Abel1216 Posted June 17, 2020 Share Posted June 17, 2020 I am working on an e banking web app. So i was stuck on the transferring to the same bank page.. I have spent a lot of time to check where the errors are to no avail. The issue is the code doesnt work it gives a blank page... This is 12.php for the post action <?php session_start(); error_reporting(E_ALL); ini_set('display_errors', TRUE); if(!isset($_SESSION['login'])) { header('Location: ../clogin.php'); } f (isset($_POST['transfer'])) { $db['db_host'] = "localhost"; $db['db_user'] = "***""; $db['db_pass'] = "***"; $db['db_name'] = "***"; foreach($db as $key => $value){ define(strtoupper($key), $value); } $connection = mysqli_connect(DB_HOST, DB_USER,DB_PASS,DB_NAME); $query = "SET NAMES utf8"; mysqli_query($connection,$query); if(!$connection) { echo "database not connected"; } //get info / $sql = "select firstname,lastname, middlename,username,balance from customer where username = '".$_SESSION['login']."'"; send query /$sql2 = mysqli_query($connection, $sql); //check query if(!$sql2) { die('ERROR:' . mysqli_error($connection)); } //get trans details $firstname = $_POST['firstname']; $lastname = $_POST['lastname']; $middlename = $_POST['middlename']; $account_number = $_POST['accountNumber']; $transAmount = $_POST['transAmount']; $description = $_POST['description']; $otp =$_POST['otp']; $sql3 = "select firstname, lastname, middlename, account_number,balance,otp,otpTime,transLimit from customer where account_number = '$account_number' "; $result3 = mysqli_query($connection,$sql3); if(!$result3) { die('ERROR:' . mysqli_error($connection)); } while($row3 = mysqli_fetch_assoc($result3)) { $rfirstname = $row3['firstname']; $rlastname = $row3['lastname']; $rmiddlename = $row3['middlename']; $raccountNumber = $row3['account_number']; if($rfirstname !== $firstname && $rlastname !== $lastname && $rmiddlename !== $middlename && $raccountNumber !== $account_number) { echo'<script>swal.fire("FAILED!!", " The Account Number doesnt match the Account Name. Check Well", "error");</script>'; } else if($rfirstname == $firstname && $rlastname == $lastname && $rmiddlename == $middlename && $raccountNumber == $account_number) { $totalTrans = $transAmount + 30; $sql5 = "SELECT * FROM customer WHERE username = {$username}"; $result5 = mysqli_query($connection, $sql5); //check query if(!$result5) { die('ERROR:' . mysqli_error($connection)); } while($row5 = mysqli_fetch_assoc($result5)) { $balance = $row5['balance']; if($totalTrans > $row5['balance']) { echo'<script>swal.fire("FAILED!!", " Insufficient Funds", "error");</script>'; } }//while balance $sql6 = "SELECT * FROM customer WHERE username = {$username}"; $result6 = mysqli_query($connection, $sql6); //check query if(!$result6) { die('ERROR:' . mysqli_error($connection)); } while($row6 = mysqli_fetch_assoc($result6)) { $transLimit = $row6['transLimit']; $acctype = $row6['acctype']; if($transAmount > $row6['transLimit'] && $row6['acctype'] == 'savings') { echo'<script>swal.fire("FAILED!!", " You can Only transfer maximum of 500,000 naira per time", "error");</script>'; } if($transAmount > $row6['transLimit'] && $row6['acctype'] == 'current') { echo'<script>swal.fire("FAILED!!", " You can Only transfer maximum of 5,000,000 naira per time", "error");</script>'; } }// end of while transLimit $sqla = "SELECT * FROM customer WHERE username = '".$SESSION['login']."'"; $sqla = mysqli_query($connection, $sqla); if(!$sqla) { die('ERROR:' . mysqli_error($connection)); } while($rowa = mysqli_fetch_assoc($sqla)) { $otp = $rowa['otp']; $db_username = $rowa['username']; $db_email = $rowa['email']; $otpTime = $rowa['otpTime']; $time_now = strtotime($otpTime); if($otp !== $rowa['otp']) { echo'<script>swal.fire("FAILED!!", " OTP does not match", "error");</script>'; } if($otp == $rowa['otp'] && (time() - $time_now > 3 * 60)) { echo'<script>swal.fire("FAILED!!", " OTP expired. Press Resend", "error");</script>'; } $sqlb = "update accounts set otp = null where username = '".$_SESSION['login']."' "; $resultb = mysqli_query($connection, $sqlb); //check query if(!$resultb) { die('ERROR:' . mysqli_error($connection)); } }// while end $sqlc = "SELECT * FROM customer WHERE username = {$username}"; $resultc = mysqli_query($connection, $sqlc); //check query if(!$resultc) { die('ERROR:' . mysqli_error($connection)); } while($rowc = mysqli_fetch_assoc($result5)) { $transLimit = $rowc['transLimit']; $otp = $rowc['otp']; $balance = $rowc['balance']; $otpTime = $rowc['otpTime']; $time_now = strtotime($otpTime); $totalTrans = $transAmount + 30; if($rfirstname == $firstname && $rlastname == $lastname && $rmiddlename == $middlename && $raccountNumber == $account_number && $totalTrans < $transLimit && $totalTrans <= $row['balance'] && $otp == $row['otp'] && (time() - $time_now < 3 * 60)) { $sql9 = "update customer set balance = $balance - $totalTrans where username = '".