
I have a form where 2 users can transfer funds to each other.

Here is my code

    // Values straight from the form; PHP array keys must be quoted strings
    $accountfrom = $_POST['accountfrom'];
    $accountto   = $_POST['accountto'];
    $amount      = $_POST['amount'];

    // Debit one account and credit the other in a single UPDATE.
    // Note the form values are interpolated into the SQL unescaped (see the comments below).
    $result = mysql_query("UPDATE member
        SET balance = IF(personID = $accountfrom, balance-$amount, balance+$amount)
        WHERE personID IN ($accountfrom, $accountto)")
        or die(mysql_error());

However, if the user only has a balance of £10, this allows them to still transfer more than they have available. Is there a way to stop this?

(the balance is stored in field named balance)

  • Using `MySQL_` instead of `MySQLi_` / PDO or prepared statements, now there's a LETHAL [injection](http://stackoverflow.com/q/60174/1415724) just waiting to happen and NO funds left in the poor working man's bank account, or woman's. Give me the URL so I WON'T sign up for this service. – Funk Forty Niner Nov 09 '13 at 18:18

1 Answer


You need to query for available funds first. Then you check against the required funds and decide to update or not.

ApplePie
  • Do a SELECT on the table with a constraint on user account. – ApplePie Nov 09 '13 at 18:20
  • Voted to close. At this point what you need is an SQL tutorial. I'm not going to spoon feed you with code if you don't even know how to do a basic SELECT. – ApplePie Nov 09 '13 at 18:48
  • Not worth the effort for something like this. Way too much research in order to be done properly. The OP doesn't know what he/she is getting himself/herself into, as well as the (most likely) danger/risk is putting potential users. ***"Scary"*** – (j'en branle déjà dans mes culottes) @AlexandreP.Levasseur – Funk Forty Niner Nov 09 '13 at 18:59
  • @AlexandreP.Levasseur Can you explain further? See edited question – Shane Nov 10 '13 at 15:54
  • @Shane I don't see an edit so it was probably rejected. As I said I am not helping the community if I spoon feed you the answer. If you do not know how to perform a SELECT query then I suggest that you look for such a tutorial on the web. There are hundreds of them. You want to learn about the WHERE clause and then you should be ready to go. As a side note, as was already mentioned your project is looking very scary on the security side if you are not doing this as an educational project that is not going to be live. It can be easily exploited by any PHP / SQL amateur. – ApplePie Nov 10 '13 at 17:04
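The check the answer describes (verify available funds, then update), as an added example that is not from the question or the answer: the funds test is folded into the debit UPDATE's WHERE clause inside one transaction, so it cannot be raced, and every form value is bound as a parameter, which also closes the injection the comments point out. It assumes the `member(personID, balance)` table from the question and uses Python's sqlite3 as a stand-in for MySQL.

```python
import sqlite3

# Constructed stand-in for the question's MySQL `member` table (personID, balance).
# sqlite3 is assumed here so the example runs offline; the SQL is plain enough for MySQL.
SEED_ROWS = [(1, 10), (2, 0)]  # person 1 holds 10, person 2 holds 0 (constructed data)


def open_db():
    # isolation_level=None: no implicit transactions, we issue BEGIN/COMMIT ourselves
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE member (personID INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.executemany("INSERT INTO member VALUES (?, ?)", SEED_ROWS)
    return conn


def balance(conn, person_id):
    row = conn.execute("SELECT balance FROM member WHERE personID = ?", (person_id,)).fetchone()
    return None if row is None else row[0]


def transfer(conn, account_from, account_to, amount):
    """Move `amount` from account_from to account_to.
    Returns True on success, False when the payer lacks funds or either account
    is unknown. The funds check is part of the debit UPDATE's WHERE clause and the
    whole thing runs in one transaction, so a concurrent transfer cannot spend
    the same balance between a separate SELECT and the UPDATE.
    """
    if amount <= 0 or account_from == account_to:
        raise ValueError("amount must be positive and accounts must differ")
    # BEGIN IMMEDIATE takes the write lock now (MySQL: START TRANSACTION, same UPDATE).
    conn.execute("BEGIN IMMEDIATE")
    try:
        debited = conn.execute(
            "UPDATE member SET balance = balance - ? WHERE personID = ? AND balance >= ?",
            (amount, account_from, amount),
        ).rowcount
        credited = 0
        if debited == 1:
            credited = conn.execute(
                "UPDATE member SET balance = balance + ? WHERE personID = ?",
                (amount, account_to),
            ).rowcount
        if debited == 1 and credited == 1:
            conn.execute("COMMIT")
            return True
        conn.execute("ROLLBACK")  # insufficient funds or unknown payee: undo the debit
        return False
    except Exception:
        if conn.in_transaction:
            conn.execute("ROLLBACK")
        raise
```

Running `transfer(open_db(), 1, 2, 11)` with person 1 holding 10 returns False and leaves both balances untouched, which is the behaviour the question asks for.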