Database hack

I successfully built a transactional app with PDO MySQL; all transactions that deal with cash inflow and outflow are programmed to be recorded accordingly. But I found out that someone credited his wallet by himself, and the method he used to bypass the recording is the self-funding channel. I would love anyone who is willing to assist me with this.

Programming help forums can only help with problems with your code if you post all the relevant code needed to reproduce the problem.

There’s probably a dozen different ways this could have happened. It would take seeing your code to determine which one was used.


This is the code that interacts with my wallet table, yet some users are able to credit their wallet against what was written in the web application. The complete application had been working fine as programmed until some people were able to breach it and update wallets on their own.

// The poster's code with comments added. It assumes a wrapper class that holds a PDO
// connection in $this->db; the class shell and constructor below are assumed, not part of the post.
class Database
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Without bound values the SQL is run directly; with values it goes through a
    // prepared statement, so the values are bound rather than interpolated into the SQL.
    public function run($sql, $args = [])
    {
        if (empty($args)) {
            return $this->db->query($sql);
        }

        $stmt = $this->db->prepare($sql);
        $stmt->execute($args);

        return $stmt;
    }

    // Builds "UPDATE table SET k = ?, ... WHERE k = ? AND ..." from two key => value arrays.
    // Only the values are bound; $table and the array keys are interpolated into the SQL,
    // so they must come from application code, never from request input.
    // Note: if the same column appears in both $data and $where, array_merge keeps only
    // one of the two values and the placeholders no longer line up.
    public function update($table, $data, $where)
    {
        $collection = array_merge($data, $where);

        $values = array_values($collection);

        $fieldDetails = null;
        foreach ($data as $key => $value) {
            $fieldDetails .= "$key = ?,";
        }
        $fieldDetails = rtrim($fieldDetails, ',');

        $whereDetails = null;
        $i = 0;
        foreach ($where as $key => $value) {
            $whereDetails .= $i == 0 ? "$key = ?" : " AND $key = ?";
            $i++;
        }

        $stmt = $this->run("UPDATE $table SET $fieldDetails WHERE $whereDetails", $values);

        return $stmt->rowCount();
    }
}

// Caller (elsewhere in the application; $rgy, $newamount and $apikill are defined there).
// The new balance is computed in PHP from a previously read value and then written back.
$towallet = intval($rgy['mainbalance']) - intval($newamount);
$letUpdate = $db->update('mywallet', ['main' => $towallet], ['validate' => $apikill]);

Is this code open to any form of SQL injection or XSS attack?

This code has two serious implementation problems.

The first one is a race condition between the point where you are getting the current amount, calculating the new amount, and executing the update query. If there are multiple concurrent updates, they will all get the same starting amount and modify it, and the value from the last query to execute will be the one stored in the database table column. So, if you are expecting 2 or more amounts to be deducted at the same time, but only one actually occurred, it is because of this problem. The correct way of handling this is to perform the subtraction as one ‘atomic’ operation in the update query, e.g. ... SET main = main - ? ....

The second one is that you should NOT update a column to maintain a numerical accounting value. It doesn’t provide an audit trail, so you would have no way of determining whether a programming mistake, a duplicate form submission, or nefarious activity modified a value. You should instead INSERT a new row for every transaction that affects a value. The row of data would include all the relevant Who, What, When, Where, and Why information about the transaction. To get the current total, you would perform a SUM() in a query of the +/- amounts in the rows for any particular account/wallet.

BTW - you can simplify the logic for $fieldDetails and $whereDetails by simply adding the "$key = ?" terms to arrays, then imploding the corresponding array with either ', ' or ' AND '. This will work correctly for 1 or more terms.
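Putting the two points above together in PDO, as an added example that is not the poster's or the replier's code: the debit is a single conditional atomic UPDATE, and every movement is also written as a signed ledger row whose SUM() can be compared with the cached column. Assumed here: the thread's mywallet table with columns validate and main, a hypothetical wallet_ledger table (wallet_key, amount, reason, actor, created_at), and a PDO connection configured with PDO::ERRMODE_EXCEPTION so failed statements throw.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumes the poster's `mywallet` table
// (columns `validate`, `main`) and a hypothetical `wallet_ledger` audit table.
final class Wallet
{
    public function __construct(private PDO $db) {}

    // One atomic, conditional UPDATE plus an audit row, inside a transaction.
    // `main >= ?` rules out overdrafts even under concurrent requests; rowCount()
    // tells us whether the conditional update actually matched and changed a row.
    public function debit(string $apiKey, int $amount, string $reason, string $actor): bool
    {
        if ($amount <= 0) {
            throw new InvalidArgumentException('amount must be positive');
        }
        $this->db->beginTransaction();
        try {
            $upd = $this->db->prepare(
                'UPDATE mywallet SET main = main - ? WHERE validate = ? AND main >= ?'
            );
            $upd->execute([$amount, $apiKey, $amount]);
            if ($upd->rowCount() !== 1) {
                $this->db->rollBack();      // unknown wallet or insufficient funds
                return false;
            }
            $ins = $this->db->prepare(
                'INSERT INTO wallet_ledger (wallet_key, amount, reason, actor, created_at)
                 VALUES (?, ?, ?, ?, NOW())'
            );
            $ins->execute([$apiKey, -$amount, $reason, $actor]);
            $this->db->commit();
            return true;
        } catch (Throwable $e) {
            if ($this->db->inTransaction()) {
                $this->db->rollBack();
            }
            throw $e;
        }
    }

    // The ledger is the audit trail: the SUM() of its signed rows is the balance,
    // and comparing it with `main` is the check that exposes an out-of-band credit.
    public function ledgerBalance(string $apiKey): int
    {
        $stmt = $this->db->prepare(
            'SELECT COALESCE(SUM(amount), 0) FROM wallet_ledger WHERE wallet_key = ?'
        );
        $stmt->execute([$apiKey]);
        return (int) $stmt->fetchColumn();
    }
}
```

A credit works the same way with a positive ledger amount, so any wallet whose main column disagrees with ledgerBalance() has been changed outside this code path.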
