Banking System Help Needed

Hi.

I’m working on a banking system project and I need help with a few files that’s not working right. It’s a 3 part function that I’m having trouble with. Thanks in advanced.

netbanking.sql:
[php]

– Table structure for table accounts

CREATE TABLE IF NOT EXISTS accounts (
accno varchar(25) NOT NULL,
customerid int(10) NOT NULL,
accstatus varchar(25) NOT NULL,
primaryacc varchar(10) NOT NULL,
accopendate date NOT NULL,
accounttype varchar(25) NOT NULL,
accountbalance double(10,2) NOT NULL,
unclearbalance double(10,2) NOT NULL,
accuredinterest double(10,2) NOT NULL,
PRIMARY KEY (accno)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

– Dumping data for table accounts

INSERT INTO accounts (accno, customerid, accstatus, primaryacc, accopendate, accounttype, accountbalance, unclearbalance, accuredinterest) VALUES
(‘4661’, 98683, ‘active’, ‘40000’, ‘2013-02-11’, ‘sv’, 200000.00, 100.00, 100.00),
(‘4662’, 98683, ‘active’, ‘40000’, ‘2013-02-11’, ‘sv’, 100000.00, 100.00, 100.00);

–
– Table structure for table transaction

CREATE TABLE IF NOT EXISTS transaction (
transactionid int(10) NOT NULL AUTO_INCREMENT,
transactiondate date NOT NULL,
paymentdate datetime NOT NULL,
payeeid int(25) NOT NULL,
receiveid int(10) NOT NULL,
debitac varchar(25) NOT NULL,
amount float(10,2) NOT NULL,
paymentstat varchar(25) NOT NULL,
PRIMARY KEY (transactionid)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=2147483647 ;

– Dumping data for table transaction

INSERT INTO transaction (transactionid, transactiondate, paymentdate, payeeid, receiveid, debitac, amount, paymentstat) VALUES
(2147483647, ‘2012-12-13’, ‘2012-12-03 04:21:10’, 111232154, 0, ‘150000’, 100000.00, ‘active’);
[/php]
dbconnection.php - NO CHANGES NEEDED:
[php]

[/php]
accounttransfer.php
Ok. So, for this file, whenever someone chooses Transfer From, it is supposed to show the current balance in the Current Balance field so the customer will know if they have enough to transfer.
[php]

      <input type="submit" value="Transfer" name="transfer1"
      id="transfer1"></div>
    </td>
  </tr>
</tbody>

$to = $_POST[‘transferto’];
$from = $_POST[‘transferfrom’];
$amount = $_POST[‘amount’];

/if(isset($_POST[‘transfer1’]))
{
else
{
$result1 = mysql_query(“SELECT * FROM accounts WHERE accountsid=’$to’”);
$result2 = mysql_query(“SELECT * FROM accounts WHERE accountsid=’$from’”);
}
}
$transferarray = mysql_query(“SELECT * FROM accounts”);/

if(isset($_POST[“transfer2”]))
{
//$newbal = $_POST[‘currbal’] + $_POST[‘amount’];

    if($_POST[trpass] == $_POST[conftrpass])
    {
            if($to === $from)
            {
                    $error = "The account numbers are the same.<br>
                              Please <button onclick=\"history.go(-1);\">Go Back</button>
                              and choose a different account number.";
            }
            elseif($amount == "")
            {
                    $error = "No amount has been entered.<br>
                              Please <button onclick=\"history.go(-1);\">Go Back</button>
                              and enter an amount.";
            }
            else
            {
                    $error = "Failed to transfer";
            }
            if($to == TRUE)
            {
                    $from = mysql_query("SELECT accountbalance FROM accounts WHERE accno='.$from.'
                                                                             AND customerid='$_GET[customerid]'");
                    while($from = mysql_fetch_array($from, MYSQL_BOTH))
                    {
                            if($amount > $from[0])
                            {
                                    $error = "Amount insufficient!";
                                    $forward = false;
                            }
                            else
                            {
                                    $sql = ("UPDATE accounts SET accountbalance = accountbalance - $amount WHERE accno = '.$from.'");
                                    $sql = ("UPDATE accounts SET accountbalance = accountbalance + $amount WHERE accno = '.$to.'");
                                    $currbal = mysql_query("SELECT accountbalance FROM accounts WHERE accno = '.$to.'");

                                    if (mysql_query($sql))
                                    {
                                            // succeeded
                                            $result1="INSERT INTO transaction(recipient,
                                                                              payeeid,
                                                                              depositac,
                                                                              transactionmethod,
                                                                              transactiontype,
                                                                              accountbalance,
                                                                              transactiondate)VALUES('$_POST[accno] $to',
                                                                                                     '$_POST[accno] $from',
                                                                                                     '$_POST[amount]',
                                                                                                     'Cash',
                                                                                                     'Transfer',
                                                                                                     '$_POST[currbal]',
                                                                                                     '$_POST[date]')";
                                            header("Location: accounttransfer3.php");
                                    }
                            }
                    }
                    if (!mysql_query($sql,$con))
                    {
                            die('Error: ' . mysql_error());
                    }
            }
    }
    mysql_close($dbc);






