davidolson Posted May 26, 2013 Share Posted May 26, 2013 <?php if ($_GET['do'] != "promocode") { header('Location: index.php?do=promocode'); exit(); } if (!isset($_SESSION['loggedin'])) { header('Location: index.php?do=login'); exit(); } $errors = array(); if (!empty($_POST['submit'])) { $promocode = $_POST['promocode']; $username = $userinfo['username']; $expire = time(); $query_1 = "SELECT * FROM promocodes_used WHERE username = :username AND promocode = :promocode"; $used_stmt = $dbh->prepare($query_1); $used_stmt->bindParam(':username', $username); $used_stmt->bindParam(':promocode', $promocode); $used_stmt->execute(); $used = $used_stmt->fetch(PDO::FETCH_COLUMN); $query_2 = "SELECT * FROM promocodes WHERE code = :promocode"; $notvalid_stmt = $dbh->prepare($query_2); $notvalid_stmt->bindParam(':promocode', $promocode); $notvalid_stmt->execute(); $notvalid = $notvalid_stmt->fetch(PDO::FETCH_COLUMN); $query_3 = "SELECT * FROM promocodes WHERE code = :promocode AND expire < :expire"; $expire_stmt = $dbh->prepare($query_3); $expire_stmt->bindParam(':promocode', $promocode); $expire_stmt->bindParam(':expire', $expire); $expire_stmt->execute(); $expire = $expire_stmt->fetch(PDO::FETCH_COLUMN); if (empty($promocode)) { $errors[] = "You did not enter a Promo Code!"; } elseif ($used) { $errors[] = "You have already used this Promo Code!"; } elseif (!$notvalid) { $errors[] = "The promo code entered is not valid!"; } elseif ($expire) { $errors[] = "Promo Code is expired!"; } } if (!empty($_POST['submit']) && empty($errors)) { $query_4 = "SELECT cash, points FROM promocodes WHERE code = :promocode"; $value_stmt = $dbh->prepare($query_4); $value_stmt->bindParam(':promocode', $promocode); $value_stmt->execute(); $value = $value_stmt->fetch(PDO::FETCH_ASSOC); $query_5 = "UPDATE users SET total_cash = total_cash +{$value['cash']}, current_cash = current_cash +{$value['cash']} //is this line safe// WHERE username = :username"; $UPDATE_1_stmt = $dbh->prepare($query_5); $UPDATE_1_stmt->bindParam(':username', $username); $UPDATE_1_stmt->execute(); print "You have just received ${$value['cash']}"; } ?> <?php if ($configs['ShowPageTitle']): ?> <div id="pagetitle">Promo Code</div> <?php endif; ?> <?php if ($errors): ?> <?php foreach ($errors as $error): ?> <div id="small_error_msg"><?php echo $error; ?></div> <?php endforeach; ?> <br /> <?php endif; ?> <form method="POST"> <table cellpadding="4" cellspacing="0" style="width:100%" class=""> <tr> <td style="width:35%"><b>Promo Code</b></td> <td style="width:65%"><input type="text" name="promocode" maxlength="50" style="width:200px" value="<?php echo isset($promocode) ? htmlspecialchars($promocode, ENT_QUOTES) : ''; ?>" /></td> // do this prevent XSS and Undefined variable // </tr> <tr> <td colspan="2" align="center" style="padding:5px 0 5px"><input type="submit" name="submit" value="Submit" /></td> </tr> </table> </form> Quote Link to comment https://forums.phpfreaks.com/topic/278406-new-with-pdo/ Share on other sites More sharing options...
kicken Posted May 26, 2013 Share Posted May 26, 2013 Use tags when you post code. $query_5 = "UPDATE users SET total_cash = total_cash +{$value['cash']}, current_cash = current_cash +{$value['cash']} //is this line safe// WHERE username = :username"; Assuming that cash is a numeric type column, then yes it is fine. The value is controlled so there is no harm in using it directly in a query. <td style="width:65%"><input type="text" name="promocode" maxlength="50" style="width:200px" value="<?php echo isset($promocode) ? htmlspecialchars($promocode, ENT_QUOTES) : ''; ?>" /></td> // do this prevent XSS and Undefined variable //Yes. Quote Link to comment https://forums.phpfreaks.com/topic/278406-new-with-pdo/#findComment-1432407 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.