New with PDO


davidolson

<?php
if ($_GET['do'] != "promocode") {
    header('Location: index.php?do=promocode');
    exit();
}
if (!isset($_SESSION['loggedin'])) {
    header('Location: index.php?do=login');
    exit();
}

$errors = array();

if (!empty($_POST['submit'])) {

    $promocode = $_POST['promocode'];
    $username = $userinfo['username'];
    $now = time();

    // Has this user already redeemed this code?
    $query_1 = "SELECT *
                FROM promocodes_used
                WHERE username = :username AND promocode = :promocode";
    $used_stmt = $dbh->prepare($query_1);
    $used_stmt->bindParam(':username', $username);
    $used_stmt->bindParam(':promocode', $promocode);
    $used_stmt->execute();
    $used = $used_stmt->fetch(PDO::FETCH_COLUMN);

    // Does the code exist at all?
    $query_2 = "SELECT *
                FROM promocodes
                WHERE code = :promocode";
    $notvalid_stmt = $dbh->prepare($query_2);
    $notvalid_stmt->bindParam(':promocode', $promocode);
    $notvalid_stmt->execute();
    $notvalid = $notvalid_stmt->fetch(PDO::FETCH_COLUMN);

    // Has the code expired (its expire timestamp is already in the past)?
    $query_3 = "SELECT *
                FROM promocodes
                WHERE code = :promocode AND expire < :expire";
    $expire_stmt = $dbh->prepare($query_3);
    $expire_stmt->bindParam(':promocode', $promocode);
    $expire_stmt->bindParam(':expire', $now);
    $expire_stmt->execute();
    $expired = $expire_stmt->fetch(PDO::FETCH_COLUMN);

    if (empty($promocode)) {
        $errors[] = "You did not enter a Promo Code!";
    }
    elseif ($used) {
        $errors[] = "You have already used this Promo Code!";
    }
    elseif (!$notvalid) {
        $errors[] = "The promo code entered is not valid!";
    }
    elseif ($expired) {
        $errors[] = "Promo Code is expired!";
    }
}

if (!empty($_POST['submit']) && empty($errors)) {

    $query_4 = "SELECT cash, points
                FROM promocodes
                WHERE code = :promocode";
    $value_stmt = $dbh->prepare($query_4);
    $value_stmt->bindParam(':promocode', $promocode);
    $value_stmt->execute();
    $value = $value_stmt->fetch(PDO::FETCH_ASSOC);

    // Is this line safe? ($value['cash'] comes from the promocodes table, not from the user)
    $query_5 = "UPDATE users
                SET total_cash = total_cash +{$value['cash']}, current_cash = current_cash +{$value['cash']}
                WHERE username = :username";
    $UPDATE_1_stmt = $dbh->prepare($query_5);
    $UPDATE_1_stmt->bindParam(':username', $username);
    $UPDATE_1_stmt->execute();

    // Record the redemption (this step was missing from the post as written);
    // without it the "already used" check above can never match.
    $query_6 = "INSERT INTO promocodes_used (username, promocode)
                VALUES (:username, :promocode)";
    $used_ins_stmt = $dbh->prepare($query_6);
    $used_ins_stmt->bindParam(':username', $username);
    $used_ins_stmt->bindParam(':promocode', $promocode);
    $used_ins_stmt->execute();

    // "${...}" is variable-variable syntax in PHP; escape the dollar sign instead.
    print "You have just received \$" . $value['cash'];
}
?>

<?php if ($configs['ShowPageTitle']): ?>
<div id="pagetitle">Promo Code</div>
<?php endif; ?>
<?php if ($errors): ?>
<?php foreach ($errors as $error): ?>
<div id="small_error_msg"><?php echo $error; ?></div>
<?php endforeach; ?>
<br />
<?php endif; ?>

<form method="POST">
<table cellpadding="4" cellspacing="0" style="width:100%" class="">
  <tr>
    <td style="width:35%"><b>Promo Code</b></td>
    <?php // Does this prevent XSS and the "Undefined variable" notice? ?>
    <td style="width:65%"><input type="text" name="promocode" maxlength="50" style="width:200px" value="<?php echo isset($promocode) ? htmlspecialchars($promocode, ENT_QUOTES) : ''; ?>" /></td>
  </tr>
  <tr>
    <td colspan="2" align="center" style="padding:5px 0 5px"><input type="submit" name="submit" value="Submit" /></td>
  </tr>
</table>
</form>


Use code tags when you post code.

$query_5 = "UPDATE users
                SET total_cash = total_cash +{$value['cash']}, current_cash = current_cash +{$value['cash']}    //is this line safe//
                WHERE username = :username";

Assuming that cash is a numeric type column, then yes it is fine. The value is controlled so there is no harm in using it directly in a query.

 

<td style="width:65%"><input type="text" name="promocode" maxlength="50" style="width:200px" value="<?php echo isset($promocode) ? htmlspecialchars($promocode, ENT_QUOTES) : ''; ?>" /></td> // do this prevent XSS and Undefined variable //

Yes.
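The reply's answer rests on `cash` being a numeric column and on the value never reaching the query from user input. As an added example (not code from the thread or its poster), the same redemption written so that the credit is bound as a parameter rather than interpolated, and so that the "already used" check and the credit happen in one transaction instead of three separate lookups; it assumes `$dbh` is a PDO handle in exception mode, a UNIQUE index on `promocodes_used(username, promocode)`, and the column names used in the thread.

```php
<?php
// Added example, not the thread's code. Assumes: $dbh is a PDO handle with
// PDO::ERRMODE_EXCEPTION; promocodes_used has a UNIQUE index on
// (username, promocode); promocodes.expire is a Unix timestamp (as the
// thread's "expire < time()" check implies).
function redeem_promocode(PDO $dbh, string $username, string $promocode): array
{
    if ($promocode === '') {
        return ['ok' => false, 'error' => 'You did not enter a Promo Code!'];
    }
    $dbh->beginTransaction();
    try {
        // Lock the code row so two concurrent submissions serialize here.
        $st = $dbh->prepare('SELECT cash, expire FROM promocodes WHERE code = :code FOR UPDATE');
        $st->execute([':code' => $promocode]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            $dbh->rollBack();
            return ['ok' => false, 'error' => 'The promo code entered is not valid!'];
        }
        if ((int) $row['expire'] < time()) {
            $dbh->rollBack();
            return ['ok' => false, 'error' => 'Promo Code is expired!'];
        }
        // Record the redemption before crediting: a second redemption by the
        // same user violates the UNIQUE index and raises SQLSTATE 23000.
        $ins = $dbh->prepare('INSERT INTO promocodes_used (username, promocode) VALUES (:u, :c)');
        $ins->execute([':u' => $username, ':c' => $promocode]);
        // Bind the credit as an integer instead of interpolating it into SQL,
        // so a non-numeric value in the column cannot change the statement's structure.
        $cash = (int) $row['cash'];
        $up = $dbh->prepare('UPDATE users SET total_cash = total_cash + :a, current_cash = current_cash + :b WHERE username = :u');
        $up->bindValue(':a', $cash, PDO::PARAM_INT);
        $up->bindValue(':b', $cash, PDO::PARAM_INT);
        $up->bindValue(':u', $username);
        $up->execute();
        $dbh->commit();
        return ['ok' => true, 'cash' => $cash];
    } catch (PDOException $e) {
        $dbh->rollBack();
        if ($e->getCode() == '23000') {
            return ['ok' => false, 'error' => 'You have already used this Promo Code!'];
        }
        throw $e;
    }
}
```

Two distinct placeholders (`:a`, `:b`) are used for the same value because MySQL native prepares reject a named parameter that appears twice when emulation is off.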
