the value of the transfer to the receiver, the database gets changed to the exact same value +1 for some reason. And I cannot figure this out.
$target = $_GET['TransferTarget'];
$amount = $_GET['TransferAmount'];
$target_query = "SELECT * FROM accounts acc WHERE (acc.AccountNumber = '$target')";
$target_result = mysqli_query($connection, $target_query);
$target_balance = mysqli_data_seek($target_result, 0);
$target_balance = $target_balance + $amount;
$source_balance = $source_balance - $amount;
$update_target_query = "UPDATE accounts SET accounts.Amount = '$target_balance' WHERE accounts.AccountNumber = '$target'";
$update_source_query = "UPDATE accounts SET accounts.Amount = '$source_balance' WHERE accounts.AccountNumber = '$source_account'";
$update_target_result = mysqli_query($connection, $update_target_query);
$update_source_result = mysqli_query($connection, $update_source_query);
The desired outcome would be, for example, if I transferred 100 dollars to an acc that already had 1000, for it to be 1100. The result I get for the same example is 101 dollars in the end account. So, the target's account gets updated to 101 dollars. I can't seem to understand why this happens.
The mysqli_data_seek only returns true or false, based on whether the operation was a success. The loose nature of PHP lets you add $amount to true, and figures that 100 + true = 101.
Instead of mysqli_data_seek, you probably want to use one of the fetch methods instead.
Inside your code
$target_balance = mysqli_data_seek($target_result, 0);
$target_balance will initialize as true or false because the mysqli_data_seek() method returns true or false, which means 1 and 0 respectively.
That's why you are getting 101 if your transaction amount is 100.
Solution:
$target_details = mysqli_data_seek($target_result, 0);
$target_balance= $target_details['target_balance'];
$source_balance= $target_details['source_balance'];
and then use both variables as you are doing...
Warning: Your code is not protected; it's vulnerable to SQL injection. Read more about how to protect your code.
[Update]
mysqli_data_seek($target_result, 0);
// New line
$target_details = mysqli_fetch_assoc($target_result);
// End new line
$target_balance = $target_details['target_balance'];
$source_balance = $target_details['source_balance'];
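
An added example, not part of the answers above or the asker's project: it shows the boolean coercion behind the 101 result, then a transfer that fetches the row and binds parameters instead of interpolating them into the SQL. It swaps mysqli/MySQL for PDO with an in-memory SQLite database so it runs without XAMPP; the helper names get_balance and transfer and the sample account rows are constructed for illustration.

```php
<?php
// Constructed demo data: in-memory SQLite stands in for the MySQL accounts table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE accounts (AccountNumber TEXT PRIMARY KEY, Amount INTEGER NOT NULL)");
$db->exec("INSERT INTO accounts VALUES ('1001', 5000), ('2002', 1000)");

// The bug from the question: mysqli_data_seek() returns a bool, and PHP coerces true to 1.
$seek_status = true;
var_dump($seek_status + 100);

// Hypothetical helper: fetch one balance with a bound parameter (no string interpolation).
function get_balance(PDO $db, string $account): ?int
{
    $stmt = $db->prepare("SELECT Amount FROM accounts WHERE AccountNumber = ?");
    $stmt->execute([$account]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // row array, or false when nothing matches
    return $row === false ? null : (int) $row['Amount'];
}

// Hypothetical helper: move $amount between accounts inside one transaction.
function transfer(PDO $db, string $source, string $target, int $amount): bool
{
    $db->beginTransaction();
    try {
        $source_balance = get_balance($db, $source);
        $ok = $amount > 0 && $source_balance !== null && $source_balance >= $amount
            && get_balance($db, $target) !== null;
        if ($ok) {
            // Let the database do the arithmetic instead of writing back a PHP-computed value.
            $update = $db->prepare("UPDATE accounts SET Amount = Amount + ? WHERE AccountNumber = ?");
            $update->execute([-$amount, $source]);
            $update->execute([$amount, $target]);
        }
        $ok ? $db->commit() : $db->rollBack();
        return $ok;
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
}

var_dump(transfer($db, '1001', '2002', 100));            // valid transfer
var_dump(get_balance($db, '2002'));                      // target balance afterwards
var_dump(transfer($db, '1001', "2002' OR '1'='1", 100)); // injection string is just an unknown account
var_dump(get_balance($db, '1001'));                      // source balance afterwards
```

Run it with the PHP CLI; it needs the pdo_sqlite extension.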