
My site works like this: a user has a balance stored in a database under a column named currency. He earns currency, then after earning enough he goes to another page to get accounts in exchange for this currency. I set up everything, but something has been bugging me for an hour. If a user has enough currency and retrieves an account, he can refresh and retrieve another account, and even though he doesn't have enough currency my system is still giving him an account on Firefox but not on Chrome (those are the browsers I have tested so far). I'm handling this with sessions, AJAX and PHP to handle the delivery, and here is the code: 1. In the file below I check how much currency the user has and assign an ability session value which will then be checked when retrieving the accounts. A user can get an account for a currency amount of 250, 1000 or 2500, and I am checking how much currency he can spend on an account:

<?php
session_start();

// Recompute the tier on every page load; the value is cached in the session for the jQuery code.
unset($_SESSION["ability"]);
$unames = $_SESSION['username'];
$link = mysql_connect("localhost", "database-username", "database-password");
mysql_select_db("database-name", $link);
$currencyquery = mysql_query("SELECT currency FROM users WHERE username = '$unames'", $link);
$currencyamount = 0;   // default if no row comes back for the user
while ($row = mysql_fetch_array($currencyquery)) {
    $currencyamount = $row['currency'];
}
// Tier thresholds: 250, 1000 and 2500 currencies.
if ($currencyamount < 250) {
    $_SESSION["ability"] = 'zero';
} elseif ($currencyamount < 1000) {
    $_SESSION["ability"] = 'one';
} elseif ($currencyamount < 2500) {
    $_SESSION["ability"] = 'two';
} else {
    $_SESSION["ability"] = 'three';
}
// The echoed value is what the jQuery $.ajax call reads as the ability.
echo $_SESSION["ability"];
?>

I then have the jQuery file listening to this PHP file for its echo, which, if the user has an ability of 1, allows him to get an account for 250 currencies; if he has an ability of 2, for 1000 currencies; if he has an ability of 3, for 2500 currencies. If he has ability 0, he won't get any account if he tries. It alerts him to refresh if he tries to get two accounts or more without refreshing (I did this because I wanted to unset the session when the page loads again and then set it, because the abilities may change). The script also deletes each account the user got from the database.

$(document).ready(function () {
    var ability = 'zero';   // tier echoed by ability.php: 'zero', 'one', 'two' or 'three'
    var click = 0;          // accounts taken since the last page load

    // Ask ability.php which tier the user can afford; until it answers, 'zero' is assumed.
    $.ajax({url: "ability.php"}).done(function (html) {
        ability = html;
    });

    // Request one account of the given tier and display it. The server-side select
    // script debits the balance without re-checking it, which is the behaviour asked about.
    function show_account(selectUrl) {
        $.ajax({
            type: "POST",
            url: selectUrl,
            data: {action: "showroom"},
            success: function (data) {
                $('#accountinfo').html(data);
            }
        });
    }

    // Remove the delivered account from the database (id read from the button's data-id3 attribute).
    function delete_account(deleteUrl, id) {
        $.ajax({
            url: deleteUrl,
            method: "POST",
            data: {id: id},
            dataType: "text"
        });
    }

    // Wire one button: allowed() decides from the cached ability whether this tier is affordable.
    function bind_button(selector, allowed, selectUrl, deleteUrl) {
        $(selector).click(function () {
            if (click != 0) {
                alert('Refresh the page');
            } else if (!allowed()) {
                alert("You don't have the required amount of currencies.");
            } else {
                var id = $(this).data("id3");
                show_account(selectUrl);
                delete_account(deleteUrl, id);
                click = click + 1;
            }
        });
    }

    bind_button('#currency250',  function () { return ability != 'zero'; }, "select1.php", "delete1.php");
    bind_button('#currency1000', function () { return ability != 'zero' && ability != 'one'; }, "select2.php", "delete2.php");
    bind_button('#currency2500', function () { return ability == 'three'; }, "select3.php", "delete3.php");
});

Here is the PHP file that delivers the 250-currency account to the user; there are also ones that are the same for 1000 and 2500 with just the value 250 changed. It runs when it is called by the jQuery:

<?php
session_start();
$link = mysqli_connect('localhost', 'database-username', 'database-password', 'database');
$action = $_POST["action"];
if ($action == "showroom") {
    // Hand out the first stored account. The balance is not checked here,
    // so a repeated request is served even when it drives the balance negative.
    $query = "SELECT * FROM tablename LIMIT 1";
    $show = mysqli_query($link, $query) or die("Error");
    echo "<p id='paragraph' style='font-size:22px;font-weight: bold;'>Here is your 250 currencies account:</p>";
    echo "<table style='position:relative;bottom:30px;' border='2px'><tr><td>Email</td><td>id</td></tr>";
    while ($row = mysqli_fetch_array($show)) {
        echo "<tr><td>" . $row['email'] . "</td><td>" . $row['id'] . "</td></tr>";
    }
    echo "</table>";
    // Debit the price after the account has already been shown.
    $unames = $_SESSION['username'];
    $query2 = "UPDATE users SET currency=currency-250 WHERE username='$unames'";
    $update = mysqli_query($link, $query2);
    // Re-read the new balance over a second (old mysql_*) connection and cache it in the session.
    $link2 = mysql_connect("localhost", "database-username", "database-password");
    mysql_select_db("database", $link2);
    $currencyquery = mysql_query("SELECT currency FROM users WHERE username = '$unames'", $link2);
    $currencyvalue = 0;
    while ($row = mysql_fetch_array($currencyquery)) {
        $currencyvalue = $row['currency'];
    }
    unset($_SESSION['currencynumber']);
    $_SESSION["currencynumber"] = strval($currencyvalue);
}
?>

Then the page which users get to (only a part of it):

<?php
session_start();
if (!isset($_SESSION['username'])) {
    header("Location: login.html");
    exit;   // stop rendering the page for anonymous visitors
}
?>
<div id="accountinfo"></div>
<input type="button" id="currency2500" value="Get 2500 currencies" />
<input type="button" id="currency1000" value="Get 1000 currencies" />
<input type="button" id="currency250" value="Get 250 currencies" />

So: if using Firefox, I can refresh 2-4 times until I can't get accounts anymore, and my balance will be negative after getting those accounts. Maybe there is a way that if the balance would go negative the operation is cancelled and nothing is shown to the user? Or how can it be solved? I am using sessions to track this.

Jake A
  • I am wondering, while asking this question, about the roles of the last few lines in the third file I gave. I will try to remove them and test the site. – Jake A Jun 10 '16 at 16:32
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 10 '16 at 16:40
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 10 '16 at 16:40
  • The only thing the user can input is when he registers, which is his username, and I have a strict filter for the username which doesn't allow anything other than letters and numbers, so I don't see how he can do SQL injection? – Jake A Jun 10 '16 at 16:42
  • Strict filters do not stop SQL injection. – Jay Blanchard Jun 10 '16 at 16:43
  • OK Jay Blanchard, I will follow your advice. My top priority right now is solving this problem; then I can work on other things. I am thinking of clearing all sessions at the end of the select.php execution, so that after the user got his account, if he tries to refresh he will be asked to log in; then I hope everything like sessions will be updated, and since with jQuery I am not letting users get more than one account without going back to the page (the click variable condition), I think this would be enough. – Jake A Jun 10 '16 at 16:48
  • Clearing sessions did not work. I still have to refresh Firefox multiple times for it to log me out..! What do I do while waiting for an answer? – Jake A Jun 10 '16 at 17:12
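A server-side version of select1.php that addresses the problem the question describes, as an added example and not the asker's code: the balance check and the debit happen in one conditional UPDATE inside a transaction, so a refreshed or concurrent request that cannot afford the account gets nothing instead of driving the balance negative, and the client's cached ability value is never trusted. It also uses mysqli prepared statements, as the comments recommend. It assumes the asker's names (users.currency, the accounts table `tablename` with id and email), InnoDB tables and PHP 7.1 or later.

```php
<?php
// Added example, not the asker's code. Assumes the asker's schema: users(username, currency),
// an accounts table `tablename`(id, email) on InnoDB, and a logged-in $_SESSION['username'].
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // make mysqli failures throw
// Hand out one account of the given price, or return null if the user cannot afford it.
function deliver_account(mysqli $link, string $username, int $price): ?array
{
    mysqli_begin_transaction($link);
    try {
        // Check and debit in ONE statement: the WHERE clause refuses the debit when the
        // balance is too low, so two overlapping requests cannot both drain one balance.
        $debit = mysqli_prepare($link, "UPDATE users SET currency = currency - ? WHERE username = ? AND currency >= ?");
        mysqli_stmt_bind_param($debit, "isi", $price, $username, $price);
        mysqli_stmt_execute($debit);
        if (mysqli_stmt_affected_rows($debit) !== 1) {
            mysqli_rollback($link);
            return null;                 // insufficient balance (or unknown user)
        }
        // Claim the first account and delete it inside the same transaction, so a
        // concurrent request cannot be handed the same row.
        $pick = mysqli_query($link, "SELECT id, email FROM tablename ORDER BY id LIMIT 1 FOR UPDATE");
        $account = mysqli_fetch_assoc($pick);
        if ($account === null) {
            mysqli_rollback($link);      // nothing left to give: the debit is undone too
            return null;
        }
        $id = (int)$account['id'];
        $del = mysqli_prepare($link, "DELETE FROM tablename WHERE id = ?");
        mysqli_stmt_bind_param($del, "i", $id);
        mysqli_stmt_execute($del);
        mysqli_commit($link);
        return $account;
    } catch (Throwable $e) {
        mysqli_rollback($link);
        throw $e;
    }
}
// Server-side gate: the client's cached 'ability' value is never consulted here.
if (!isset($_SESSION['username']) || ($_POST['action'] ?? '') !== 'showroom') {
    http_response_code(403);
    exit;
}
$link = mysqli_connect('localhost', 'database-username', 'database-password', 'database');
$account = deliver_account($link, $_SESSION['username'], 250);
if ($account === null) {
    echo "<p>You don't have the required amount of currencies.</p>";
} else {
    echo "<p>Here is your 250 currencies account: " . htmlspecialchars($account['email']) . "</p>";
}
```

With the debit and the check in one statement, the jQuery `click` counter and the session `ability` value become pure UI conveniences; the database row is the only thing that decides whether an account is handed out.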

0 Answers