Jump to content

Coding Failure


Abel1216

Recommended Posts

I am working on an e banking web app. So i was stuck on the transferring to the same bank page.. I have spent a lot of time to check where the errors are to no avail. The issue is the code doesnt work it gives a blank page...

    This is 12.php for the post action

<?php
session_start();
        error_reporting(E_ALL);
        
ini_set('display_errors', TRUE);

  if(!isset($_SESSION['login']))
    {
     header('Location: ../clogin.php');
      }

f (isset($_POST['transfer'])) 

      {

    $db['db_host'] = "localhost";
$db['db_user'] = "***"";
$db['db_pass'] = "***";
$db['db_name'] = "***";

foreach($db as $key => $value){
define(strtoupper($key), $value);
}

$connection = mysqli_connect(DB_HOST, DB_USER,DB_PASS,DB_NAME);

$query = "SET NAMES utf8";
mysqli_query($connection,$query);

if(!$connection) {
    echo "database not connected";
}
//get info
 /  $sql = "select firstname,lastname, middlename,username,balance from customer where username = '".$_SESSION['login']."'"; 

send query
/$sql2 = mysqli_query($connection, $sql);

//check query 
if(!$sql2)

die('ERROR:' . mysqli_error($connection)); 
}
//get trans details
$firstname =  $_POST['firstname'];

              $lastname  =  $_POST['lastname'];   
                   $middlename  =  $_POST['middlename'];          
              $account_number  =  $_POST['accountNumber'];
              $transAmount = $_POST['transAmount'];
              
 $description = $_POST['description'];
 
 $otp =$_POST['otp'];
 
              
$sql3 = "select firstname, lastname, middlename, account_number,balance,otp,otpTime,transLimit from customer
                        where account_number = '$account_number'  ";
               $result3 = mysqli_query($connection,$sql3);


if(!$result3) {
        die('ERROR:' . mysqli_error($connection));
    }

                       
while($row3 = mysqli_fetch_assoc($result3))
{
    
              $rfirstname  = $row3['firstname'];
                             $rlastname   = $row3['lastname'];  
                             $rmiddlename = $row3['middlename'];
                             $raccountNumber = $row3['account_number'];
                  

if($rfirstname !== $firstname &&  $rlastname !== $lastname &&    $rmiddlename !== $middlename && $raccountNumber !== $account_number)           
                         { 

echo'<script>swal.fire("FAILED!!", " The Account Number doesnt match the Account Name. Check Well", "error");</script>';
}


else if($rfirstname == $firstname &&  $rlastname == $lastname &&    $rmiddlename == $middlename && $raccountNumber == $account_number)
 
                            
{
    
    $totalTrans = $transAmount + 30;
    
$sql5 = "SELECT * FROM customer WHERE username = {$username}";
$result5 = mysqli_query($connection, $sql5);
    
    //check query
    if(!$result5) {
        die('ERROR:' . mysqli_error($connection));
    }
    
while($row5 = mysqli_fetch_assoc($result5))
{
$balance = $row5['balance'];

if($totalTrans > $row5['balance'])
{
    echo'<script>swal.fire("FAILED!!", " Insufficient Funds", "error");</script>';

}

}//while balance
    
 $sql6 = "SELECT * FROM customer WHERE username = {$username}";
$result6 = mysqli_query($connection, $sql6);
    
    //check query
    if(!$result6) {
        die('ERROR:' . mysqli_error($connection));
    }
    
while($row6 = mysqli_fetch_assoc($result6))
{  

$transLimit = $row6['transLimit'];

$acctype = $row6['acctype'];


if($transAmount > $row6['transLimit'] && $row6['acctype'] == 'savings')
{
    echo'<script>swal.fire("FAILED!!", " You can Only transfer maximum of 500,000 naira per time", "error");</script>';
}
if($transAmount > $row6['transLimit'] && $row6['acctype'] == 'current')
{
    echo'<script>swal.fire("FAILED!!", " You can Only transfer maximum of 5,000,000 naira per time", "error");</script>';
}

