
Good evening

Please, I have a question I would like to ask here. I am trying to write a program that, when I click transfers, deducts the amount from the balance and updates the MySQL database with the new balance.

My code looks like this

Edit:

```php
<?php
$myotp = $_POST['otp'];
if(OTPPASS==$myotp)
{
    $amt = $POST['amt'];
    require 'config/config.php';
    $con = mysqli_connect($hostname, $user, $pass, $db) or die ('Cannot connect');
    $sql = "select openBal from accInfo where userID ='".$_SESSION['userID']."'";
    $result = mysqli_query($con,$sql);
    $row = mysqli_fetch_array($result);
    $balance = $row['openBal'];
    $account = $row['accountNo'];
    $sql2 = "update accInfo set openBal='".$balance."'-$amt here accountNo='".$account."'";
    mysqli_query($con,$sql2);

    echo "Transfer Complete";
    mysqli_close($con);

    header('Location: success.html');
}else{
        echo ("<SCRIPT LANGUAGE='JavaScript'>
    window.alert('Transaction Failed')
    window.location.href='transfers.php';
    </SCRIPT>");    
}
?>
```

The question is: it doesn't deduct the balance from the database row, $row['openBal']. I need further explanation on this; I searched the internet and couldn't find a good article.

I started thinking maybe it's the way I set up the SQL file.

RealMary
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Mar 06 '17 at 19:06
  • Have you checked your error logs? You're making an assumption the query is working. Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Mar 06 '17 at 19:08
  • Everything about this is extremely concerning. Is this an academic exercise or are you dealing with real-world money? If it's real money you **must** get this code audited by someone who knows about security risks and best practices for writing financial code. – tadman Mar 06 '17 at 19:10
  • Also it's been the case since the early 2000s that capitalizing HTML tags is no longer necessary, nor encouraged. ` – tadman Mar 06 '17 at 19:11
  • Using transactions would be highly recommendable in the context of money transfer. Check the on [transactions](http://php.net/manual/en/mysqli.begin-transaction.php) – Dan Ionescu Mar 06 '17 at 19:12
  • @tadman, sorry, this is just an exercise, nothing more – RealMary Mar 06 '17 at 19:17
  • Sorry about being so harsh, but code like this has a way of getting deployed and then later [bad things happen](http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/) to lots of users. I'd still strongly recommend you abandon this approach until you've studied *at least* half a dozen e-commerce systems to see how they implement this internally. [Magento](http://magento.com) is a good example to start with, but there are dozens of others of varying quality that can be educational to pick apart and understand. They're open source so you can see exactly how they do it. – tadman Mar 06 '17 at 19:18
  • You don't have to be an expert to write code like this, but you do need to have learned from some reputable examples. There's a multitude of apocalyptically bad tutorials out there causing harm that are best avoided. Look at production code that's been audited, or at least community reviewed. There's no one way to do this, but there are a few ways that have been proven to work in practice. – tadman Mar 06 '17 at 19:20
  • The land-mine you stepped on here is called a [race condition](https://en.wikipedia.org/wiki/Race_condition) where overlapping transactions will corrupt your data and lead to money leaking from your system. This is a dangerously common mistake and actually led to the downfall of several Bitcoin exchanges, so don't feel bad about tripping up on it. I'm just using that to illustrate how difficult this code is to get right; there's lots of hazards like that. – tadman Mar 06 '17 at 19:22
  • @tadman I am starting out and hence I wanted to learn before I proceed to code major e-commerce systems. I am coming from a C/C++ and a Pascal perspective and I have not much knowledge of PHP; that's why I am asking what I am asking on here – RealMary Mar 06 '17 at 19:24
  • Like someone said, transactions; I guess I am getting something from there – RealMary Mar 06 '17 at 19:25
  • Whenever possible, write atomic adjustments: `UPDATE x SET y=y-z WHERE y>z` for example. That will fail on a deduction that's too large. Transactions are also an important part to prevent race conditions, but used incorrectly you can end up with deadlocks. These are choppy waters to navigate. Be careful, look at as many examples as you can manage, and test, test, and test some more. It's not impossible, it's just really demanding code to write. – tadman Mar 06 '17 at 19:31
  • I have updated my source now; don't know if I got it correctly. – RealMary Mar 06 '17 at 19:38
  • You have `here` instead of `where` in your update sql. – J.D. Pace Mar 06 '17 at 19:55
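The comments above raise three separate problems with the posted code: string-concatenated SQL (injection), a SELECT-then-UPDATE balance check that two concurrent requests can both pass (race condition), and queries whose failures are never reported. The following is an added example written for this page, not the asker's code and not from any commenter; it shows one way to do the deduction as a single parameterised, atomic UPDATE inside a mysqli transaction. It keeps the question's table and column names (`accInfo`, `openBal`, `userID`), the `OTPPASS` constant and the `config/config.php` variables; the function name `deductBalance` and the amount format check are assumptions of the example.

```php
<?php
// Added example (not the asker's code): atomic, parameterised balance
// deduction with mysqli. Table/column names follow the question.
declare(strict_types=1);

/**
 * Deducts $amt from the openBal of the account owned by $userId.
 * Returns true when exactly one row was debited; false (with nothing
 * changed) when the amount is invalid, the balance is too low, or the
 * user has no account row.
 */
function deductBalance(mysqli $con, string $userId, string $amt): bool
{
    // Validate the amount before it reaches SQL: positive, at most two decimals.
    // (Assumed format check; adjust to the column's DECIMAL scale.)
    if (!preg_match('/^\d{1,12}(\.\d{1,2})?$/', $amt) || (float) $amt <= 0) {
        return false;
    }

    $con->begin_transaction();
    try {
        // The balance check and the deduction are ONE statement, so two
        // overlapping transfers cannot both pass a stale SELECT-based check.
        // Values are bound, never concatenated, so user input cannot alter the SQL.
        $stmt = $con->prepare(
            'UPDATE accInfo SET openBal = openBal - ? WHERE userID = ? AND openBal >= ?'
        );
        // Bound as strings: MySQL converts them to the column's DECIMAL type
        // without the rounding a PHP float cast could introduce.
        $stmt->bind_param('sss', $amt, $userId, $amt);
        $stmt->execute();
        $debited = ($stmt->affected_rows === 1);
        $stmt->close();

        if (!$debited) {
            // Unknown user or insufficient funds: the WHERE matched nothing.
            $con->rollback();
            return false;
        }
        $con->commit();
        return true;
    } catch (mysqli_sql_exception $e) {
        $con->rollback();
        throw $e;  // let the caller/log see the real database error
    }
}

// Usage, assuming config/config.php defines $hostname, $user, $pass and $db
// as in the question, and OTPPASS is the expected one-time code.
session_start();
// Make mysqli throw on errors instead of failing silently (the "check your
// error logs" point from the comments).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
require 'config/config.php';
$con = new mysqli($hostname, $user, $pass, $db);

$ok = false;
if (isset($_POST['otp'], $_POST['amt'], $_SESSION['userID'])
    && hash_equals((string) OTPPASS, (string) $_POST['otp'])) {  // constant-time compare
    $ok = deductBalance($con, (string) $_SESSION['userID'], (string) $_POST['amt']);
}
$con->close();

// Redirect only; any echo before header() would send the response body
// first and make the Location header fail with "headers already sent".
header('Location: ' . ($ok ? 'success.html' : 'transfers.php'));
exit;
```

Two design points worth noting: `affected_rows` is the only success signal needed, because the `openBal >= ?` condition turns "insufficient funds" into a zero-row update rather than a negative balance; and with `mysqli_report(MYSQLI_REPORT_STRICT)` a typo such as `here` for `where` surfaces as a thrown `mysqli_sql_exception` instead of a query that silently does nothing.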

0 Answers