Stephen

Reputation: 1

Updating user table with an order amount

I am trying to update a database user table with an amount from the orders table, i.e. refund the user, but I can't seem to get the code correct.

Can anyone help?

if (isset($_GET['act']) && $_GET['act'] == "done" && isset($_GET['order_id']) && is_numeric($_GET['order_id']) && isset($_GET['offer_id']) && is_numeric($_GET['offer_id']))
{
    $order_id = (int)$_GET['order_id'];
    $offer_id = (int)$_GET['offer_id'];
    $seller_id = (int)$_GET['seller'];

    smart_mysql_query("UPDATE users SET balance=balance+".$order_row['amount']." WHERE user_id='$seller_id' LIMIT 1");

    header("Location: index.php?msg=done");
    exit();
}

I just can't seem to get it to work when I click the refund button.

<a class="btn btn-danger" style="margin-top: 2px" href="<?php echo SITE_URL; ?>item_orders.php?id=<?php echo $order_row['offer_id']; ?>&order_id=<?php echo $order_row['order_id']; ?>&act=done"> Refund</a>

$order_row is from the query below, which works for pulling all the order details including the amount, which is what I want to credit back.

<?php

if (isset($_GET['offer_id']) && $_GET['offer_id'] > 0 && isset($_GET['id']) && $_GET['id'] > 0)
{
    $order_id       = (int)$_REQUEST['id'];
    $offer_id       = (int)$_REQUEST['offer_id'];

    $order_result = smart_mysql_query("SELECT *, DATE_FORMAT(created, '%d %b %Y %h:%i %p') AS order_date, DATE_FORMAT(expiry, '%d %b %Y %h:%i %p') AS expire_date FROM orders WHERE offer_id='$offer_id' AND order_id='$order_id' AND user_id='$userid' LIMIT 1");
    if (mysqli_num_rows($order_result) == 0)
    {
        header("Location: index.php");
        exit();
    }
    else
    {
        $order_row = mysqli_fetch_array($order_result);
    }
}

?>

Hope someone can shed some light on why it does not work.

Upvotes: 0

Views: 20

Answers (1)

nbk

Reputation: 49385

There is no offer_id in your HTML link

?id=<?php echo $order_row['offer_id']; ?>?

So your PHP code must be

$offer_id = (int)$_GET['id'];

Or change your link to

 ?offer_id=<?php echo $order_row['offer_id']; ?>?

Also you are vulnerable to SQL injection. Please read How can I prevent SQL injection in PHP? and use prepared statements with parameters for your queries.

Upvotes: 1
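As an added example (not code from the question or from nbk's answer), here is the refund step written with the mysqli prepared statements the answer recommends, keeping the question's table and column names and reading the link parameters it actually sends (id, order_id, act). It assumes `$db` is an open mysqli connection, `$userid` is the logged-in user's id and `$sellerId` has been resolved server-side; all three are hypothetical.

```php
<?php
// Added example (not from the question or the answer): the refund step with
// mysqli prepared statements. Assumes $db is an open mysqli connection, $userid
// is the logged-in user's id and $sellerId is resolved server-side (all three
// hypothetical); table and column names are the ones the question uses.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
function refundOrder(mysqli $db, int $orderId, int $offerId, int $userId, int $sellerId): bool
{
    $db->begin_transaction();
    try {
        // Read the amount from the orders table inside the transaction: the
        // request picks the order, it never supplies the amount to credit.
        $stmt = $db->prepare('SELECT amount FROM orders
            WHERE order_id = ? AND offer_id = ? AND user_id = ? LIMIT 1 FOR UPDATE');
        $stmt->bind_param('iii', $orderId, $offerId, $userId);
        $stmt->execute();
        $order = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        if ($order === null) {
            $db->rollback();
            return false; // no such order for this user
        }
        $amount = (float)$order['amount'];
        // Parameterised UPDATE: no values are concatenated into the SQL string.
        $stmt = $db->prepare('UPDATE users SET balance = balance + ? WHERE user_id = ? LIMIT 1');
        $stmt->bind_param('di', $amount, $sellerId);
        $stmt->execute();
        $credited = ($stmt->affected_rows === 1);
        $stmt->close();
        if (!$credited) {
            $db->rollback();
            return false;
        }
        $db->commit();
        return true;
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        throw $e;
    }
}

// Validate exactly the parameters the link sends (id, order_id, act). A refund
// changes state, so it really belongs in a POST with a CSRF token, not a GET link.
if (isset($_GET['act'], $_GET['id'], $_GET['order_id']) && $_GET['act'] === 'done'
    && ctype_digit($_GET['id']) && ctype_digit($_GET['order_id'])) {
    $ok = refundOrder($db, (int)$_GET['order_id'], (int)$_GET['id'], (int)$userid, (int)$sellerId);
    header('Location: index.php?msg=' . ($ok ? 'done' : 'error'));
    exit();
}
```

With MYSQLI_REPORT_STRICT enabled, any database error surfaces as a mysqli_sql_exception instead of a silently failing query, which is usually what hides the "it just doesn't work" symptom in the question.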