            /*mysql_query ("UPDATE `` SET `` = `accountbalance` + `.$amount.`
                                            WHERE `` = `..`");
                                            //AND customerid='$_GET[customerid]'");*/





            /*while($res = mysql_fetch_array($to, MYSQL_BOTH))
            {
                    $updateamount = $res[0]+$amount;

                    mysql_query("UPDATE accounts SET accountbalance='$updateamount'
                                                 WHERE accno='$to'
                                                 AND customerid='$_GET[customerid]'");
            }*/





    /*else
    {
            $passerr = "<b>Invalic password entered...<br> Please re-enter transaction password</b>";
            $payto = $_POST[paytoo];
            $payamt = $_POST[amt];
            $payacno= $_POST[payeeid];
    }*/

}
//$acc= mysql_query(“select * from accounts where customer_id=’$_SESSION[customer_id]’”);
?>

$to = $_POST[‘accountnumber’];
$tranaction = mysql_query(“SELECT * FROM transaction”);

$trans = mysql_query(“SELECT * FROM transaction WHERE transactionid”);

while($rows = mysql_fetch_array($trans))
{
$recipient = $rows[‘accountnumber’];
$oldbal = $rows[‘oldaccountbalance’];
$newbal = $rows[‘accountbalance’];
}
mysql_close($con);
?>

I wasn’t going to respond to this post, but the more and more I thought about it the more I had too. I feel it’s better to be honest than to sugar-coat this, so here it goes. If I had to use this website as my main way of banking, I rather build a bonfire and start throwing my money into the fire in order to keep the fire going than do any transaction at this website. For at least I know where my money would be going instead who it would be going to. ;D :o

1. You using mysql instead of mysqli or PDO, mysql is going to be obsolete and has more security holes in it than Swiss cheese has holes.

2. No security measures what-so-ever taken, but maybe that you’re trying to get the code to work first??? Not to forget about number 1.

I just hope this is something you’re doing for fun and not something that is actually being done for a place of business, if it is for a business I hope that there are other employees with actual experience and knowledge to steer you in the right direction. I know personally that I would never tackle any script that deals with other people’s money and if I do I would use a trusted 3rd party company that deals with money transactions on a daily basis.

There’s not a whole lot more I can add to what you said other than holy moly! It’s not worth the risk to create anything like what you’re doing. Use a service such as PayPal, yeah you lose around 2% of the transaction, but it’s worth the 2% to know that both you and more importantly your customers are safe. – Small price to pay.

This isn’t the banking system as a whole. This is just the transfer part. Of course, there is more to it than just this.

This is just one of the major parts of the whole thing. I’ve just used this part for testing and fixing the files. Of course, I’m gonna lookup mysql_real_escape_strings and other code to secure the files of my banking system.

I’m just trying to get the items working. I have loan payment and other payment files that I need to fix and wanna do it based on the fixing of these files.

Besides, without the rest of the system, how would money be transferred, if money can’t even be added to the system?

You shouldn’t, escaping input for db queries were replaced by a superior method (parameterized queries) 10 years ago.

Is this going to be a real, live system with actual users or just a learning-by-doing project? If this is going to go live I would strongly suggest you can a good audit afterwards. Messing with money (and especially other peoples money) could quickly get real messy.

There are so many things that could go wrong in doing this. You would also have to make sure you are following the law wherever you are in regards to customer information / bank account information / credit card information.

///

It’s for both, a real banking system I’m working on and for me to personally, learn advanced php programming with the ability to transfer info to different parts of the system and external systems.

As far as real banking, I plan to use the system to:

[ul][li]Start off with help with my family and my finances and to help payoff my brother’s house.[/li]
[li]Help churches, particularly my church to payoff the new building that we just built.[/li]
[li]Help the poor and needy around the world.[/li][/ul]

CRIKEY!!! - a song comes to mind here… ‘There may be trouble ahead’…

It’s been pointed out to you politely, non-sugar-coated and shockingly…
Now I’m going to tell you in plain English:

If you are silly enough to put this code in a live environment be prepared to deal with angry family members, chased by the churches legal teams, a visit from the law and lord knows whomever else!!

Remember this:
Your reputation is only as good as your last piece of code…

Yes, I’m willing to do it in MySqli and/or PDO. Thanks.

Your first decision is whether to use Mysqli OR PDO - not both.

I personally use Mysqli and I know a couple of the other guys like Jim and Strider use PDO.

The decision you really should be making is ‘should i do this at all?’

The best advice has already been given by Scott:

You must understand, we are not trying to put you off PHP, coding or even building something like the code you are writing, what we are trying to do is point out there are better, more secure ways of doing some things by people (companies) that spend a fortune making their scripts the best they can be - why re-invent the wheel?

Red