$_SESSION['login']."'"; $result9 = mysqli_query($connection, $sql9); //check query if(!$result9) { die('ERROR:' . mysqli_error($connection)); } $sql10 = "update customer set balance = $balance + $transAmount where firstname = '$rfirstname' and lastname= '$rlastname' and account_number = '$raccountNumber' and middlename= '$rmiddlename' "; $result10 = mysqli_query($connection, $sql10); //check query if(!$result10) { die('ERROR:' . mysqli_error($connection)); } }//end of if }//end of while $sqlf = "SELECT * FROM customer WHERE username = {$username}"; $resultf = mysqli_query($connection, $sqlf); //check query if(!$resultf) { die('ERROR:' . mysqli_error($connection)); } while($rowf = mysqli_fetch_assoc($result5)) { $db_username = $rowf['username']; $db_email = $rowf['email']; $msg = " <!DOCTYPE html><body>Dear <h1> $db_username, </h1> <h2><font color='darkviolet'>You transferred $transAmount to $rfirstname $rlastname $rmiddlename with account Number $raccountNumber . Transaction statement/history is available on your portal for reference purposes.Thanks For banking with Us<b>. <br> If you didnt request for this transaction, contact your bank immediately!!!</font></h2>.....<br></b><i><font color='blue'>MMFB</font></i> </body></html> $headers = ""; $headers .= "From: Mayor Microfinance Bank(MMFB)<admin@mmfb.com.ng> \r\n"; $headers .= "Reply-To:" . $db_username. "\r\n" ."X-Mailer: PHP/" . phpversion(); $headers .= 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; $send = mail("$db_email","SUCCESFUL TRANSACTION",$msg,$headers); }//end of while $transid = substr(str_shuffle('abcdefghijklMnopqrstuvwxyz01234567890') , 0 , 10 ); $status1 = '<button class="button">CREDIT</button>'; $status2 = '<button class="button2">DEDIT</button>'; $sqlm = "SELECT * FROM customer WHERE username = {$username}"; $resultm = mysqli_query($connection, $sqlm); //check query if(!$resultm) { die('ERROR:' . mysqli_error($connection)); } while($rowm = mysqli_fetch_assoc($resultm)) { $sfirstname = $rowm['firstname']; $smiddlename = $rowm['middlename']; $slastname = $rowm['lastname']; $date = date("d/m/Y"); $sql11 = "insert into transactions where account_number = '$raccountNumber' (status,firstname,lastname,middlename,transAmount,date,account_number,description,transid,type) values ('credit transaction',$sfirstname', '$slastname', '$smiddlename', '$transAmount', '$date', '$raccountNumber', '$description', '$transid', '$status1')"; // $result11 = $connection->query($sql11); $result11 = mysqli_query($connection, $sql11); //check query if(!$result11) { die('ERROR:' . mysqli_error($connection)); } $sql12 = "insert into transactions where username = '$username' (status,firstname,lastname,middlename,transAmount,date,accountNumber,description,transid,type) values ('debit transaction','$firstname', '$lastname', '$middlename', '$transAmount', '$date', '$accountNumber', '$description', '$tranid', '$status2')"; $result12 = mysqli_query($connection, $sql12); //check query if(!$result12) { die('ERROR:' . mysqli_error($connection)); } }//end of ehile $sql15 = "SELECT * FROM customer WHERE username = {$username}"; $result15 = mysqli_query($connection, $sqlf); //check query if(!$result15) { die('ERROR:' . mysqli_error($connection)); } while($row15 = mysqli_fetch_assoc($result15)) { $firstname = $row15['firstname']; $lastname = $row15['lastname']; $db_email = $row15['email']; $sql16 = "SELECT * FROM customer WHERE account_numberr = $raccountNumber "; $result16 = mysqli_query($connection, $sql16); //check query if(!$result16) { die('ERROR:' . mysqli_error($connection)); } while($row16 = mysqli_fetch_assoc($result16)) { $remail = $row16['email']; $msg = " <!DOCTYPE html><body>Dear <h1> $rfirstname $rlastname $rmiddlename </h1> <h2><font color='darkviolet'>Your account $raccountNumber has been credited with $transAmount from $firstname $lastname . Transaction statement/history is available on your portal for reference purposes.Thanks For banking with Us<b>. <br> If you didnt request for this transaction, contact ur bank immediately!!!</font></h2>.....<br></b><i><font color='blue'>MMFB</font></i> </body></html> $headers = ""; $headers .= "From: Mayor Microfinance Bank(MMFB)<admin@mmfb.com.ng> \r\n"; $headers .= "Reply-To:" . $db_username. "\r\n" ."X-Mailer: PHP/" . phpversion(); $headers .= 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; $send = mail("$remail","SUCCESFUL TRANSACTION",$msg,$headers); }//end while 1 }//end while 2 } else { echo'<script>swal.fire("FAILED!!", " Something Went Wrong Try Again Later.", "error");</script>'; } }//while }//submit ?