Author Topic: $_POST trouble  (Read 905 times)

0 Members and 1 Guest are viewing this topic.

Offline DreX

  • Serf
  • *
  • Posts: 42
  • Cookies: -5
    • View Profile
$_POST trouble
« on: April 27, 2015, 02:13:23 pm »
As a practice I made a simple Bank.
http://pastebin.com/YzVMRui4
I have a couple of problems:

1. I can't withdraw money. The program recognizes that there is something inside $_POST['deposit']. So it executes the if for deposit which puts the "withdraw" to 0 at the end (this line is there because without it i couldnt make a deposit).
But the default value of deposit is set to FALSE (tried with NULL and 0 also). So why does it sense a value when there is non?

2. If i deposit some money it goes through and the $_POST['deposit']=0 at the end. But when I refresh the deposit is changed back to the value previously inserted.

There probably many ways I could make this code cleaner (radio button), but I just want to understand why things are this way for future.
« Last Edit: April 27, 2015, 05:24:02 pm by DreX »

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: $_POST trouble
« Reply #1 on: April 27, 2015, 06:56:21 pm »
There are so many vulnerabilities here its not even funny.

1. You should use PDO.
2. You need to sanatize and check your inputs much better. Look into is is_int, htmlspecialchars with ENT_QUOTES set,
3. String != Number
4. Setting something to null does not mean its not set
5. Your HTML is all messed up
6. Use sessions instead of cookies
6. I ran out of patience and fixed it for you:

(Havent actually tested it, but I am fairly sure it will work.)


Code: (php) [Select]
<?php

// Includes
require_once('mysqlLogin.php');
 
// MySQL connection
$connection = new mysqli($db_hostname$db_username$db_password$db_database);
if ($connection->connect_error)
die($connection->connect_error);

// Get account data
$accountNum mysqli_real_escape_string($connection$_COOKIE['cookie_account']); // sanitizeNumber?
$query "SELECT * FROM bank WHERE accountNum='$accountNum'";
$result $connection->query($query);
if (!$result)
die ($connection->error);
$display $result->fetch_array(MYSQLI_ASSOC);
 
// Deposit
if (isset($_POST['deposit'])){

$deposit=sanitizeNumber($_POST['deposit']);
if ($deposit == NULL || $deposit 0){
die("Invalid deposit value. Must be a number and bigger than zero.");
}

$newMoney=$display['money']+$deposit;
$query="BEGIN";
$connection->query($query);
$query="UPDATE bank SET money=$newMoney WHERE accountNum=$accountNum";
$connection->query($query);
$query="COMMIT";
$connection->query($query);

}

// Withdraw
if (isset($_POST['withdraw'])){

$withdraw=sanitizeNumber($_POST['withdraw']);
if ($withdraw == NULL || $withdraw 0){
die("Invalid withdraw value. Must be a number and bigger than zero.");
}

$newMoney=$display['money']-$withdraw;
$query="BEGIN";
$connection->query($query);
$query="UPDATE bank SET money=$newMoney WHERE accountNum=$accountNum";
$connection->query($query);
$query="COMMIT";
$connection->query($query);

}


// Refresh data in case of actions above
$query "SELECT * FROM bank WHERE accountNum=$accountNum";
$result $connection->query($query);
if (!$result)
die ($connection->error);

$display $result->fetch_array(MYSQLI_ASSOC);
//display the name and everthing
echo "Account Number: "htmlspecialchars($display['accountNum'], ENT_QUOTES) ."<br>";
echo "Name: "htmlspecialchars($display['firstName'], ENT_QUOTES) ."<br>";
echo "LastName: "htmlspecialchars($display['lastName'], ENT_QUOTES) ."<br>";
echo "Money: "htmlspecialchars($display['money'], ENT_QUOTES) ."<br>";
  
$result->close();
$connection->close();

// Function to make sure a input is a number (Int)
function sanitizeNumber($i) {
if(is_numeric($i) && (int)$i==$i)
return TRUE;
return FALSE;
}
 
?>
<!DOCTYPE html>
<html lang="en">
<body>
<form method="post" action="accountManagment.php">
<p>Deposit: <input type="number" name="deposit" /></p>
<p><input type="submit" name"submit" value="submit" /></p>
</form>

<br><br>

<form method="post" action="accountManagment.php">
<p>Withdraw: <input type="number" name="withdraw" /></p>
<p><input type="submit" name"submit" value="submit" /></p>
</form>
</body>
</html>

https://gist.github.com/anonymous/222a342f3df49b0b2bf5
« Last Edit: April 27, 2015, 07:12:20 pm by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline Schalla

  • VIP
  • Peasant
  • *
  • Posts: 81
  • Cookies: 29
    • View Profile
Re: $_POST trouble
« Reply #2 on: April 27, 2015, 07:02:42 pm »
1. Using mysqli is absolutly fine.
2. Yeah, and you pasted htmlentities, which is not safe. Use htmlspecialchars as you wrote, and for integers intval() or a typecast.


Also as comment, the code shown here is horrible. There are multiple guidelines, however, as start you might want to
watch into the http://www.php-fig.org/psr/ guidelines. They are fairly good adapted.

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: $_POST trouble
« Reply #3 on: April 27, 2015, 07:12:25 pm »
Yes, htmlspecialchars, my bad.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true