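<?php
// Promo-code redemption page. Guards the route and the session, validates the
// code posted by the form below, credits the user's cash inside a transaction
// and records the redemption. Relies on $dbh (PDO), $userinfo and $_SESSION
// being set up by the including script.

// The page is only reachable through the "promocode" router action. Read the
// key with a default so an absent "do" raises no notice, and compare strictly
// instead of with the loose "!=".
if (($_GET['do'] ?? '') !== 'promocode') {
    header('Location: index.php?do=promocode');
    exit();
}
if (!isset($_SESSION['loggedin'])) {
    header('Location: index.php?do=login');
    exit();
}

// Validation messages rendered by the template below; empty on success.
$errors = [];

if (!empty($_POST['submit'])) {
    // Guard the POST key as well: a submission without the field must not
    // raise a notice, and surrounding whitespace is not part of a code.
    $promocode = trim((string) ($_POST['promocode'] ?? ''));
    $username = $userinfo['username'];
    $now = time();

    // Single lookup of the code row. "expire" is compared against time()
    // exactly as the original query did, so it is assumed to hold a unix
    // timestamp — confirm against the schema.
    $codeStmt = $dbh->prepare(
        'SELECT cash, points, expire FROM promocodes WHERE code = :promocode'
    );
    $codeStmt->bindValue(':promocode', $promocode);
    $codeStmt->execute();
    $code = $codeStmt->fetch(PDO::FETCH_ASSOC);

    // Has this user already redeemed this code? Select a literal and test the
    // fetch result against false instead of relying on the truthiness of
    // whichever column "SELECT *" happens to return first (a code of "0"
    // would otherwise read as "not found").
    $usedStmt = $dbh->prepare(
        'SELECT 1 FROM promocodes_used WHERE username = :username AND promocode = :promocode'
    );
    $usedStmt->bindValue(':username', $username);
    $usedStmt->bindValue(':promocode', $promocode);
    $usedStmt->execute();
    $used = $usedStmt->fetchColumn() !== false;

    // Same check order as before: empty input, already used, unknown, expired.
    if ($promocode === '') {
        $errors[] = "You did not enter a Promo Code!";
    } elseif ($used) {
        $errors[] = "You have already used this Promo Code!";
    } elseif ($code === false) {
        $errors[] = "The promo code entered is not valid!";
    } elseif ((int) $code['expire'] < $now) {
        $errors[] = "Promo Code is expired!";
    }

    if (empty($errors)) {
        // NOTE(review): "points" is fetched for parity with the original query
        // but was never applied to the user; confirm whether a points balance
        // exists before wiring it up.
        $cash = $code['cash'];

        // Record the redemption and credit the cash as one unit so a failure
        // half-way leaves neither a dangling "used" row nor an uncredited code.
        $dbh->beginTransaction();
        try {
            // The original never wrote this row, so the "already used" check
            // above could never fire and a code could be redeemed repeatedly.
            // Column names follow the SELECT above; confirm promocodes_used
            // has no further required columns.
            $markUsed = $dbh->prepare(
                'INSERT INTO promocodes_used (username, promocode) VALUES (:username, :promocode)'
            );
            $markUsed->bindValue(':username', $username);
            $markUsed->bindValue(':promocode', $promocode);
            $markUsed->execute();

            // The amount comes from the promocodes table, not from the user,
            // but binding it keeps the statement free of interpolated values
            // no matter what is stored there. Two placeholders because a named
            // parameter may not be reused when prepares are not emulated.
            $credit = $dbh->prepare(
                'UPDATE users
                 SET total_cash = total_cash + :cash_total, current_cash = current_cash + :cash_current
                 WHERE username = :username'
            );
            $credit->bindValue(':cash_total', $cash);
            $credit->bindValue(':cash_current', $cash);
            $credit->bindValue(':username', $username);
            $credit->execute();

            $dbh->commit();
        } catch (Throwable $e) {
            $dbh->rollBack();
            throw $e;
        }

        // The original wrote "${$value['cash']}", which PHP parses as a
        // variable-variable rather than a dollar sign followed by the amount.
        print 'You have just received $' . htmlspecialchars((string) $cash, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
?>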
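<?php if ($configs['ShowPageTitle']): ?>
<div id="pagetitle">Promo Code</div>
<?php endif; ?>
<?php if ($errors): ?>
<?php foreach ($errors as $error): ?>
<?php // Messages are fixed strings today; escape anyway so a future dynamic message cannot inject markup. ?>
<div id="small_error_msg"><?php echo htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?></div>
<?php endforeach; ?>
<br />
<?php endif; ?>
<?php // NOTE(review): no CSRF token is sent with this form; confirm the router adds one, otherwise add a hidden token field here. ?>
<form method="POST">
<table cellpadding="4" cellspacing="0" style="width:100%" class="">
<tr>
<td style="width:35%"><b>Promo Code</b></td>
<?php // Re-populate the field from the submitted value. isset() avoids the undefined-variable notice on first load; escaping with an explicit charset covers the attribute context. ?>
<td style="width:65%"><input type="text" name="promocode" maxlength="50" style="width:200px" value="<?php echo isset($promocode) ? htmlspecialchars($promocode, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : ''; ?>" /></td>
</tr>
<tr>
<td colspan="2" align="center" style="padding:5px 0 5px"><input type="submit" name="submit" value="Submit" /></td>
</tr>
</table>
</form>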
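<?php
// Promo-code redemption page. Guards the route and the session, validates the
// code posted by the form below, credits the user's cash inside a transaction
// and records the redemption. Relies on $dbh (PDO), $userinfo and $_SESSION
// being set up by the including script.

// The page is only reachable through the "promocode" router action. Read the
// key with a default so an absent "do" raises no notice, and compare strictly
// instead of with the loose "!=".
if (($_GET['do'] ?? '') !== 'promocode') {
    header('Location: index.php?do=promocode');
    exit();
}
if (!isset($_SESSION['loggedin'])) {
    header('Location: index.php?do=login');
    exit();
}

// Validation messages rendered by the template below; empty on success.
$errors = [];

if (!empty($_POST['submit'])) {
    // Guard the POST key as well: a submission without the field must not
    // raise a notice, and surrounding whitespace is not part of a code.
    $promocode = trim((string) ($_POST['promocode'] ?? ''));
    $username = $userinfo['username'];
    $now = time();

    // Single lookup of the code row. "expire" is compared against time()
    // exactly as the original query did, so it is assumed to hold a unix
    // timestamp — confirm against the schema.
    $codeStmt = $dbh->prepare(
        'SELECT cash, points, expire FROM promocodes WHERE code = :promocode'
    );
    $codeStmt->bindValue(':promocode', $promocode);
    $codeStmt->execute();
    $code = $codeStmt->fetch(PDO::FETCH_ASSOC);

    // Has this user already redeemed this code? Select a literal and test the
    // fetch result against false instead of relying on the truthiness of
    // whichever column "SELECT *" happens to return first (a code of "0"
    // would otherwise read as "not found").
    $usedStmt = $dbh->prepare(
        'SELECT 1 FROM promocodes_used WHERE username = :username AND promocode = :promocode'
    );
    $usedStmt->bindValue(':username', $username);
    $usedStmt->bindValue(':promocode', $promocode);
    $usedStmt->execute();
    $used = $usedStmt->fetchColumn() !== false;

    // Same check order as before: empty input, already used, unknown, expired.
    if ($promocode === '') {
        $errors[] = "You did not enter a Promo Code!";
    } elseif ($used) {
        $errors[] = "You have already used this Promo Code!";
    } elseif ($code === false) {
        $errors[] = "The promo code entered is not valid!";
    } elseif ((int) $code['expire'] < $now) {
        $errors[] = "Promo Code is expired!";
    }

    if (empty($errors)) {
        // NOTE(review): "points" is fetched for parity with the original query
        // but was never applied to the user; confirm whether a points balance
        // exists before wiring it up.
        $cash = $code['cash'];

        // Record the redemption and credit the cash as one unit so a failure
        // half-way leaves neither a dangling "used" row nor an uncredited code.
        $dbh->beginTransaction();
        try {
            // The original never wrote this row, so the "already used" check
            // above could never fire and a code could be redeemed repeatedly.
            // Column names follow the SELECT above; confirm promocodes_used
            // has no further required columns.
            $markUsed = $dbh->prepare(
                'INSERT INTO promocodes_used (username, promocode) VALUES (:username, :promocode)'
            );
            $markUsed->bindValue(':username', $username);
            $markUsed->bindValue(':promocode', $promocode);
            $markUsed->execute();

            // The amount comes from the promocodes table, not from the user,
            // but binding it keeps the statement free of interpolated values
            // no matter what is stored there. Two placeholders because a named
            // parameter may not be reused when prepares are not emulated.
            $credit = $dbh->prepare(
                'UPDATE users
                 SET total_cash = total_cash + :cash_total, current_cash = current_cash + :cash_current
                 WHERE username = :username'
            );
            $credit->bindValue(':cash_total', $cash);
            $credit->bindValue(':cash_current', $cash);
            $credit->bindValue(':username', $username);
            $credit->execute();

            $dbh->commit();
        } catch (Throwable $e) {
            $dbh->rollBack();
            throw $e;
        }

        // The original wrote "${$value['cash']}", which PHP parses as a
        // variable-variable rather than a dollar sign followed by the amount.
        print 'You have just received $' . htmlspecialchars((string) $cash, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
?>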
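<?php if ($configs['ShowPageTitle']): ?>
<div id="pagetitle">Promo Code</div>
<?php endif; ?>
<?php if ($errors): ?>
<?php foreach ($errors as $error): ?>
<?php // Messages are fixed strings today; escape anyway so a future dynamic message cannot inject markup. ?>
<div id="small_error_msg"><?php echo htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?></div>
<?php endforeach; ?>
<br />
<?php endif; ?>
<?php // NOTE(review): no CSRF token is sent with this form; confirm the router adds one, otherwise add a hidden token field here. ?>
<form method="POST">
<table cellpadding="4" cellspacing="0" style="width:100%" class="">
<tr>
<td style="width:35%"><b>Promo Code</b></td>
<?php // Re-populate the field from the submitted value. isset() avoids the undefined-variable notice on first load; escaping with an explicit charset covers the attribute context. ?>
<td style="width:65%"><input type="text" name="promocode" maxlength="50" style="width:200px" value="<?php echo isset($promocode) ? htmlspecialchars($promocode, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : ''; ?>" /></td>
</tr>
<tr>
<td colspan="2" align="center" style="padding:5px 0 5px"><input type="submit" name="submit" value="Submit" /></td>
</tr>
</table>
</form>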