
I'm very confused right now. In the last days the same code worked normally, yet now this error appears:

Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '00-0.006 WHERE usersUID = 'test'' at line 1 in

The session was set in the login as the name, and it would also work to just output the UID.

Thanks

```php
$QT        = $_GET['number'];
$url       = $_GET['url'];
$serviceid = $_GET['serviceid'];
$lastprice = $_GET['price'];

$converted_price = sprintf('%.8f', floatval($lastprice));

$devidedamount  = $converted_price * $QT;
$currentcredits = $_SESSION['credits'];

$v = (float)$currentcredits - (float)$devidedamount;

if ($currentcredits < $devidedamount) {
    header("location: ../newOrder.php?error=nobalance");
    exit; // stop the script after the redirect
} else {
    $sqldevidecredits = "UPDATE users SET credits= ? WHERE usersUID = ? ";

    // prepared statement: the two "?" placeholders are bound below
    $devidestm = mysqli_stmt_init($conn);
    mysqli_stmt_prepare($devidestm, $sqldevidecredits);

    mysqli_stmt_bind_param($devidestm, "ds", $v, $_SESSION['useruid']);

    mysqli_stmt_execute($devidestm);

    // the same template run a second time as a plain query, with the
    // placeholders unbound; the asker later found this duplicate call was the error
    mysqli_query($conn, $sqldevidecredits);
}
```
Theo Meyer
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](https://php.net/manual/en/mysqli-stmt.bind-param.php) to add any data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](https://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or data *of any kind* directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Nov 13 '22 at 00:38
  • Note: The [object-oriented interface to `mysqli`](https://www.php.net/manual/en/mysqli.quickstart.connections.php) is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface where missing a single `i` can cause trouble. Use this style: `$db = new mysqli(…)` and `$db->prepare("…")`. The procedural interface is an artifact from the PHP 4 era and isn't the best option in new code. – tadman Nov 13 '22 at 00:38
  • It's also extremely perplexing why the "current credits" value is stored in the session. That sounds like it will go out of sync extremely quickly. The correct way to attempt this is to do `UPDATE users SET credits=credits-? WHERE credits>=?` by binding the deduction amount. This prevents going negative as well. – tadman Nov 13 '22 at 00:39
  • Your code also allows someone to order a negative number of items and make infinite money. – tadman Nov 13 '22 at 00:40
  • First, thank you for your answer. I have now changed it so: goonlinetools.com/snapshot/code/#9zqldzyguifqt3ck2sfn6 Nevertheless I think it is the same kind of error that appears there @tadman – Theo Meyer Nov 13 '22 at 00:57
  • @tadman now the error is: Uncaught Error: mysqli_stmt object is not fully initialized – Theo Meyer Nov 13 '22 at 00:58
  • It helps if you include your code in the question. – tadman Nov 13 '22 at 00:58
  • @tadman I sent the link... but here also: `$sqldevidecredits = "UPDATE users SET credits= ?-? WHERE usersUID = ? ";; $devidestm = mysqli_stmt_init($conn); mysqli_stmt_bind_param($devidestm, "dds", $currentcredits ,$devidedamount, $_SESSION['useruid']); mysqli_stmt_execute($$devidestm); mysqli_query($conn, $sqldevidecredits); ` – Theo Meyer Nov 13 '22 at 01:03
  • Not sure what's up with all the doubled characters, like `;;` and `$$`, but you're getting on the right track now. I don't see a `prepare()` call though, that should be your first step. – tadman Nov 13 '22 at 01:04
  • @tadman in a not-ugly version: https://goonlinetools.com/snapshot/code/#9zqldzyguifqt3ck2sfn6 – Theo Meyer Nov 13 '22 at 01:04
  • A quick amendment to your question is the best way to add additional context. – tadman Nov 13 '22 at 01:04
  • @tadman what do you mean? – Theo Meyer Nov 13 '22 at 01:06
  • I changed the `;;` and `$$` now but it wasn't a mistake... idk – Theo Meyer Nov 13 '22 at 01:07
  • @tadman I forgot to prepare the stmt and SQL. Now the original error from above comes again – Theo Meyer Nov 13 '22 at 01:14
  • Found the error, I was doing a query and then also the prepared statement. I only needed one :( – Theo Meyer Nov 13 '22 at 03:25
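As an added example (not code from the question or from tadman's comments), here is how the credit deduction could be written so that it avoids every problem raised in the comments above: one prepared statement executed exactly once, the object-oriented `mysqli` interface, input validation that rejects a non-positive quantity, and tadman's single atomic `UPDATE ... SET credits = credits - ? WHERE credits >= ?` instead of a balance cached in the session. The connection parameters, the `deductCredits` function, the `users(usersUID, credits DECIMAL(20,8))` column types and the `badinput` error code are assumptions, not part of the original page.

```php
<?php
declare(strict_types=1);

// Assumed connection details (placeholders, not from the original post).
// Exception mode means a failed prepare/execute throws instead of silently continuing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

session_start();

/**
 * Atomically deduct an order amount from the logged-in user's credits.
 * Returns true when the deduction happened, false when the balance was insufficient.
 * Assumes users(usersUID VARCHAR, credits DECIMAL(20,8)) (assumed schema).
 */
function deductCredits(mysqli $db, string $userUid, string $amount): bool
{
    // The balance is checked and decreased inside one statement, so two
    // concurrent orders cannot both pass a stale PHP-side comparison; the
    // WHERE clause refuses the update (0 affected rows) when it would go negative.
    $stmt = $db->prepare(
        'UPDATE users SET credits = credits - ? WHERE usersUID = ? AND credits >= ?'
    );
    // Bound as strings so the fixed-decimal amount reaches the DECIMAL column
    // without a float round trip; the values never touch the SQL text.
    $stmt->bind_param('sss', $amount, $userUid, $amount);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

// --- input handling -------------------------------------------------------
// Quantity must be an integer >= 1: a zero or negative count is rejected here,
// which closes the "order a negative number of items" hole noted in the comments.
$qty   = filter_input(INPUT_GET, 'number', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$price = filter_input(INPUT_GET, 'price',  FILTER_VALIDATE_FLOAT);

if ($qty === false || $qty === null || $price === false || $price === null || $price < 0) {
    header('Location: ../newOrder.php?error=badinput'); // assumed error code
    exit;
}
if (!isset($_SESSION['useruid'])) {
    header('Location: ../login.php'); // assumed login page
    exit;
}

// Total as a fixed 8-decimal string, matching the sprintf('%.8f') precision
// used in the question, so it binds cleanly to a DECIMAL column.
$total = sprintf('%.8f', $price * $qty);

if (!deductCredits($db, $_SESSION['useruid'], $total)) {
    header('Location: ../newOrder.php?error=nobalance');
    exit;
}
// ... continue creating the order; the user's balance is never cached in $_SESSION
```

Because the `UPDATE` both checks and decreases the balance in a single statement, `affected_rows` tells you whether the deduction happened; reading `$_SESSION['credits']` first and comparing in PHP leaves a window in which two concurrent orders both pass the check. The price is still taken from the request here to mirror the question; in a real order flow it should be looked up server-side from `serviceid`, since anything in `$_GET` is client-controlled.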

1 Answer

Both $currentcredits and $devidedamount are strings. You can't do arithmetic operations on strings. Convert them to numeric first. I think you can do something like this:

```php
$currentcredits = floatval($currentcredits);
$devidedamount  = floatval($devidedamount);

$sqldevidecredits = "UPDATE users SET credits= $currentcredits-$devidedamount   WHERE usersUID = '" .$_SESSION['useruid']. "'";
```

You may subtract them first:

```php
$v = (float)$currentcredits - (float)$devidedamount;
$sqldevidecredits = "UPDATE users SET credits= $v WHERE usersUID = '" .$_SESSION['useruid']. "'";
```
Ehab
  • Hi, thanks for answering. When I do the `0 + $...` it is saying "A non-numeric value encountered" in this line. But that isn't right, in the session is stored just the same value as in the DB, and in the database are just numbers.... @Ehab – Theo Meyer Nov 13 '22 at 01:51
  • Sorry for that, `0 + $` was working in old days (PHP4, PHP5). Code modified, try `$v = (float)$currentcredits - (float)$devidedamount;` or use `floatval($currentcredits) - floatval($currentcredits)`. – Ehab Nov 13 '22 at 01:58
  • I have dv'ed this answer because it is not implementing best practices while executing a database query containing php variables. Also, which strings are the ones with respiratory problems? – mickmackusa Nov 13 '22 at 02:00
  • @mickmackusa, Using $_SESSION['useruid'] is not a good practice but it was not the reason for the problem. – Ehab Nov 13 '22 at 02:03
  • @Ehab ah okay, thanks for the tips but I think it hadn't solved my error. Now only the original error is showing. – Theo Meyer Nov 13 '22 at 02:07
  • @Theo Meyer Can you debug $sqldevidecredits? – Ehab Nov 13 '22 at 02:10
  • @Ehab what do you mean with debug? – Theo Meyer Nov 13 '22 at 02:20
  • Already pointed out but to be more explicit - "*asthmatics*"? – Don't Panic Nov 13 '22 at 02:24
  • @Theo Meyer Debugging is the process of identifying and removing errors. In your case you need to see the executed query (contents of `$sqldevidecredits`) to identify the error. – Ehab Nov 13 '22 at 02:34
  • @Ehab when I replace the `?` with variables again, it's showing in the error message the right things with the right and calculated amount – Theo Meyer Nov 13 '22 at 02:43
  • Found the error, I was doing a query and then also the prepared statement. I only needed one :( – Theo Meyer Nov 13 '22 at 03:25