Transferring amounts between users on a PHP website

Time: 2014-06-26 20:16:53

Tags: php

I'm trying to allow users to transfer funds between accounts, but my database isn't being updated with the new numbers the way I'd hoped, even though all the checks seem to pass. Not sure whether I've left out any information that might be needed to answer the question; if I have, I'll update the question as soon as I'm made aware of it.

Here's my code:

<?php
       // If our submit is set...
    if (isset($_POST['submit'])) {
        // Get the balance for the from user
        $fromBalance = $user->data()->money;
        // Get the balance for the to user
        $toBalance = DB::getInstance()->query("SELECT * FROM users WHERE username = '" . $_POST['touser'] . "'");
        $toMoney = $toBalance->results();
        $toMoney1 = isset($toMoney['money']); 
        // Get our new amounts, but don't do anything yet!
        $newmoney1  = $toMoney1   + $_POST['amount'];
        $newmoney2  = $fromBalance - $_POST['amount'];

        // amount
        $amount = $_POST['amount'];

        // Check to make sure we have a valid amount
        if(!($_POST['amount'] || $_POST['amount'] == 0 || $_POST['amount'] == '')) {
            // Or error out!
            echo '<center>ERROR: Bad amount Specified!</center>';
        // Check to make sure we have two valid users
        } elseif($user->data()->username == $_POST['touser']) {
            // Or error out!
            echo '<center>ERROR: Cannot transfer money to yourself!</center>';
        // Check to make sure sufficient funds are available
        } elseif($newmoney2 < 0) {
            // Or error out!
            echo '<center>ERROR: Insufficient funds!</center>';
        // Check for default user selection...
        } elseif($_POST['touser'] === 'null') {
                // Or Error Out
                echo '<center>ERROR: No username selected!</center>';
        // Otherwise we are good...
        } else {
            // So we call our update functions.
            $update = DB::getInstance()->query("UPDATE users SET `money` = '" . $newmoney2 . " WHERE username = '" . $user->data()->username . "'");
            $update2 = DB::getInstance()->query("UPDATE users SET `money` = '" . $newmoney1 . " WHERE username = '" . $_POST['touser'] . "'");

            // Send a success message
            echo '<center>Transfer completed successfully, thank you!</center>';
        }
    }

    ?>

The form is:

<form class="reg-page" role="form" action="" method="post">
<center>
Please note: Transferring funds is done at your own risk, please make sure you transfer the funds to the right person.
<br>
<br> 
<div class='row'>
    <div class='col-sm-6'>
        <label>Transfer $ To<span class='color-red'> *</span></label>
        <select name='touser' class='form-control margin-bottom-20'> 
        <option value="null">Select user:</option>
            <?php
                $query = DB::getInstance()->query("SELECT username FROM users");
                    // Loop over all our usernames...
                    foreach($query->results() as $row) {
                        if ($row->username != $user->data()->username) {
                        echo '<option value="' . $row->username . '" >' . $row->username . '</option>';
                        }
                    }
            ?>
        </select>
    </div>
    <div class='col-sm-6'>
        <label>Amount $<span class='color-red'> *</span></label>
        <input type='number' step="any" name='amount' class='form-control margin-bottom-20'>
    </div>
</div>
<button type="submit" class="btn-u" name="submit">Transfer</button>
</center>

Apologies if I've missed any information that might be needed to help me. If I have, I'll update the question as soon as possible. Thanks for your help!

2 answers:

Answer 0: (score: 0)

There is at least one stray ' in each UPDATE. It should be SET money="

Note that your implementation is subject to various concurrency and security issues. At the very least you should SET money = money + ? / SET money = money - ?, and put both of those inside a transaction block. You should also test the result of the updates, and properly escape everything you send to the SQL server.
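An added example (not code from the question or from either answer) of the approach this answer describes: bound parameters instead of string concatenation, `money = money - ?` / `money = money + ?` inside a transaction, and checking the affected row count of each update instead of trusting a balance read earlier. It uses PDO with an in-memory SQLite database so it runs stand-alone with the `php` CLI; the `users`, `username` and `money` names come from the question, while storing balances as integer cents and the `amountToCents`/`transfer` helpers are assumptions of this example.

```php
<?php
// Added example, not code from the question or either answer: a transfer done
// the way answer 0 recommends. Assumptions: PDO with an in-memory SQLite
// database (so it runs stand-alone) and balances stored as integer cents.
// Table and column names (users, username, money) come from the question.

declare(strict_types=1);

// Turn a user-supplied amount string into integer cents, or null if invalid.
// Pure string/integer work, so float rounding never enters the balance.
function amountToCents(string $raw): ?int
{
    if (!preg_match('/^(\d{1,9})(?:\.(\d{1,2}))?$/', $raw, $m)) {
        return null;
    }
    $cents = (int)$m[1] * 100 + (int)str_pad($m[2] ?? '', 2, '0');
    return $cents > 0 ? $cents : null;
}

// Move $rawAmount from $fromUser to $toUser. Returns the message to display.
function transfer(PDO $db, string $fromUser, string $toUser, string $rawAmount): string
{
    $cents = amountToCents($rawAmount);
    if ($cents === null) {
        return 'ERROR: Bad amount specified!';
    }
    if ($fromUser === $toUser) {
        return 'ERROR: Cannot transfer money to yourself!';
    }

    try {
        $db->beginTransaction();

        // Debit and balance check in ONE statement: "money >= ?" means two
        // concurrent requests cannot both spend the same funds, and the bound
        // parameters keep usernames and amounts out of the SQL text entirely.
        $debit = $db->prepare(
            'UPDATE users SET money = money - ? WHERE username = ? AND money >= ?'
        );
        $debit->execute([$cents, $fromUser, $cents]);
        if ($debit->rowCount() !== 1) {
            $db->rollBack();
            return 'ERROR: Insufficient funds!';
        }

        // Credit the recipient; a row count of 0 means no such user exists.
        $credit = $db->prepare(
            'UPDATE users SET money = money + ? WHERE username = ?'
        );
        $credit->execute([$cents, $toUser]);
        if ($credit->rowCount() !== 1) {
            $db->rollBack();
            return 'ERROR: Target account unavailable!';
        }

        $db->commit();
        return 'Transfer completed successfully, thank you!';
    } catch (PDOException $e) {
        // Any driver error undoes both halves; nothing is left half-applied.
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        return 'ERROR: Transfer failed, no money was moved.';
    }
}

// Constructed demo data: two users, balances in cents.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, money INTEGER NOT NULL)');
$db->exec("INSERT INTO users (username, money) VALUES ('alice', 5000), ('bob', 1000)");

echo transfer($db, 'alice', 'bob', '12.50'), "\n";   // normal transfer
echo transfer($db, 'alice', 'bob', '100.00'), "\n";  // more than alice has: rejected in SQL
echo transfer($db, 'alice', 'carol', '1.00'), "\n";  // unknown recipient: debit rolled back
echo transfer($db, 'alice', 'alice', '1.00'), "\n";  // self-transfer rejected
echo transfer($db, 'alice', 'bob', '-5'), "\n";      // negative or malformed amount rejected

foreach ($db->query('SELECT username, money FROM users ORDER BY username') as $row) {
    echo $row['username'], ': ', $row['money'], " cents\n";
}
```

Two design points: the sufficiency check lives in the `WHERE money >= ?` clause rather than in PHP, so the read and the write cannot be separated by another request; and with `PDO::ERRMODE_EXCEPTION` a failed `execute()` throws instead of silently returning `false`, which is what "test the result of the updates" amounts to in practice, with `rowCount()` covering the case where the statement ran but matched no row.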

Answer 1: (score: 0)

  • You have a rogue single quote in your sql update statement, which also isn't closed.
  • If you're trying to check whether $toBalance has a result "money" field, you're missing something.
    • My change stops the script if it's unavailable (not set), but you can do whatever you like there.
  • Use $toMoney rather than $toMoney1 for the new balance, or you'll run into some major problems.

You probably want your code to look more like... (code changes are surrounded by //CHANGE START and //CHANGE END)

<?php
       // If our submit is set...
    if (isset($_POST['submit'])) {
        // Get the balance for the from user
        $fromBalance = $user->data()->money;
        // Get the balance for the to user
        $toBalance = DB::getInstance()->query("SELECT * FROM users WHERE username = '" . $_POST['touser'] . "'");
        $toMoney = $toBalance->results();
//CHANGE START
        if (!isset($toMoney['money']))
        {
            echo '<center>ERROR: Target account unavailable!</center>';
            exit();
        }
        // Get our new amounts, but don't do anything yet!
        $newmoney1  = $toMoney   + $_POST['amount'];
//CHANGE END
        $newmoney2  = $fromBalance - $_POST['amount'];

        // amount
        $amount = $_POST['amount'];

        // Check to make sure we have a valid amount
        if(!($_POST['amount'] || $_POST['amount'] == 0 || $_POST['amount'] == '')) {
            // Or error out!
            echo '<center>ERROR: Bad amount Specified!</center>';
        // Check to make sure we have two valid users
        } elseif($user->data()->username == $_POST['touser']) {
            // Or error out!
            echo '<center>ERROR: Cannot transfer money to yourself!</center>';
        // Check to make sure sufficient funds are available
        } elseif($newmoney2 < 0) {
            // Or error out!
            echo '<center>ERROR: Insufficient funds!</center>';
        // Check for default user selection...
        } elseif($_POST['touser'] === 'null') {
                // Or Error Out
                echo '<center>ERROR: No username selected!</center>';
        // Otherwise we are good...
        } else {
            // So we call our update functions.
//CHANGE START
            $update = DB::getInstance()->query("UPDATE users SET `money` = " . $newmoney2 . " WHERE username = '" . $user->data()->username . "'");
            $update2 = DB::getInstance()->query("UPDATE users SET `money` = " . $newmoney1 . " WHERE username = '" . $_POST['touser'] . "'");
//CHANGE END

            // Send a success message
            echo '<center>Transfer completed successfully, thank you!</center>';
        }
    }

?>