}// end of while transLimit

 

$sqla = "SELECT * FROM customer WHERE username = '".$SESSION['login']."'";
           
  $sqla = mysqli_query($connection, $sqla);  
    
    
if(!$sqla) {
        die('ERROR:' . mysqli_error($connection));
    }
  while($rowa = mysqli_fetch_assoc($sqla))
  {  
 $otp = $rowa['otp'];
 $db_username = $rowa['username'];
           $db_email = $rowa['email'];
           $otpTime = $rowa['otpTime'];
           $time_now = strtotime($otpTime);
           
     

if($otp !== $rowa['otp'])
{
    echo'<script>swal.fire("FAILED!!", " OTP does not match", "error");</script>';
}
if($otp == $rowa['otp'] && (time() - $time_now > 3 * 60))
{
echo'<script>swal.fire("FAILED!!", " OTP expired. Press Resend", "error");</script>';
}
 $sqlb = "update accounts set otp = null where username = '".$_SESSION['login']."' ";     
  
$resultb = mysqli_query($connection, $sqlb);
    
    //check query
    if(!$resultb) {
        die('ERROR:' . mysqli_error($connection));
    }
  
}// while end

$sqlc = "SELECT * FROM customer WHERE username = {$username}";
$resultc = mysqli_query($connection, $sqlc);
    
    //check query
    if(!$resultc) {
        die('ERROR:' . mysqli_error($connection));
    }
    
while($rowc = mysqli_fetch_assoc($result5))
{


$transLimit = $rowc['transLimit'];
$otp = $rowc['otp'];
$balance = $rowc['balance'];
$otpTime = $rowc['otpTime'];

$time_now = strtotime($otpTime);
$totalTrans = $transAmount + 30;

if($rfirstname == $firstname &&  $rlastname == $lastname &&    $rmiddlename == $middlename && $raccountNumber == $account_number && $totalTrans < $transLimit && $totalTrans <= $row['balance']  && $otp == $row['otp'] && (time() - $time_now < 3 * 60))
{
    $sql9 = "update customer set balance = $balance - $totalTrans
                          where username = '".$_SESSION['login']."'";
                
$result9 = mysqli_query($connection, $sql9);
    
    //check query
    if(!$result9) {
        die('ERROR:' . mysqli_error($connection));
    }
  

  $sql10 = "update customer set   balance = $balance + $transAmount
                          where firstname = '$rfirstname' and lastname= '$rlastname' and account_number = '$raccountNumber' and middlename= '$rmiddlename' ";
$result10 = mysqli_query($connection, $sql10);
    
    //check query
    if(!$result10) {
        die('ERROR:' . mysqli_error($connection));
    }
                 
                 
                 
                 
}//end of if
}//end of while


$sqlf = "SELECT * FROM customer WHERE username = {$username}";
$resultf = mysqli_query($connection, $sqlf);
    
    //check query
    if(!$resultf) {
        die('ERROR:' . mysqli_error($connection));
    }
    
while($rowf = mysqli_fetch_assoc($result5))
{

$db_username = $rowf['username'];
$db_email = $rowf['email'];

$msg = " <!DOCTYPE html><body>Dear <h1> $db_username, </h1>
 <h2><font color='darkviolet'>You transferred $transAmount to $rfirstname $rlastname $rmiddlename  with account Number $raccountNumber . Transaction statement/history is available on your portal for reference purposes.Thanks For banking with Us<b>.
 <br> If you didnt request for this transaction, contact your bank immediately!!!</font></h2>.....<br></b><i><font color='blue'>MMFB</font></i>
  </body></html>

 

