learnings

  1. My entire code to run the update command on the application is as follows:

     <pre>
     // Run a query; values in $args are bound through a prepared statement.
     public function run($sql, $args = [])
     {
         if (empty($args)) {
             return $this->db->query($sql);
         }
         $stmt = $this->db->prepare($sql);
         $stmt->execute($args);
         return $stmt;
     }

     // Build and run an UPDATE. Values are bound as placeholders;
     // the table name and column names are interpolated into the SQL string.
     public function update($table, $data, $where)
     {
         $collection = array_merge($data, $where);
         $values = array_values($collection);

         $fieldDetails = null;
         foreach ($data as $key => $value) {
             $fieldDetails .= "$key = ?,";
         }
         $fieldDetails = rtrim($fieldDetails, ',');

         $whereDetails = null;
         $i = 0;
         foreach ($where as $key => $value) {
             $whereDetails .= $i == 0 ? "$key = ?" : " AND $key = ?";
             $i++;
         }

         $stmt = $this->run("UPDATE $table SET $fieldDetails WHERE $whereDetails", $values);
         return $stmt->rowCount();
     }

     // New balance is computed in PHP from a previously read row, then written back.
     $towallet = intval($rgy['mainbalance']) - intval($newamount);
     $letUpdate = $db->update('mywallet', ['main' => $towallet], ['validate' => $apikill]);
     </pre>
  2. Yes, I did. Any amount less than 100 will have the script terminated. And any inputted amount value that is not a number or is negative in value will be terminated. Moreover, when the wallet change occurs, the user can't determine the amount; the amount is sorted accordingly from the DB.
  3. <pre>
     public function update($table, $data, $where)
     {
         $collection = array_merge($data, $where);
         $values = array_values($collection);

         $fieldDetails = null;
         foreach ($data as $key => $value) {
             $fieldDetails .= "$key = ?,";
         }
         $fieldDetails = rtrim($fieldDetails, ',');

         $whereDetails = null;
         $i = 0;
         foreach ($where as $key => $value) {
             $whereDetails .= $i == 0 ? "$key = ?" : " AND $key = ?";
             $i++;
         }

         $stmt = $this->run("UPDATE $table SET $fieldDetails WHERE $whereDetails", $values);
         return $stmt->rowCount();
     }
     </pre>

     <pre>
     $towallet = intval($rgy['mainbalance']) - intval($newamount);
     $letUpdate = $db->update('mywallet', ['main' => $towallet], ['validate' => $apikill]);
     </pre>

     From the screenshot, the third column addresses the amount value. The very one at the top is the previous balance, the middle is the new amount, while the third is the new balance. All credits and debits were written to be recorded in the transaction table. All of this worked fine for many months, until someone was able to breach it this week over and over. And there's no record of these strange activities. There's no other direct code to interact with my wallet table; what could have been wrong?
  4. I successfully built a transactional app with PDO MySQL; all transactions that deal with cash inflow and outflow are programmed to be recorded accordingly. But I figured out that someone credited his wallet by himself, and the method he uses bypasses recording of his channel of self-funding. I would love anyone who is willing to assist me with this.
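
An added example, not code from the original posts: one way to make the wallet debit and its transaction record a single atomic unit, so a balance change cannot be committed without its ledger row and the balance arithmetic happens in the database rather than on a value read earlier in PHP. It reuses the posts' `mywallet`, `main` and `validate` names; the `transactions` table layout, the `debitWallet` helper and the in-memory SQLite connection (standing in for MySQL) are assumptions.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so the script runs offline.
// `transactions` is an assumed ledger layout; the wallet row is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mywallet (validate TEXT PRIMARY KEY, main INTEGER NOT NULL CHECK (main >= 0))');
$db->exec('CREATE TABLE transactions (id INTEGER PRIMARY KEY, validate TEXT, prev INTEGER, amount INTEGER, balance INTEGER)');
$db->exec("INSERT INTO mywallet VALUES ('constructed-key', 500)");

/** Debit a wallet and write the ledger row together. Returns the new balance, or null if refused. */
function debitWallet(PDO $db, string $key, int $amount): ?int
{
    if ($amount < 100) {                 // same minimum the posts describe
        return null;
    }
    $db->beginTransaction();
    try {
        // Relative update: the database subtracts, and the WHERE clause refuses
        // an overdraft, so a stale balance held in PHP is never written back.
        $upd = $db->prepare('UPDATE mywallet SET main = main - ? WHERE validate = ? AND main >= ?');
        $upd->execute([$amount, $key, $amount]);
        if ($upd->rowCount() !== 1) {    // unknown key or insufficient funds
            $db->rollBack();
            return null;
        }
        $sel = $db->prepare('SELECT main FROM mywallet WHERE validate = ?');
        $sel->execute([$key]);
        $new = (int) $sel->fetchColumn();
        // The ledger row commits or rolls back together with the balance change.
        $log = $db->prepare('INSERT INTO transactions (validate, prev, amount, balance) VALUES (?, ?, ?, ?)');
        $log->execute([$key, $new + $amount, -$amount, $new]);
        $db->commit();
        return $new;
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}

var_dump(debitWallet($db, 'constructed-key', 200)); // debit within the balance
var_dump(debitWallet($db, 'constructed-key', 400)); // more than the remaining balance
var_dump(debitWallet($db, 'constructed-key', 50));  // below the minimum
// Reconciliation: every wallet balance should equal the balance in its latest ledger row.
var_dump($db->query('SELECT COUNT(*) FROM transactions')->fetchColumn());
```

With balance changes confined to a function like this, a periodic comparison of each wallet's `main` against its latest ledger `balance` flags any write that reached the table by another path.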