PHP | Subtract -1 from a user's balance when downloading a document

user12944651 :

I am aware that the title does not fully reflect what I am about to explain, so sorry for the irrelevant title.

The goal: to allow the user to download a document only if the user has a balance > 0.

I built this download area and each user has their own balance; however, I am having difficulty subtracting the value -1 from the user's balance at the time of download, as my download area is built using a while loop over the documents table, and at the time of the download I can only check the user's balance by going back to his id, via $_SESSION, set when logging in.

The biggest problem is that I can't access the user's balance, because obviously the only values I get are from the documents table ("documenti") and not from the users table ("utenti").

Document page:

<?php
ob_start();
session_start();
include 'connection/cnt.php';
include 'download.php'; // runs the SELECT on documenti that fills $query_lc
?>
<?php while ($file = mysqli_fetch_assoc($query_lc)) { ?>
    <ul>
        <li><?php echo $file['documento']; ?> | <a style="color: #731617;" href="download.php?i_doc=<?php echo $file['id_doc']; ?>">Download</a></li>
    </ul>
<?php } ?>

Download page:

<?php
ob_start();
session_start();
include 'connection/cnt.php';
$id_utente = $_SESSION['test'];

// list of all documents, consumed by the while loop on the document page
$query_lav_c = "SELECT * FROM documenti";
$query_lc = mysqli_query($connessione, $query_lav_c);

// DOWNLOAD DOCUMENT
if (isset($_GET['i_doc'])) {
    $id = $_GET['i_doc'];

    /* CHECK THAT THE TOKEN ENTERED BY THE PROFESSIONAL IS THE CORRECT TOKEN FOR THE REQUEST */
    $controlla_token = $connessione->query("SELECT * FROM utenti WHERE id='$id_utente' AND saldo > 0");

    /* IF THE TOKEN IS CORRECT */
    if ($controlla_token->num_rows > 0) {
        /* ASSIGN THE VALUES */
        $data = $controlla_token->fetch_array();

        // fetch file to download from database
        $sql = "SELECT * FROM documenti WHERE id_doc=$id";
        $result = mysqli_query($connessione, $sql);
        $file = mysqli_fetch_assoc($result);
        $filepath = 'uploads/' . $file['documento'];

        // UPDATE: read the current balance of the logged-in user
        $t = "SELECT * FROM utenti WHERE id = '$id_utente' ";
        $r = mysqli_query($connessione, $t);
        while ($n = mysqli_fetch_assoc($r)) {
            $saldo = $n['saldo'];
        }

        // the UPDATE string is built here but never passed to mysqli_query
        $sql = "UPDATE utenti SET saldo= '$saldo'-1 WHERE id= '$id_utente'";

        if (file_exists($filepath)) {
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename=' . basename($filepath));
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($filepath));
            readfile($filepath);
        }
    }
    /*
     * IF THE TOKEN ENTERED IS NOT CORRECT, SEND THE PROFESSIONAL BACK TO THE RICH_DISPONIBILI PAGE
     * SHOWING THEM AN ALERT - DANGER MESSAGE
     */
    else {
        ?>
        <script type="text/javascript">
            var tknerrato = "<?php echo $id ?>";
            window.location = "rich_disponibili.php?tknerrato=" + tknerrato;
        </script>
        <?php
    }
}

The code does its job perfectly: it checks beforehand that the user has a balance > 0 and, if so, allows the download. The problem is in the next step: once the download is done, I have to subtract the value -1 from the balance of the user who downloaded the document in the users table, but how can I access the user's balance value if, in the while loop where I show the documents, the query requests the values of another table, i.e. the documents table?

ADyson :

You will need to subtract the balance before you start the download. You can't really do it afterwards: your PHP code cannot tell when the download has completed.

You need to get the user ID from the Session, and then you can update the balance in the users table easily like this:

$sql = "UPDATE utenti SET saldo=saldo-1 WHERE id=$id_utente"; // double quotes so $id_utente is interpolated
mysqli_query($connessione, $sql);

Please also pay attention to my first comment above regarding SQL injection. The query I have just shown isn't really vulnerable because the $id_utente comes from a Session variable which is under your control, but the queries where you make use of values from $_GET are very vulnerable. Please learn how to write such queries safely and protect your database.
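A complete download.php that applies the answer above (charge first, then send) and also fixes the injection point the answer warns about, written as an added example for both the question's code and the answer; it is not code from either poster. It assumes the question's own schema and names (utenti with id and saldo, documenti with id_doc and documento, $connessione from connection/cnt.php, the user id in $_SESSION['test'], files under uploads/, and rich_disponibili.php as the error page). One further point the answer does not cover: the question's separate "SELECT ... WHERE saldo > 0" followed later by an UPDATE is a check-then-act race, so two requests on the same account can both pass the check and download with only one credit; folding the condition into the UPDATE and testing affected_rows makes the check and the charge a single atomic statement.

```php
<?php
// Added example, not the question's or the answer's code. Assumes the same
// schema as the question: utenti(id, saldo), documenti(id_doc, documento),
// $connessione provided by connection/cnt.php, $_SESSION['test'] = user id.
session_start();
include 'connection/cnt.php';

if (!isset($_SESSION['test'])) {
    http_response_code(403);
    exit('Login required');
}
$id_utente = (int) $_SESSION['test'];

// Validate the document id from the query string before it reaches SQL.
// filter_input returns null when the parameter is absent, false when invalid.
$id_doc = filter_input(INPUT_GET, 'i_doc', FILTER_VALIDATE_INT);
if ($id_doc === false || $id_doc === null) {
    http_response_code(400);
    exit('Invalid document id');
}

// Look up the file with a prepared statement: no interpolation of $_GET.
$stmt = $connessione->prepare('SELECT documento FROM documenti WHERE id_doc = ?');
$stmt->bind_param('i', $id_doc);
$stmt->execute();
$stmt->bind_result($documento);
$trovato = $stmt->fetch();
$stmt->close();
if (!$trovato) {
    http_response_code(404);
    exit('Document not found');
}

// basename() drops any directory part, so a stored value such as
// "../connection/cnt.php" can never point outside uploads/.
$filepath = __DIR__ . '/uploads/' . basename($documento);
if (!is_file($filepath)) {
    http_response_code(404);
    exit('File missing on disk');
}

// Charge the user BEFORE sending the file (PHP cannot see when a download
// finishes). The balance check and the decrement are one atomic UPDATE, so
// two concurrent requests on the same account cannot both pass a separate
// "SELECT ... WHERE saldo > 0" and then both decrement.
$stmt = $connessione->prepare(
    'UPDATE utenti SET saldo = saldo - 1 WHERE id = ? AND saldo > 0'
);
$stmt->bind_param('i', $id_utente);
$stmt->execute();
$addebitato = ($stmt->affected_rows === 1);
$stmt->close();

if (!$addebitato) {
    // Zero rows changed: unknown user or balance already at 0. Same redirect
    // target as the question's error branch, with the id URL-encoded.
    header('Location: rich_disponibili.php?tknerrato=' . urlencode((string) $id_doc));
    exit;
}

// Only now stream the file.
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
header('Content-Length: ' . filesize($filepath));
header('Cache-Control: must-revalidate');
readfile($filepath);
exit;
```

The document listing on the other page keeps working unchanged: it only needs the `i_doc` link, and the SELECT over documenti that feeds its while loop can stay in a small include of its own rather than in this script. If the balance must be refunded when readfile() fails part-way, that is a separate decision; the charge-first order above is the one the answer recommends, because the server has no reliable signal that the client finished receiving the file.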
