Where is security bug? [closed]

I’m using laravel 5.1. This is the code of custom function so users can transfer coins.

<?php
public function postCoinTransfer( Request $request )
{
$user = Auth::user();
$validator = Validator::make( $request->all(), [
'recipient' => 'required|min:1|max:20',
'amount' => 'required|numeric|integer'
]);

if ( $validator->fails() )
{
return redirect( 'account/settings#transfer' )
->withErrors( $validator )
->withInput();
}

$username = $request->recipient;
$amount = $request->amount;

if ($user->name == $username)
{
flash()->error( 'You can't transfer coins to yourself.' );
return redirect()->back();

}

if (($amount <= 0) || ($amount > 9999))
{
flash()->error( 'Amount should be from 1 to 9999 Coins.' );
return redirect()->back();
}
if ($amount > $user->money)
{
flash()->error( 'Sorry, not enough coins to make this transaction.' );
return redirect()->back();
}

$recipient = User::where('name', $username) -> first();
if (!$recipient)
{
flash()->error( 'Can't find this user.' );
return redirect()->back();

}
Coin::create([
'sender_id' => $user->ID,
'recipient_id' => $recipient->ID,
'amount' => $amount
]);

$user = Auth::user();
$user->money = $user->money - $amount;
$user->save();

$recipient->money = $recipient->money + $amount;
$recipient->save();

flash()->success( 'Coins sent successfully.' );
return redirect( 'account/settings#transfer' );
}

Recently I saw this one in my database. Logs

User with ID 1456 has transferred the coins to himself. And this actions created unlimited and free coins for him. How to fix this bug please?

from Newest questions tagged laravel-5 – Stack Overflow https://ift.tt/2Hmswvi
via IFTTT

Related Posts

Codeigniter : Parse error: syntax error, unexpected ‘const’ (T_CONST), expecting variable (T_VARIABLE) in Laravel project

I’m getting following error: **Parse error: syntax error, unexpected ‘const’ (T_CONST), expecting variable (T_VARIABLE)** Note : It’s working in local but facing issue in production server. private…

Firebase receive notification while tab is active or on focus

What i want is to be able to perform an action when a user receives a notification while the browser is open and tab is active or…

Laravel’s alias loader does not find class

We have a legacy project that we cannot update and we need to make some changes in symfony’s Response.php in vendor. We have solved this by copying…

Laravel 5 – generic document management

I have a system where you can create different types of unique documents. For instance, one document is called Project Identified and this expects certain inputs. Originally,…

Laravel Nova limit the results in indexQuery

I ran intro a situation where I need to limit the results of a resource to only 3 results. To be more specific, based on the logged…

Auditoria en laravel 5.8 [closed]

Cómo puedo automatizar el registro de actividades de un usuario en laravel? Si un usuario ingresa a un app de laravel, debo guardar toda su actividas, a…

Leave a Reply

Your email address will not be published.