[Help]please help me.

[hystrix]

Hi,

can anyone help me how to secure this php from tampering data.

hope anyone can teach me what code should i add to prevent changing the $price and the $ProductNum of the item.

Code:

<?PHP 
$account_id = stripslashes($_SESSION['user']);
$account_id = clean_var($account_id);
if($account_id == NULL){ quickrefresh('index.php'); Die ("<img src=\"images/warning.gif\" alt=\"Access Denied\"> Access Denied! Login Please!</div></table></div></table></table>"); }

$error=1;
function getD ($int) {
    if ($int == 1) { $char = "1 Hour"; }
    if ($int == 2) { $char = "2 Hour"; }
    if ($int == 3) { $char = "5 Hour"; }
    if ($int == 4) { $char = "10 Hour"; }
    if ($int == 5) { $char = "1 Day"; }
    if ($int == 6) { $char = "3 Days"; }
    if ($int == 7) { $char = "5 Days"; }
    if ($int == 8) { $char = "7 Days"; }
    if ($int == 9) { $char = "10 Days"; }
    if ($int == 10) { $char = "15 Days"; }
    if ($int == 11) { $char = "30 Days"; }
    if ($int == 12) { $char = "60 Days"; }
    if ($int == 13) { $char = "90 Days"; }
    if ($int == 14) { $char = "100 Days"; }
    if ($int == 15) { $char = "120 Days"; }
    if ($int == 16) { $char = "345 Days"; }
    if ($int == 31) { $char = "Permanent"; }
return $char;
}
if($_POST['lostpassword']=='Buy') {
    
    $error = 2;
    $account_id = stripslashes($_SESSION['user']);
    $ItemNum = $_POST['ItemNum'];
    $ItemId = $_POST['ItemID'];
    $ItemOpt = $_POST['ItemOpt'];
    $Duration = $_POST['Duration'];
    $Price = $_POST['Price'];
    $PurPrice = ($PurPrice);
    $PurPrice = $_POST['PurPrice'];
    $ItemStock = $_POST['ItemStock'];

    $result = mssql_query ("SELECT Username, UserPoint, UserNum FROM Ranuser.dbo.Userinfo Where Username = '$account_id'");
    $rows=mssql_num_rows($result);

    if($rows>0) {
        $rows=mssql_fetch_assoc($result); 
        extract($rows);
        
        $UserPoint = ($UserPoint);
        $ID = ($Username);
        $Usernum = ($UserNum);

    if($UserPoint<$Price) {
            echo "<font color=red size=2><center>Sorry not enough CR-Points to Avail this Item.<p>";
            $error = 1; delayedrefresh('webshop.php');
        }
    if($Price <= 0) {
            echo "<font color=red size=2><center>Item Hack Detected **** You...<p>";
            $error = 1; delayedrefresh('http://tinyurl.com/2la2fy');
        }
    $result1=mssql_query("SELECT ItemStock FROM Ranshop.dbo.ShopItemMap Where ProductNum = '$ItemNum'");
    $rows1=mssql_num_rows($result1);
    if ($rows1>0) {
    $rows1=mssql_fetch_assoc($result1); 
    extract($rows1);

    $ItemStock = ($ItemStock);
    $ItemMoney = ($ItemMoney);
    $PurPrice = $_POST['PurPrice'];
    $ItemMoney = $_POST['ItemMoney'];

        if($ItemStock<=0) {
            echo "<font size=2 color=red><center><strong>Sorry out of Stock!</strong></font><p>";
            $error = 1; delayedrefresh('webshop.php');
        }


    


    } else {
        echo "Account does not exist!<p>";
        $error = 1;
    }
        }
}
if($error==1) {

}
if($error==2) {
    $account_id = stripslashes($_SESSION['user']);
    $ItemName = $_POST['ItemName'];
    $ItemNum = $_POST['ItemNum'];
    $ItemId = $_POST['ItemMain'];
    $ItemOpt = $_POST['ItemSub'];
    $Duration = $_POST['Duration'];
    $Price = $_POST['Price'];
    $ItemStock = $_POST['ItemStock'];
    $ItemImage = $_POST['ItemImage'];
    $Usernum = ($UserNum);
    $UserPoint = ($UserPoint);
    $Point = ($UserPoint);
    $ProductNum = $_POST['ProductNum'];
    $PurPrice = $_POST['PurPrice'];
    $UserUID = $_POST['UserUID'];
    $PurFlag=$_POST['PurFlag'];


    $pur = mt_rand(10000000,99999999);
    mssql_query ("UPDATE Ranuser.dbo.Userinfo SET UserPoint = UserPoint - '$Price' WHERE Username = '$account_id'");
    mssql_query ("UPDATE RanShop.dbo.ShopItemMap SET ItemStock = ItemStock - 1 WHERE ProductNum = '$ItemNum' ");
    mssql_query("INSERT INTO RanShop.dbo.ShopPurchase (UserUID, ProductNum, PurPrice,Purkey)
    VALUES('$account_id','$ItemNum','$Price','$pur')");


    mssql_query ("INSERT INTO Ranuser.dbo.Donation (Name,Date, Item, Quantity, Duration, Usernum)
    VALUES('$ItemName',getdate(),'$ItemImage',1,'$Duration','$Usernum')");
    $result = mssql_query ("SELECT Username, UserPoint, UserNum FROM Ranuser.dbo.Userinfo Where Username = '$account_id'");
    $rows=mssql_num_rows($result);

    if($rows>0) {
        $rows=mssql_fetch_assoc($result); 
        extract($rows);
        $ProductNum = ($ProductNum);
        $UserPoint = ($UserPoint);
    }
    echo "<font size=3 color=green><center>Item Bought Succesfully</font><br><br><font size=2 color=black>Your Account have:</font> <font color=red size=2><b>$UserPoint</font></b><font size=2 color=black> CR-Points Left</font>";
    delayedrefresh('webshop.php');
}
?>

hoping someone will help me..

[JShor]

You can't protect data from getting changed, but you can encrypt it so it cannot be seen.

See:
http://br2.php.net/md5

[hystrix]

@JShor

thank you sir..

@mods
please close this thread.. problem solved.

[JShor]

You can just mark the thread as 'Resolved'.