> Then my html form in transfer.php is <form method="POST" class="form-horizontal mt-4" action=""> <div class="form-group"> <label>Account Number</label> <input type="number" class="form-control" id="number" name="accountNumber" placeholder="Enter destination account No" required> </div> <div class="form-group"> <label>Firstname</label> <input type="text" class="form-control" id="firstname" name="firstname" placeholder="Enter destination surname" required> </div> <div class="form-group"> <label>Lastname</label> <input type="text" class="form-control" id="lastname" name="lastname" placeholder="Enter destination last name" required> </div> <div class="form-group"> <label>Middlename</label> <input type="text" class="form-control" id="middlename" name="middlename" placeholder="Enter destination Middlename" required> </div> <div class="form-group"> <label>Description</label> <input type="text" class="form-control" id="description" name="description" placeholder="Enter transfer description" required> </div> <div class="form-group"> <label>Amount</label> <input type="number" class="form-control" id="amount" name="transAmount" placeholder="Enter the amount to Send" required> </div> <div class="form-group"> <label>ENTER OTP<label> <input type="number" class="form-control" name="otp" placeholder="OTP" pattern="[0-9]{4}" title="Only Digits (4 digit required)" required> </div> <div class="form-group row"> <div class="col-12 text-right"> <button class="btn btn-primary w-md waves-effect waves-light" type="submit" name="transfer">Transfer</button> </div> </div> <div class="form-group mt-2 mb-0 row"> <div class="col-12 mt-4"> <p class="mb-0">You will be charged 30 Naira for Transfer fee.<a href="dash.php" class="text-primary"> No!! Cancel Transfer</a></p> </div> </div> </form> <!-- <button type="button" id ="box" class="btn btn-primary w-md waves-effect waves-light">SEND OTP</button> --> </div> </div> </div> I will be glad if u can help me. Thanks in advance Quote Link to comment Share on other sites More sharing options...
mac_gyver Posted June 17, 2020 Share Posted June 17, 2020 (edited) the posted code contains at least three places where it looks like characters were cut off from wherever this code was copied from, which would be producing fatal php parse/syntax errors. you should have the php error_reporting/display_errors settings in the php.ini on your system so that ALL php errors will get reported and displayed. putting these settings in your code won't help for parse/syntax errors since your code never runs to cause the settings to take effect. next, you have probably 5 times too many queries, code, and variables. some suggestions - use exceptions for database statement errors and in most cases let php catch the exceptions, where it will use its error related settings to control what happens with the actual error information. you can then remove all the error handling logic that you have now. INSERT queries don't have WHERE ... clauses. the account_number column should be added to the list of columns being inserted. don't put external, unknown, dynamic values directly into an sql query statement. use prepared queries. you would also want to switch to the much simpler PDO database extension. don't copy variables to other variables for no reason. you should NOT maintain a balance column in a single row by updating the value. any transaction that increases or decreases an amount should be handled by inserting a new row in the transactions table. the sets of INSERT queries that deducts the amount from the source account and adds the amount to the destination account need to be part of a database transaction, so that they will either both succeed and be committed or they will be rolled back. the post method form processing code should be before the start of the html document and should store any validation error messages in an array, then test/display the contents of this array at the appropriate location in the html document. any header() redirect needs an exit/die statement after it to stop program execution. don't use a loop to fetch a single row of data from a query. just directly execute the fetch statement one time. any dynamic value you output in a html context (email, web page) needs to have htmlentities() applied to it to help prevent cross site scripting. Edited June 17, 2020 by mac_gyver 1 Quote Link to comment Share on other sites More sharing options...
Abel1216 Posted June 17, 2020 Author Share Posted June 17, 2020 Thanks Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.