$headers = "";
$headers .= "From: Mayor Microfinance Bank(MMFB)<admin@mmfb.com.ng> \r\n";
$headers .= "Reply-To:" . $db_username. "\r\n" ."X-Mailer: PHP/" . phpversion();
$headers .= 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; 
$send = mail("$db_email","SUCCESFUL TRANSACTION",$msg,$headers);
}//end of while


$transid = substr(str_shuffle('abcdefghijklMnopqrstuvwxyz01234567890') , 0 , 10 );

$status1 = '<button class="button">CREDIT</button>';

$status2 = '<button class="button2">DEDIT</button>';

$sqlm = "SELECT * FROM customer WHERE username = {$username}";
$resultm = mysqli_query($connection, $sqlm);
    
    //check query
    if(!$resultm) {
        die('ERROR:' . mysqli_error($connection));
    }
    
while($rowm = mysqli_fetch_assoc($resultm))
{
$sfirstname = $rowm['firstname'];
$smiddlename = $rowm['middlename'];
$slastname = $rowm['lastname'];
$date = date("d/m/Y");

$sql11 = "insert into transactions where account_number = '$raccountNumber'
                                 (status,firstname,lastname,middlename,transAmount,date,account_number,description,transid,type)
                                   values  
                                  ('credit transaction',$sfirstname', '$slastname',
                                   '$smiddlename',
                                   '$transAmount', '$date',
                                   '$raccountNumber',
                                   '$description', '$transid', '$status1')";

                     //   $result11 = $connection->query($sql11);
                        $result11 = mysqli_query($connection, $sql11);
    
    //check query
    if(!$result11) {
        die('ERROR:' . mysqli_error($connection));
    }

$sql12 = "insert into transactions where username = '$username'
                                 (status,firstname,lastname,middlename,transAmount,date,accountNumber,description,transid,type)
                                   values  
                                  ('debit transaction','$firstname', '$lastname',
                                   '$middlename',
                                   '$transAmount', '$date',
                                   '$accountNumber',
                                   '$description', '$tranid', '$status2')";

                      

$result12 = mysqli_query($connection, $sql12);
    
    //check query
    if(!$result12) {
        die('ERROR:' . mysqli_error($connection));
    }

}//end of ehile
$sql15 = "SELECT * FROM customer WHERE username = {$username}";
$result15 = mysqli_query($connection, $sqlf);
    
    //check query
    if(!$result15) {
        die('ERROR:' . mysqli_error($connection));
    }
    
while($row15 = mysqli_fetch_assoc($result15))
{

$firstname = $row15['firstname'];
$lastname = $row15['lastname'];
$db_email = $row15['email'];

$sql16 = "SELECT * FROM customer WHERE account_numberr = $raccountNumber ";
$result16 = mysqli_query($connection, $sql16);
    
    //check query
    if(!$result16) {
        die('ERROR:' . mysqli_error($connection));
    }
    
while($row16 = mysqli_fetch_assoc($result16))
{
$remail = $row16['email'];

$msg = " <!DOCTYPE html><body>Dear <h1> $rfirstname $rlastname $rmiddlename </h1>
 <h2><font color='darkviolet'>Your account $raccountNumber has been credited with $transAmount from $firstname $lastname . Transaction statement/history is available on your portal for reference purposes.Thanks For banking with Us<b>.
 <br> If you didnt request for this transaction, contact ur bank immediately!!!</font></h2>.....<br></b><i><font color='blue'>MMFB</font></i>
  </body></html>

 

$headers = "";
$headers .= "From: Mayor Microfinance Bank(MMFB)<admin@mmfb.com.ng> \r\n";
$headers .= "Reply-To:" . $db_username. "\r\n" ."X-Mailer: PHP/" . phpversion();
$headers .= 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n"; 
$send = mail("$remail","SUCCESFUL TRANSACTION",$msg,$headers);   

}//end while 1
}//end while 2

}


else 
{
    echo'<script>swal.fire("FAILED!!", " Something Went Wrong Try Again Later.", "error");</script>';
}

