
MySQL/PHP request manipulation

First time posting.

I manage a website that handles certain types of transactions for virtual currency. It is a PHP/MySQL web application. Recently we've had a user somehow withdraw the same amount (essentially duplicating their virtual money) 6 or 7 times (until we ran out of funds). Looking at the log, the transactions were processed milliseconds apart, so I'm assuming that the user had, for example, 5,000 funds and requested to withdraw them by spamming the request in order to attempt to withdraw more than they owned.

How could I go about preventing this from happening in the future, and how could I test this, or repeat this process myself?

Thanks for any help.

I don't think this is a typical question on here, I'm sorry. I'm not a developer; my current developer is on leave, so he's refused to assist.

One way this could be managed would be to force a certain time interval to pass at the timestamp level (i.e. the user cannot process multiple transactions within x minutes).

To do this, and assuming you'd be inserting the transaction stats into your table and then applying it accordingly, you can put a check constraint on new insertions that will reject any row not respecting your timestamp condition.

Some ideas to avoid spamming of requests:

FRONT SIDE:

  • Disable the button that allows the user to click and spam the request.
  • When the user clicks, replace the button with a loading icon.

BACK SIDE:

  • Create a temporary file when the transaction begins (or edit one file to add some information about the transaction), and when the transaction ends delete the file (or the data). So before EACH transaction, you check if you have the file / data: if you have something -> no transaction, because one is already running. Some documentation about this: http://php.net/manual/fr/function.file-put-contents.php

  • Another idea is to add some param in your database (or create a table like user_transaction): when you start the transaction you create a user_transaction row (or change a param from 0 to 1, as you prefer), and when the transaction ends you delete the row or change the param from 1 to 0. So before EACH transaction you check if a row exists for this user or if the param is 1: if yes -> no transaction, because one is already running. Nothing complicated here; I have no information about your database so I can't do more :)

Try to add one lock on the FRONT + one lock on the BACK and you should reduce the problem!


EDIT: add some tracking

To stop users spamming requests, you can add some tracking to detect fraud:

  • You can add a counter and add +1 each time the user clicks, to know if he spams.
  • You can create a table in the database to record each time a user sends a request, to know which user clicked, when, and for how much currency, for example.

This way you know who commits fraud (who clicks a lot to spam requests, or who sends too many requests in a short time) and you can send an email or a warning message, for example; or, if you can track the amount of currency he gained by "cheating", ask him to give it back. I don't know how your app works!

The SQL to withdraw funds should be:

   -- Single conditional update: the balance check and the debit happen atomically
   UPDATE users
   SET balance = balance - $amount
   WHERE id = $id AND balance >= $amount

If 0 rows are affected, then there is insufficient balance.

Any solution that tests the balance beforehand is susceptible to race conditions.

If the balance column is an integer or big integer, making it unsigned will prevent it from going negative.

ALTER TABLE user MODIFY balance BIGINT UNSIGNED NOT NULL;
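As an added example (not code from the thread), the check-then-act pattern the answers warn about is placed beside the single conditional UPDATE, run against SQLite so the duplicate-withdrawal race can be reproduced deterministically; the users table and the request interleaving are constructed here.

```python
import sqlite3

# Constructed demo: two implementations of the same withdrawal against an
# in-memory SQLite table, so the race can be shown without real threads.

def make_db():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO users VALUES (1, 5000)")  # user 1 owns 5,000
    return conn

def balance(conn, user_id):
    return conn.execute("SELECT balance FROM users WHERE id = ?", (user_id,)).fetchone()[0]

# --- Vulnerable: check in one statement, debit in another ---
def racy_check(conn, user_id, amount):
    return balance(conn, user_id) >= amount

def racy_apply(conn, user_id, amount):
    conn.execute("UPDATE users SET balance = balance - ? WHERE id = ?", (amount, user_id))

def racy_withdraw_interleaved(conn, user_id, amount, requests):
    """Simulate `requests` near-simultaneous calls whose SELECTs all run
    before any UPDATE (the interleaving a burst of requests can produce).
    Returns how many withdrawals were approved."""
    decisions = [racy_check(conn, user_id, amount) for _ in range(requests)]
    for approved in decisions:
        if approved:
            racy_apply(conn, user_id, amount)
    return sum(decisions)

# --- Hardened: one conditional UPDATE; success judged by rows affected ---
def withdraw(conn, user_id, amount):
    cur = conn.execute(
        "UPDATE users SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, user_id, amount))
    return cur.rowcount == 1  # 0 rows affected means insufficient balance

def atomic_withdraws(conn, user_id, amount, requests):
    return sum(withdraw(conn, user_id, amount) for _ in range(requests))

if __name__ == "__main__":
    db = make_db()
    print("racy approved:", racy_withdraw_interleaved(db, 1, 5000, 7), "balance:", balance(db, 1))
    db = make_db()
    print("atomic approved:", atomic_withdraws(db, 1, 5000, 7), "balance:", balance(db, 1))
```

The racy version approves all seven requests and drives the balance to -30000; the conditional UPDATE approves exactly one and leaves the balance at 0.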
