desjardins2010 Posted December 30, 2010

Hello all, I can't get this to work; I'm able to echo both accts entered into the form via the _GET but can't pull both balances using the $from_acct and $to_acct. Only the first query is working. Do I have it formatted wrong?

<?php
//check for submit
$submit = $_GET['submit'];
//end looking for submit

//set variables if submit is present
if (!$submit) {
    echo "Sorry Mate I don't see you have submitted anything for me to process";
} else {
    //make the connection and set some variables from _get
    $from_acct = $_GET['from_acct'];
    $to_acct = $_GET['to_acct'];
    $amount = $_GET['amount'];
    $connect = mysql_connect("localhost","root","") or die (mysql_error());
    mysql_select_db('users') or die ("no such database exisit");
    $query = mysql_query("SELECT * from members WHERE bankaccount=$from_acct") or die ("Could not locate to account");
    $query2 = mysql_query("SELECT * from members WHERE bankaccount=$to_acct") or die ("Could not locate to account");
    while ($result = mysql_fetch_assoc($query) && $result2 = mysql_fetch_assoc($query2)) {
        $fromb = $result['balance'];
        $tob = $result2['balance'];
    }
    //make a check to see if the account that is sending has the money to send
    if ($fromb<$amount) {
        echo "Mate you don't have enough cash to transfer " .$amount. "to this account<br />";
        echo "Your Current Balance available for transfer is " .$fromb;
    } else {
        $newbalancefrom = $fromb - $amount;
        $newbalanceto = $tob + $amount;
        //make the transfer
        $transfer = mysql_query("UPDATE 'users' . 'members' SET 'balance' = '$newblanceto' WHERE bankaccount='$to_acct'") or die ("could not write to profile");
        $transfer2 = mysql_query("UPDATE 'users' . 'members' SET 'balance' = '$newblancefrom' WHERE bankaccount='$from_acct'") or die ("Could Not Write to From Account");
        if ($transfer) {
            echo "Transfer Complete Thanks!";
        } else {
            echo "There was a error in the transfer process please try again";
        }
    }
}
echo $fromb . "<br />";
echo $tob . "<br />";
echo $from_acct . "<br />";
echo $to_acct . "<br />";
?>
<h2>Peer to Peer Transfer</h2><br><br>
<form action="testtrans.php" method="get">
Amount to Transfer: <input type="text" size="8" name="amount"><br>
From Account: <input type="text" size="15" name="from_acct">
To Account: <input type="text" size="15" name="to_acct" /><br />
<input type="submit" name="submit" value="transfer" />
</form>

Zurev Posted December 30, 2010

Did you try surrounding your select query items in single quotes?

Also, you realize you are completely vulnerable to injection right? You aren't using escape string (which has its own flaws since you're using MySQL, and not prepared statements), whatever the user enters in the $_GET is being entered directly into your query. You could also try regex whitelisting, and only allow certain values or patterns into your GET values.

Have a look at http://www.learnphponline.com/security/sql-injection-prevention-mysql-php man, otherwise you're asking for an attack.

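The two defences named in the post above (pattern whitelisting of the GET values and prepared statements), shown as an added example that is not code from the thread. It assumes PDO, with an in-memory SQLite database and constructed rows standing in for the `members` table, a hypothetical `transfer()` function, and whole-number amounts; it also goes one step beyond the post by wrapping both balance updates in a transaction.

```php
<?php
// Added example, not from the thread. Table and column names follow the posted
// script; the function name, SQLite database and sample rows are constructed.
function transfer(PDO $db, string $from, string $to, string $amount): string
{
    // Whitelist: account numbers and the amount must be plain digits.
    foreach ([$from, $to, $amount] as $v) {
        if (!preg_match('/^[0-9]{1,15}$/', $v)) {
            return 'rejected: invalid input';
        }
    }
    if ($from === $to || (int)$amount === 0) {
        return 'rejected: invalid input';
    }
    $db->beginTransaction();
    try {
        // Placeholders keep user input out of the SQL text entirely.
        $sel = $db->prepare('SELECT balance FROM members WHERE bankaccount = ?');
        $sel->execute([$from]);
        $fromb = $sel->fetchColumn();
        $sel->execute([$to]);
        $tob = $sel->fetchColumn();
        if ($fromb === false || $tob === false) {
            throw new RuntimeException('unknown account');
        }
        if ((int)$fromb < (int)$amount) {
            throw new RuntimeException('insufficient funds');
        }
        // Both updates commit together or not at all.
        $upd = $db->prepare('UPDATE members SET balance = balance + ? WHERE bankaccount = ?');
        $upd->execute([-(int)$amount, $from]);
        $upd->execute([(int)$amount, $to]);
        $db->commit();
        return 'ok';
    } catch (Exception $e) {
        $db->rollBack();
        return 'rejected: ' . $e->getMessage();
    }
}

// Constructed demo data: two accounts in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (bankaccount TEXT PRIMARY KEY, balance INTEGER)');
$db->exec("INSERT INTO members VALUES ('1001', 500), ('1002', 50)");

echo transfer($db, '1001', '1002', '200'), "\n";        // valid transfer
echo transfer($db, '1001', '1002 OR 1=1', '10'), "\n";  // non-numeric account value
echo transfer($db, '1002', '1001', '9999'), "\n";       // more than the balance
```
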
BlueSkyIS Posted December 30, 2010

If there should be only one account for an account number, there is no point in using a loop to get the results.

$query = mysql_query("SELECT * from members WHERE bankaccount=$from_acct") or die ("Could not locate to account");
$query2 = mysql_query("SELECT * from members WHERE bankaccount=$to_acct") or die ("Could not locate to account");
$result = mysql_fetch_assoc($query);
$result2 = mysql_fetch_assoc($query2);
$fromb = $result['balance'];
$tob = $result2['balance'];

sasa Posted December 31, 2010

Remove single quotes around the filename in your query

// $newbalanceto is the name the original script assigns before the UPDATE
$transfer = mysql_query("UPDATE members SET balance = '$newbalanceto' WHERE bankaccount='$to_acct'") or die ("could not write to profile");