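<?php
/*
 * actions_3.php — session handling, login and money-transfer actions.
 *
 * Meant to be included by a page that renders $error_message / $success_message,
 * which is why validation failures use a top-level `return`: it hands control
 * back to the including page instead of ending the request.
 *
 * Assumes $DB_HOST, $DB_USERNAME, $DB_PASSWORD and $DB_NAME are defined by the
 * including page (they are not set here).
 *
 * Session keys written: logged, user, account, name.
 * Variables left for the including page: $error_message, $success_message, $funds.
 */
session_start();
$error_message = "";
$success_message = "";

// Logout: clear the login flag and redirect to the current URL without its
// query string. The exit matters — without it the rest of this handler still
// runs and prints the login page underneath the redirect.
if (isset($_GET['logout'])) {
    $_SESSION['logged'] = FALSE;
    unset($_SESSION['logged']);
    $scheme = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off' ? 'https' : 'http';
    // NOTE(review): HTTP_HOST comes from the request; the web server should only
    // answer for its configured name, otherwise this redirects to whatever Host
    // header was sent.
    $url = sprintf("%s://%s%s", $scheme, $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']);
    $url = strtok($url, '?');
    header("Location: $url");
    exit;
}

// Anyone who is neither logged in nor submitting the login form gets the login
// page. The previous test was `isset($_SESSION['logged']) != TRUE`, which is
// always false once the key exists (isset returns a bool), so a session holding
// logged = FALSE counted as logged in.
$logged_in = !empty($_SESSION['logged']);
$is_login_attempt = isset($_POST['action']) && $_POST['action'] === "login";
if (!$logged_in && !$is_login_attempt) {
    include("login.php");
    die();
}

// PDO with server-side prepared statements: every user-supplied value below is
// bound as a parameter instead of being interpolated into SQL. The previous
// UPDATE statements placed the escaped amount and account number unquoted in the
// query, where mysql_real_escape_string() offers no protection. Errors are
// raised as PDOException rather than silently ignored.
$db = new PDO(
    "mysql:host={$DB_HOST};dbname={$DB_NAME};charset=utf8mb4",
    $DB_USERNAME,
    $DB_PASSWORD,
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Fetch the account row for an account number as a numeric array, or null when
// there is no such account. Index 3 is read as the balance and index 2 as the
// holder's name below — the same positions the original `SELECT *` reads used;
// the column order is not visible from this file, confirm against the schema.
$account_row = function ($number) use ($db) {
    $stmt = $db->prepare("SELECT * FROM `account` WHERE account.number = ?");
    $stmt->execute([$number]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false ? null : $row;
};

$funds = null;
if ($logged_in) {
    $account = $account_row($_SESSION['account']);
    $funds = $account !== null ? $account[3] : null;
}

$request = $_POST;

// Start processing actions
if (isset($request['action'])) {
    // Referer check: only accept requests whose Referer is on this host.
    // The previous pattern was neither anchored nor quoted, so any Referer that
    // merely contained the host name, or whose host only started with it,
    // passed. A missing Referer is rejected, as before. Clients may strip the
    // header, so treat this as a coarse filter; a per-session CSRF token in the
    // form is the robust control.
    $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $origin_pattern = '~^https?://' . preg_quote($host, '~') . '(?:[/?#]|$)~i';
    if ($host === '' || preg_match($origin_pattern, $referer) !== 1) {
        $error_message = "Security Error";
        return;
    }

    if ($request['action'] === "login") {
        $user = isset($request['user']) ? $request['user'] : '';
        $password = isset($request['password']) ? $request['password'] : '';
        // NOTE(review): the submitted password is compared directly against the
        // `password` column, i.e. the column appears to hold plaintext — confirm
        // and move to password_hash()/password_verify().
        $stmt = $db->prepare("SELECT * FROM `users` WHERE user = ? AND password = ?");
        $stmt->execute([$user, $password]);
        $rows = $stmt->fetchAll(PDO::FETCH_NUM);
        if (count($rows) === 1) {
            // Fresh session id on privilege change, so a session id known before
            // login cannot be reused afterwards.
            session_regenerate_id(true);
            $_SESSION['logged'] = TRUE;
            $row = $rows[0];
            $_SESSION['user'] = $row[0];
            $_SESSION['account'] = $row[1];
            // One account lookup instead of the two identical ones run before.
            $account = $account_row($row[1]);
            $funds = $account !== null ? $account[3] : null;
            $_SESSION['name'] = $account !== null ? $account[2] : null;
        } else {
            include("login.php");
            die();
        }
    }

    if ($request['action'] === "transfer") {
        if (!isset($request['to']) || $request['to'] === '') {
            $error_message = "No destination account";
            return;
        }
        // The previous check repeated the `to` test instead of looking at the
        // amount, and accepted any non-"0" value; require a positive number so a
        // negative transfer cannot pull money from the destination.
        $amount = isset($request['amount']) ? $request['amount'] : '';
        if (!is_numeric($amount) || (float)$amount <= 0) {
            $error_message = "Enter an amount";
            return;
        }
        $to = $request['to'];
        $from = $_SESSION['account'];

        if ($funds < $amount) {
            // Fast path on the balance read earlier; the UPDATE below re-checks
            // the balance atomically, since this value may be stale.
            $error_message = "Not enough funds";
        } else {
            // Debit, credit and the transaction record are one unit of work: the
            // balance condition is enforced in the UPDATE itself, and a credit to
            // an unknown account rolls everything back instead of losing money.
            $db->beginTransaction();
            try {
                $debit = $db->prepare(
                    "UPDATE `account` SET balance = balance - ? WHERE account.number = ? AND balance >= ?"
                );
                $debit->execute([$amount, $from, $amount]);
                if ($debit->rowCount() !== 1) {
                    $db->rollBack();
                    $error_message = "Not enough funds";
                } else {
                    $credit = $db->prepare(
                        "UPDATE `account` SET balance = balance + ? WHERE account.number = ?"
                    );
                    $credit->execute([$amount, $to]);
                    if ($credit->rowCount() !== 1) {
                        $db->rollBack();
                        $error_message = "No destination account";
                    } else {
                        $record = $db->prepare(
                            "INSERT INTO `transaction` (transaction.from, transaction.to, amount, transaction.date) VALUES (?, ?, ?, now())"
                        );
                        $record->execute([$from, $to, $amount]);
                        $db->commit();
                        $success_message = "Your money transfer was successful!";
                        // Refresh the balance so the including page shows the new value.
                        $account = $account_row($from);
                        $funds = $account !== null ? $account[3] : null;
                    }
                }
            } catch (Exception $e) {
                $db->rollBack();
                throw $e;
            }
        }
    }
}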