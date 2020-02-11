First, a laundry list of problems in just the posted code (probably repeating some things you have already been told) -

The query that deducts the credits from the purchaser’s wallet needs to be part of the transaction you are showing in this code. All these related queries must either succeed or they must all be rolled-back. While I doubt the PT_Secure function is actually as secure as the original author of this script thinks, casting the value to an int at least means the submitted value is safe to use in the rest of the code. The rest of the posted code should use $video_id, not $id. $video_cost_new should be used in the rest of the code. The current code is inserting the default $video_cost into the paid_videos table. It would probably help if most of these variables were better named as to the meaning of the data in them. The 50% multiplier should be a configuration value, not hard-coded. The INSERT query contains derived/redundant/unnecessary values. This query is recording the information about the purchase of an item. It should have just the unique/one-time - who (purchased the item), what (was purchased), when (the purchase was made), where (the purchase was made from - it’s customary to record the visitor’s ip address for just about everything that occurs on the web), and why (a status/memo value) information. For the posted code, the video_pay_price, user_id_uploaded, video_title, and earned_amount are all derived values and are known based on the video id (since this script lacks any way of tracking price changes or the earned amount percentage change, you may need to record some of these values with the purchase to provide an audit trail.) Any data related to the purchase of an item should use the last insert id from this INSERT query (see the next point.)

Next, on to what could be occurring. Sometime in the last few months, you were told that every operation that modifies the credits/money of a user needs to be done by inserting a row into an ‘accounting’ table, rather than to just update a value in a column. The reason you were given for doing this was so that you have a record, an audit trail, of everything that modifies the value, and were further told this is so that you can detect if a programming mistake, a duplicate form submission, or nefarious activity modified a value. Since the code isn’t doing that, you don’t really know why the data isn’t what you expect. All you are seeing is the end result of all the code running or not running. It could be that the UPDATE query is adding the amount to the wallet, but some other code could be deducting the amount or could be updating the amount back to the original value.

Since ti is doubtful you will (be able to) change the design to do this, to debug this problem, you will need to add logic at each update query in the code that is modifying the user’s wallet amount so that you can log all the relevant information so that you can see what is actually occurring.