New with PDO

[davidolson]

<?php

if ($_GET['do'] != "promocode") {

    header('Location: index.php?do=promocode');

    exit();

}

if (!isset($_SESSION['loggedin'])) {

    header('Location: index.php?do=login');

    exit();

}

 

$errors = array();

 

if (!empty($_POST['submit'])) {

    

    $promocode = $_POST['promocode'];

    $username = $userinfo['username'];

    $expire = time();

    

    $query_1 = "SELECT *

                FROM promocodes_used

                WHERE username = :username AND promocode = :promocode";

    $used_stmt = $dbh->prepare($query_1);

    $used_stmt->bindParam(':username', $username);

    $used_stmt->bindParam(':promocode', $promocode);

    $used_stmt->execute();

    $used = $used_stmt->fetch(PDO::FETCH_COLUMN);

    

    $query_2 = "SELECT *

                FROM promocodes

                WHERE code = :promocode";

    $notvalid_stmt = $dbh->prepare($query_2);

    $notvalid_stmt->bindParam(':promocode', $promocode);

    $notvalid_stmt->execute();

    $notvalid = $notvalid_stmt->fetch(PDO::FETCH_COLUMN);

    

    $query_3 = "SELECT *

                FROM promocodes

                WHERE code = :promocode AND expire < :expire";

    $expire_stmt = $dbh->prepare($query_3);

    $expire_stmt->bindParam(':promocode', $promocode);

    $expire_stmt->bindParam(':expire', $expire);

    $expire_stmt->execute();

    $expire = $expire_stmt->fetch(PDO::FETCH_COLUMN);

 

    if (empty($promocode)) {

        $errors[] = "You did not enter a Promo Code!";

    }

    elseif ($used) {

        $errors[] = "You have already used this Promo Code!";

    }

    elseif (!$notvalid) {

        $errors[] = "The promo code entered is not valid!";

    }

    elseif ($expire) {

        $errors[] = "Promo Code is expired!";

    }

}

if (!empty($_POST['submit']) && empty($errors)) {

    

    $query_4 = "SELECT cash, points

                FROM promocodes

                WHERE code = :promocode";

    $value_stmt = $dbh->prepare($query_4);

    $value_stmt->bindParam(':promocode', $promocode);

    $value_stmt->execute();

    $value = $value_stmt->fetch(PDO::FETCH_ASSOC);

    

    $query_5 = "UPDATE users

                SET total_cash = total_cash +{$value['cash']}, current_cash = current_cash +{$value['cash']}    //is this line safe//

                WHERE username = :username";

    $UPDATE_1_stmt = $dbh->prepare($query_5);

    $UPDATE_1_stmt->bindParam(':username', $username);

    $UPDATE_1_stmt->execute();

    

print "You have just received ${$value['cash']}";

 }

?>

 

<?php if ($configs['ShowPageTitle']): ?>

<div id="pagetitle">Promo Code</div>

<?php endif; ?>

<?php if ($errors): ?>  

<?php foreach ($errors as $error): ?>

<div id="small_error_msg"><?php echo $error; ?></div>

<?php endforeach; ?>

<br />

<?php endif; ?>

 

<form method="POST">

<table cellpadding="4" cellspacing="0" style="width:100%" class="">

  <tr>

    <td style="width:35%"><b>Promo Code</b></td>

    <td style="width:65%"><input type="text" name="promocode" maxlength="50" style="width:200px" value="<?php echo isset($promocode) ? htmlspecialchars($promocode, ENT_QUOTES) : ''; ?>" /></td> // do this prevent XSS and Undefined variable //

  </tr>

  <tr>

    <td colspan="2" align="center" style="padding:5px 0 5px"><input type="submit" name="submit" value="Submit" /></td>

  </tr>

</table>

</form>

[kicken]

Use

tags when you post code.

 

 

 

$query_5 = "UPDATE users

                SET total_cash = total_cash +{$value['cash']}, current_cash = current_cash +{$value['cash']}    //is this line safe//

                WHERE username = :username";

Assuming that cash is a numeric type column, then yes it is fine. The value is controlled so there is no harm in using it directly in a query.

 

<td style="width:65%"><input type="text" name="promocode" maxlength="50" style="width:200px" value="<?php echo isset($promocode) ? htmlspecialchars($promocode, ENT_QUOTES) : ''; ?>" /></td> // do this prevent XSS and Undefined variable //

Yes.