}//while 
}//submit


?>

Then my html form in transfer.php is

                       <form method="POST" class="form-horizontal mt-4" action="">

                                <div class="form-group">
                                    <label>Account Number</label>
                                    <input type="number" class="form-control" id="number" name="accountNumber" placeholder="Enter destination account No" required>
                                </div>

                                <div class="form-group">
                                    <label>Firstname</label>
                                    <input type="text" class="form-control" id="firstname" name="firstname" placeholder="Enter destination surname" required>
                                </div>

                                <div class="form-group">
                                          <label>Lastname</label>
                                    <input type="text" class="form-control" id="lastname" name="lastname" placeholder="Enter destination last name" required>
                                </div>

<div class="form-group">
                                          <label>Middlename</label>
                                    <input type="text" class="form-control" id="middlename" name="middlename" placeholder="Enter destination Middlename" required>
                                </div>
                                <div class="form-group">
                                          <label>Description</label>
                                    <input type="text" class="form-control" id="description" name="description"  placeholder="Enter transfer description" required>
                                </div>
                                <div class="form-group">
                                          <label>Amount</label>
                                    <input type="number" class="form-control" id="amount" name="transAmount" placeholder="Enter the amount to Send" required>
                                </div>
   <div class="form-group">      
<label>ENTER OTP<label>
        <input type="number" class="form-control" name="otp" placeholder="OTP" pattern="[0-9]{4}" title="Only Digits (4 digit required)" required>
          
</div>

<div class="form-group row">
                                  <div class="col-12 text-right">
                                        <button class="btn btn-primary w-md waves-effect waves-light" type="submit" name="transfer">Transfer</button>
                                    </div>
                                </div>

                                <div class="form-group mt-2 mb-0 row">
                                    <div class="col-12 mt-4">
                                        <p class="mb-0">You will be charged 30 Naira for Transfer fee.<a href="dash.php" class="text-primary"> No!! Cancel Transfer</a></p>
                                    </div>
                                </div>

                            </form>
<!-- <button type="button" id ="box" class="btn btn-primary w-md waves-effect waves-light">SEND OTP</button>  -->
                        </div>
                    </div>

                </div>

I will be glad if u can help me. Thanks in advance

 

Link to comment
Share on other sites

the posted code contains at least three places where it looks like characters were cut off from wherever this code was copied from, which would be producing fatal php parse/syntax errors. you should have the php error_reporting/display_errors settings in the php.ini on your system so that ALL php errors will get reported and displayed. putting these settings in your code won't help for parse/syntax errors since your code never runs to cause the settings to take effect.

next, you have probably 5 times too many queries, code, and variables. some suggestions -

  1. use exceptions for database statement errors and in most cases let php catch the exceptions, where it will use its error related settings to control what happens with the actual error information. you can then remove all the error handling logic that you have now.
  2. INSERT queries don't have WHERE ... clauses. the account_number column should be added to the list of columns being inserted.
  3. don't put external, unknown, dynamic values directly into an sql query statement. use prepared queries. you would also want to switch to the much simpler PDO database extension.
  4. don't copy variables to other variables for no reason.
  5. you should NOT maintain a balance column in a single row by updating the value. any transaction that increases or decreases an amount should be handled by inserting a new row in the transactions table.
  6. the sets of INSERT queries that deducts the amount from the source account and adds the amount to the destination account need to be part of a database transaction, so that they will either both succeed and be committed or they will be rolled back.
  7. the post method form processing code should be before the start of the html document and should store any validation error messages in an array, then test/display the contents of this array at the appropriate location in the html document.
  8.  any header() redirect needs an exit/die statement after it to stop program execution.
  9. don't use a loop to fetch a single row of data from a query. just directly execute the fetch statement one time.
  10. any dynamic value you output in a html context (email, web page) needs to have htmlentities() applied to it to help prevent cross site scripting.
Edited by mac_gyver
  • Thanks 1
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.