
Topic: $_POST trouble


DreX

  • Serf
  • Posts: 42
  • Cookies: -5
$_POST trouble
« on: April 27, 2015, 02:13:23 PM »
As practice I made a simple bank.
I have a couple of problems:

1. I can't withdraw money. The program recognizes that there is something inside $_POST['deposit']. So it executes the if for deposit, which sets "withdraw" to 0 at the end (this line is there because without it I couldn't make a deposit).
But the default value of deposit is set to FALSE (tried with NULL and 0 also). So why does it sense a value when there is none?

2. If I deposit some money it goes through and $_POST['deposit']=0 at the end. But when I refresh, the deposit is changed back to the value previously inserted.

There are probably many ways I could make this code cleaner (radio button), but I just want to understand why things are this way for the future.
« Last Edit: April 27, 2015, 05:24:02 PM by DreX »

ande

  • Owner
  • Titan
  • Posts: 2664
  • Cookies: 256
Re: $_POST trouble
« Reply #1 on: April 27, 2015, 06:56:21 PM »
There are so many vulnerabilities here it's not even funny.

1. You should use PDO.
2. You need to sanitize and check your inputs much better. Look into is_int, htmlspecialchars with ENT_QUOTES set.
3. String != Number
4. Setting something to null does not mean it's not set
5. Your HTML is all messed up
6. Use sessions instead of cookies
7. I ran out of patience and fixed it for you:

(Haven't actually tested it, but I am fairly sure it will work.)

Code: (php)

<?php
// Includes ($db_hostname, $db_username, $db_password and $db_database are expected from an included config file)
// MySQL connection
$connection = new mysqli($db_hostname, $db_username, $db_password, $db_database);
if ($connection->connect_error)
    die($connection->connect_error);

// Get account data
$accountNum = mysqli_real_escape_string($connection, $_COOKIE['cookie_account']); // sanitizeNumber?
$query = "SELECT * FROM bank WHERE accountNum='$accountNum'";
$result = $connection->query($query);
if (!$result)
    die($connection->error);
$display = $result->fetch_array(MYSQLI_ASSOC);

// Deposit
if (isset($_POST['deposit'])) {
    // Only a whole number is accepted; anything else becomes NULL and is rejected below
    $deposit = sanitizeNumber($_POST['deposit']) ? (int)$_POST['deposit'] : NULL;
    if ($deposit == NULL || $deposit <= 0) {
        die("Invalid deposit value. Must be a number and bigger than zero.");
    }
    $newMoney = $display['money'] + $deposit;
    $query = "UPDATE bank SET money=$newMoney WHERE accountNum='$accountNum'";
    if (!$connection->query($query))
        die($connection->error);
}

// Withdraw
if (isset($_POST['withdraw'])) {
    $withdraw = sanitizeNumber($_POST['withdraw']) ? (int)$_POST['withdraw'] : NULL;
    if ($withdraw == NULL || $withdraw <= 0) {
        die("Invalid withdraw value. Must be a number and bigger than zero.");
    }
    $newMoney = $display['money'] - $withdraw;
    if ($newMoney < 0) // do not let the balance go negative
        die("Insufficient funds.");
    $query = "UPDATE bank SET money=$newMoney WHERE accountNum='$accountNum'";
    if (!$connection->query($query))
        die($connection->error);
}

// Refresh data in case of actions above
$query = "SELECT * FROM bank WHERE accountNum='$accountNum'";
$result = $connection->query($query);
if (!$result)
    die($connection->error);

$display = $result->fetch_array(MYSQLI_ASSOC);
// Display the name and everything
echo "Account Number: " . htmlspecialchars($display['accountNum'], ENT_QUOTES) . "<br>";
echo "Name: " . htmlspecialchars($display['firstName'], ENT_QUOTES) . "<br>";
echo "LastName: " . htmlspecialchars($display['lastName'], ENT_QUOTES) . "<br>";
echo "Money: " . htmlspecialchars($display['money'], ENT_QUOTES) . "<br>";

// Function to make sure an input is a number (Int)
function sanitizeNumber($i) {
    if (is_numeric($i) && (int)$i == $i)
        return TRUE;
    return FALSE;
}
?>
<!DOCTYPE html>
<html lang="en">
<body>
<form method="post" action="accountManagment.php">
<p>Deposit: <input type="number" name="deposit" /></p>
<p><input type="submit" name="submit" value="submit" /></p>
</form>

<form method="post" action="accountManagment.php">
<p>Withdraw: <input type="number" name="withdraw" /></p>
<p><input type="submit" name="submit" value="submit" /></p>
</form>
</body>
</html>
« Last Edit: April 27, 2015, 07:12:20 PM by ande »
if($statement) { unless(!$statement) { // Very sure } }
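An added example, not code from DreX's or ande's posts, that isolates the two behaviours behind the original questions: a form field that was submitted blank still satisfies isset() (ande's point 4), and a browser refresh re-sends the same POST body. The function names and the single-form shape of the constructed POST bodies are assumptions; accountManagment.php is the action used by ande's forms.

```php
<?php
// Return the amount as an int, or null when the field is absent, blank, not an
// integer, or not strictly positive: "" and "abc" give null, "0" gives null
// (a deposit or withdrawal must be bigger than zero), "12" gives 12.
function readAmount(array $post, string $field): ?int
{
    if (!isset($post[$field]) || $post[$field] === '') {
        return null;   // missing, or present as "" (isset() is TRUE for an empty string)
    }
    // FILTER_VALIDATE_INT rejects "12abc", "1e3", "12.5"; min_range enforces > 0
    $value = filter_var($post[$field], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Pick the action that actually carries a valid amount. If both inputs sit in one
// <form>, every submit sends both keys (the unused one as ""), so testing
// isset($_POST['deposit']) first makes "deposit" win even when only "withdraw" was filled.
function chooseAction(array $post): ?array
{
    foreach (['deposit', 'withdraw'] as $action) {
        $amount = readAmount($post, $action);
        if ($amount !== null) {
            return [$action, $amount];
        }
    }
    return null;
}

// Apply the action to a balance; refuse a withdrawal that would overdraw the account.
function applyAction(int $balance, string $action, int $amount): int
{
    if ($action === 'withdraw' && $amount > $balance) {
        throw new RuntimeException('Insufficient funds.');
    }
    return $action === 'withdraw' ? $balance - $amount : $balance + $amount;
}

// Constructed POST bodies, as a browser would send them.
$oneForm = ['deposit' => '', 'withdraw' => '25'];   // one form, deposit field left blank
var_dump(isset($oneForm['deposit']));               // question 1: the blank key is still "set"
var_dump(chooseAction($oneForm));                   // the blank deposit is skipped, withdraw wins
var_dump(chooseAction(['deposit' => '0']));         // zero is rejected as an amount
var_dump(applyAction(100, 'withdraw', 25));

// Question 2: after a successful UPDATE, answer the POST with a redirect so that a
// refresh repeats a harmless GET instead of re-posting the deposit (Post/Redirect/Get):
//   header('Location: accountManagment.php', true, 303);
//   exit;
```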

Schalla

  • VIP
  • Peasant
  • Posts: 81
  • Cookies: 29
Re: $_POST trouble
« Reply #2 on: April 27, 2015, 07:02:42 PM »
1. Using mysqli is absolutely fine.
2. Yeah, and you pasted htmlentities, which is not safe. Use htmlspecialchars as you wrote, and for integers intval() or a typecast.

Also, as a comment, the code shown here is horrible. There are multiple guidelines; however, as a start you might want to
look into the guidelines. They are fairly well adapted.

ande

  • Owner
  • Titan
  • Posts: 2664
  • Cookies: 256
Re: $_POST trouble
« Reply #3 on: April 27, 2015, 07:12:25 PM »
Yes, htmlspecialchars, my bad.

