
Can you give me an idea of what this line of code is saying?

Discussion in 'PHP' started by chrisj, Mar 18, 2019.

  1. #1
    Can you tell me about this line of code:

    $this_day_video_earn = $db->rawQuery("SELECT SUM(amount - admin_com) AS sum FROM ".T_VIDEOS_TRSNS." c WHERE `time` >= ".$day_start." AND `time` <= ".$day_end." AND user_id = ".$pt->user->id);
    chrisj, Mar 18, 2019
  2. SpacePhoenix
    #2
    Looks like it's getting a site's daily earnings from either sales and/or viewings of videos. As it stands it's vulnerable to SQL injection attacks, as they're plugging raw data into a query.
    SpacePhoenix, Mar 18, 2019
  3. chrisj
    #3
    Thanks for your reply.

    I am trying to change that script file to get the site's daily earnings, instead, to come from the amount in the 'u_paid_videos' (db table) > 'earned_amount' (column) which reflects the earned amount that the uploader earns upon each video sales transaction. I tried this without success:

    $this_day_video_earn = $db->rawQuery("SELECT (earned_amount) FROM ".T_U_PAID_VIDEOS." c WHERE `time` >= ".$day_start." AND `time` <= ".$day_end." AND user_id_uploaded = ".$pt->user->id);
    //$this_day_video_earn = $db->rawQuery("SELECT SUM(amount - admin_com) AS sum FROM ".T_VIDEOS_TRSNS." c WHERE `time` >= ".$day_start." AND `time` <= ".$day_end." AND user_id = ".$pt->user->id);
    By 'without success' I mean that upon selecting the 'transaction' HTML page, it just hangs and doesn't redirect to it. But if I remove my modification attempt, it redirects successfully.

    Any ideas on helping me with what I'm trying to accomplish will be appreciated.
    chrisj, Mar 18, 2019
  4. NetStar
    #4
    Translation: Execute me to slow your database down and get your web site hacked.
    NetStar, Mar 26, 2019
  5. JEET
    #5
    Try this:

    $this_day_video_earn = $db->rawQuery("SELECT (earned_amount) as sum FROM ".T_U_PAID_VIDEOS." c WHERE `time` >= ".$day_start." AND `time` <= ".$day_end." AND user_id_uploaded = ".$pt->user->id);
    //$this_day_video_earn = $db->rawQuery("SELECT SUM(amount - admin_com) AS sum FROM ".T_VIDEOS_TRSNS." c WHERE `time` >= ".$day_start." AND `time` <= ".$day_end." AND user_id = ".$pt->user->id);
    JEET, Mar 29, 2019
  6. SpacePhoenix
    #6
    That's still vulnerable to SQL injection attacks.
    SpacePhoenix, Mar 29, 2019
  7. JEET
    #7
    Yes, vulnerable, but he just wanted that line changed so his script could get the result of the query.

    Also, I think the script is sending query parameters which the user cannot change, probably checked previously for validity.
    JEET, Mar 29, 2019
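The two queries from this thread (the original `SUM(amount - admin_com)` query in post #1 and the `earned_amount` query from post #3) rewritten with bound parameters, so that `$day_start`, `$day_end` and the user id are sent as values and can never change the SQL text, which is the injection risk SpacePhoenix points out. This is an added example, not code from the thread, from the script being modified, or from the `$db` helper it uses; it assumes a PDO connection in `$pdo`, and the `T_*` constants are defined here with placeholder table names only so the snippet is self-contained. The `earned_amount` version uses `SUM()` so that, like the original query, it returns a single `sum` column rather than one row per sale.

```php
<?php
// Added example: the thread's daily-earnings queries with PDO prepared statements.
// Placeholder table names (assumed, not taken from the thread) so the file is self-contained.
if (!defined('T_VIDEOS_TRSNS'))  { define('T_VIDEOS_TRSNS', 'videos_transactions'); }
if (!defined('T_U_PAID_VIDEOS')) { define('T_U_PAID_VIDEOS', 'u_paid_videos'); }

/**
 * Net site earnings (amount - admin_com) for one user within [$dayStart, $dayEnd].
 * Same logic as the query in post #1, but with bound parameters.
 */
function siteDailyEarnings(PDO $pdo, int $dayStart, int $dayEnd, int $userId): float
{
    // Table names cannot be bound; they come from trusted constants, never from request input.
    $sql = 'SELECT COALESCE(SUM(amount - admin_com), 0) AS sum '
         . 'FROM ' . T_VIDEOS_TRSNS . ' '
         . 'WHERE `time` >= :day_start AND `time` <= :day_end AND user_id = :user_id';

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':day_start', $dayStart, PDO::PARAM_INT);
    $stmt->bindValue(':day_end',   $dayEnd,   PDO::PARAM_INT);
    $stmt->bindValue(':user_id',   $userId,   PDO::PARAM_INT);
    $stmt->execute();

    // SUM() over no rows is NULL; COALESCE turns that into 0 so the caller always gets a number.
    return (float) $stmt->fetchColumn();
}

/**
 * Uploader earnings from u_paid_videos.earned_amount, which is what post #3 asks for.
 * SUM() keeps the result shape of the original query: one row, one 'sum' column.
 */
function uploaderDailyEarnings(PDO $pdo, int $dayStart, int $dayEnd, int $uploaderId): float
{
    $sql = 'SELECT COALESCE(SUM(earned_amount), 0) AS sum '
         . 'FROM ' . T_U_PAID_VIDEOS . ' '
         . 'WHERE `time` >= :day_start AND `time` <= :day_end AND user_id_uploaded = :uploader_id';

    $stmt = $pdo->prepare($sql);
    // execute() with an associative array binds every placeholder in one call.
    $stmt->execute([
        ':day_start'   => $dayStart,
        ':day_end'     => $dayEnd,
        ':uploader_id' => $uploaderId,
    ]);

    return (float) $stmt->fetchColumn();
}

// Usage with the variables the thread already has ($day_start, $day_end, $pt->user->id).
// The int casts make the type contract explicit at the call site:
//
// $this_day_video_earn = uploaderDailyEarnings(
//     $pdo, (int) $day_start, (int) $day_end, (int) $pt->user->id
// );
```

If `$db` in the thread is the MysqliDb class (an assumption, based on the `rawQuery` method name), its `rawQuery($query, $bindParams)` signature accepts `?` placeholders with an array of values, so the same change can be made on the script's own helper without switching to PDO. Either way, the point JEET raises in post #7 still applies: even when the timestamps and user id are generated server-side today, binding them means a later change to where they come from cannot turn the query into an injection point.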