Pages: [1]

Author Topic: $_POST trouble  (Read 857 times)

0 Members and 1 Guest are viewing this topic.

Offline DreX

  • Serf
  • *
  • Posts: 42
  • Cookies: -5
    • View Profile
$_POST trouble
« on: April 27, 2015, 02:13:23 pm »
As a practice I made a simple Bank.
http://pastebin.com/YzVMRui4
I have a couple of problems:

1. I can't withdraw money. The program recognizes that there is something inside $_POST['deposit']. So it executes the if for deposit which puts the "withdraw" to 0 at the end (this line is there because without it i couldnt make a deposit).
But the default value of deposit is set to FALSE (tried with NULL and 0 also). So why does it sense a value when there is non?

2. If i deposit some money it goes through and the $_POST['deposit']=0 at the end. But when I refresh the deposit is changed back to the value previously inserted.

There probably many ways I could make this code cleaner (radio button), but I just want to understand why things are this way for future.
« Last Edit: April 27, 2015, 05:24:02 pm by DreX »
Report to moderator   Logged

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: $_POST trouble
« Reply #1 on: April 27, 2015, 06:56:21 pm »
There are so many vulnerabilities here its not even funny.

1. You should use PDO.
2. You need to sanatize and check your inputs much better. Look into is is_int, htmlspecialchars with ENT_QUOTES set,
3. String != Number
4. Setting something to null does not mean its not set
5. Your HTML is all messed up
6. Use sessions instead of cookies
6. I ran out of patience and fixed it for you:

(Havent actually tested it, but I am fairly sure it will work.)


Code: (php) [Select]
<?php

 // Includes
 require_once('mysqlLogin.php');
  
 // MySQL connection
 $connection = new mysqli($db_hostname$db_username$db_password$db_database);
 if ($connection->connect_error)
 die($connection->connect_error);
// Get account data
 $accountNum mysqli_real_escape_string($connection$_COOKIE['cookie_account']); // sanitizeNumber?
 $query "SELECT * FROM bank WHERE accountNum='$accountNum'";
 $result $connection->query($query);
 if (!$result)
 die ($connection->error);
 $display $result->fetch_array(MYSQLI_ASSOC);
  
 // Deposit
 if (isset($_POST['deposit'])){
$deposit=sanitizeNumber($_POST['deposit']);
 if ($deposit == NULL || $deposit 0){
 die("Invalid deposit value. Must be a number and bigger than zero.");
 }
$newMoney=$display['money']+$deposit;
 $query="BEGIN";
 $connection->query($query);
 $query="UPDATE bank SET money=$newMoney WHERE accountNum=$accountNum";
 $connection->query($query);
 $query="COMMIT";
 $connection->query($query);
}
// Withdraw
 if (isset($_POST['withdraw'])){
$withdraw=sanitizeNumber($_POST['withdraw']);
 if ($withdraw == NULL || $withdraw 0){
 die("Invalid withdraw value. Must be a number and bigger than zero.");
 }
$newMoney=$display['money']-$withdraw;
 $query="BEGIN";
 $connection->query($query);
 $query="UPDATE bank SET money=$newMoney WHERE accountNum=$accountNum";
 $connection->query($query);
 $query="COMMIT";
 $connection->query($query);
}

// Refresh data in case of actions above
 $query "SELECT * FROM bank WHERE accountNum=$accountNum";
 $result $connection->query($query);
 if (!$result)
 die ($connection->error);
$display $result->fetch_array(MYSQLI_ASSOC);
 //display the name and everthing
 echo "Account Number: "htmlspecialchars($display['accountNum'], ENT_QUOTES) ."<br>";
 echo "Name: "htmlspecialchars($display['firstName'], ENT_QUOTES) ."<br>";
 echo "LastName: "htmlspecialchars($display['lastName'], ENT_QUOTES) ."<br>";
 echo "Money: "htmlspecialchars($display['money'], ENT_QUOTES) ."<br>";
   
 $result->close();
 $connection->close();
// Function to make sure a input is a number (Int)
 function sanitizeNumber($i) {
 if(is_numeric($i) && (int)$i==$i)
 return TRUE;
 return FALSE;
 }
  
?><!DOCTYPE html>
<html lang="en">
<body>
<form method="post" action="accountManagment.php">
<p>Deposit: <input type="number" name="deposit" /></p>
<p><input type="submit" name"submit" value="submit" /></p>
</form>

<br><br>

<form method="post" action="accountManagment.php">
<p>Withdraw: <input type="number" name="withdraw" /></p>
<p><input type="submit" name"submit" value="submit" /></p>
</form>
</body>
</html>

https://gist.github.com/anonymous/222a342f3df49b0b2bf5
« Last Edit: April 27, 2015, 07:12:20 pm by ande »
Report to moderator   Logged
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline Schalla

  • VIP
  • Peasant
  • *
  • Posts: 81
  • Cookies: 29
    • View Profile
Re: $_POST trouble
« Reply #2 on: April 27, 2015, 07:02:42 pm »
1. Using mysqli is absolutly fine.
2. Yeah, and you pasted htmlentities, which is not safe. Use htmlspecialchars as you wrote, and for integers intval() or a typecast.


Also as comment, the code shown here is horrible. There are multiple guidelines, however, as start you might want to
watch into the http://www.php-fig.org/psr/ guidelines. They are fairly good adapted.
Report to moderator   Logged

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: $_POST trouble
« Reply #3 on: April 27, 2015, 07:12:25 pm »
Yes, htmlspecialchars, my bad.
Report to moderator   Logged
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true
Pages: [1]