project report pdf on online shopping in php
#2
Some of the basic requirements for building an online shopping cart are:

Allow the customer to add items to the cart
Allow for different quantities of each item
Allow the customer to alter the quantities of an item
Allow the customer to remove items from the cart
In this article, we are going to look at the scripts that make running a shopping cart possible. The sequence of events that lead up to the user adding items to the shopping cart goes as follows:

The user is shown a product details page with the categories or genres that are available in our store (Pleasure Reading, Inc.).
The user selects a genre to view.
A list of all books in that genre is shown.
The user selects a particular book to view in detail.
The user is given the option to add the book to the shopping cart with the option of selecting the quantity.
When the user clicks on the "add to cart" button, the integration of the online store front with the shopping cart scripts begins. Here is a list of the scripts involved and what each does:

Orders.php (The first step in the checkout process) – Collects the user's personal details, such as credit card numbers and delivery address
Addtocart.php – Adds items to the shopping cart
Showcart.php – Shows the items on the shopping cart
Delete.php – Removes items from the shopping cart
When the user clicks on the "Add to cart" button, like on the book details page shown below, the online bookseller site's integration with the shopping cart is done.
The Book Details Page

The following code sends the form data to the addtocart.php script:

<?php
include "connect.php";
$error=false;
$errormsg="";
//check if
//A) a bookid has been submitted
//B) the submitted value is numeric
if(isset($_GET['bid'])){
    //clean it up
    if(!is_numeric($_GET['bid'])){
        //Non numeric value entered. Someone tampered with the book id
        $error=true;
        $errormsg=" Security, Serious error. Contact webmaster: bid enter: ".$_GET['bid']."";
    }else{
        //book_id is a numeric value
        //clean it up
        $cbID=mysql_escape_string($_GET['bid']);
        $query ="SELECT * from books INNER JOIN genres ON genID=gen_id WHERE book_id='".$cbID."' ";
        $results=mysql_query($query);
        if($results){
            $num = mysql_num_rows($results);
            $row=mysql_fetch_assoc($results);
            $authno=$row['authID'];
            //run a query to get the auth name
            if($authno > 0){
                $query_auth ="SELECT * from author WHERE auth_id='".$authno."' ";
                $results_auth=mysql_query($query_auth);
                $row_auth=mysql_fetch_assoc($results_auth);
                $auth=$row_auth['auth_name'];
            }
        }//results
        else{
            //there's a query error
            $error=true;
            $errormsg .=mysql_error();
        }//result test
    }//numeric
}//if isset
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Pleasure Reading Inc::Book Detail: <?php echo $row['title'];?></title>
</head>
<body>
<table width="100%" border="0">
<tr>
<td colspan="3"><h1>Pleasure Reading Inc. - Book Detail </h1></td>
</tr>
<tr>
<td colspan="3"><b><a href="listbooks.php?catid=<?php echo trim(stripslashes($row['gen_id']));?>&catname=<?php echo stripslashes(strtoupper($row['gen_name']));?>"><?php echo stripslashes(strtoupper($row['gen_name']));?></a> > <?php echo $row['title'];?> </b></td>
</tr>
<tr>
<td width="12%"> </td>
<td width="19%"> </td>
<td width="69%"> </td>
</tr>
<tr>
<td rowspan="5" valign="top"><img src="images/<?php echo $row['book_img'];?>" width="112" height="108" /></td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><strong>Price:</strong></td>
<td><?php echo "£".$row['price'];?></td>
</tr>
<tr>
<td><strong>ISBN:</strong></td>
<td><?php echo $row['ISBN'];?></td>
</tr>
<tr>
<td><strong>Publication Date: </strong></td>
<td><?php echo $row['date_of_pub'];?></td>
</tr>
<tr>
<td><strong>Author:</strong></td>
<td><?php echo $auth;?></td>
</tr>
<form action="addtocart.php" method="post">
<tr>
<td> </td>
<td><strong>Quantity</strong></td>
<td><label>
<select name="qty">
<?php
for($i=1; $i<12; $i++) {
    echo '<option value='.$i.'>'.$i.'</option>';
}
?>
</select>
</label>
<input name="bid" type="hidden" value="<?php echo $row['book_id']?>" />
</td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><label>
<input type="submit" name="submit" value="Add to Cart" />
</label></td>
</tr>
</form>
</table>
</body>
</html>
The parts marked in red clearly show where the form data is sent. Also note that the quantity and bookID are the only values that are sent to the addtocart.php script.

Now let's look at how the form data is handled. Below is the code for the addtocart script:

<?php
ob_start();
include "connect.php";
$err=false;
//clean the data:
//1.check if bookid is numeric
//2.then escape it with mysql_escape string
//3.then test to see if a book with that ID exist
if(!is_numeric($_POST['bid'])){
    //Non numeric value entered. Someone tampered with the book id
    //use $err here too, so the insert below is skipped
    $err=true;
    $errormsg=" Security, Serious error. Contact webmaster: bid entered: ".$_POST['bid']."";
}else{
    //book_id is a numeric value
    //Now, lets see if that book ID is valid: run a query
    $cbID=mysql_escape_string($_POST['bid']);
}
//Now that the bookid is clean, lets test its validity
$bidcheck = "SELECT title FROM books WHERE book_id='".$cbID."'";
$result=mysql_query($bidcheck);
//a query that matches no rows still returns a result, so count the rows
if(!$result || mysql_num_rows($result)==0){
    $err=true;
    //bookid not valid, sent to index page
    header("location:index.php");
    exit;
}
//now, clean the other form value - quantity
//since it comes from a select-menu it is pretty secure
//but it is still worth filtering, just in case
if(!is_numeric($_POST['qty'])){
    $err=true;
}else{
    $cqty=mysql_escape_string($_POST['qty']);
}
if(!$err){
    $PHPSESSID=session_id();
    //(session_id,bid,date_added,qty)
    //$td (the current date) is not set in this script; assumed to come from connect.php
    $addtocart="INSERT INTO cart_track SET session_id='".$PHPSESSID."',bid='".$cbID."',date_added ='".$td."',qty='".$cqty."'";
    mysql_query($addtocart);
    //go to showcart
    header("location:showcart.php");
    exit;
}
ob_end_flush();
?>
This script is at the heart of the application, so let's walk through it. It receives two form values:

Book ID – in the form of bid
Quantity – in the form of qty
Both these values are potential security vulnerabilities, because they did not originate from you. Therefore, they have to go through a "cleaning" process. This is exactly what happens in the first part of the PHP code:

ob_start();
include "connect.php";
//clean the data:
//1.check if bookid is numeric
//2.then escape it with mysql_escape string
//3.then test to see if a book with that ID exist
if(!is_numeric($_POST['bid'])){
    //Non-numeric value entered. Someone tampered with the book id
    //$err is the flag tested before the insert
    $err=true;
    $errormsg=" Security, Serious error. Contact webmaster: bid entered: ".$_POST['bid']."";
}else{
The above code checks if the book ID value is numeric using the is_numeric() function. I cannot stress enough the importance of doing these checks. For the sake of security, by all means do the checks and use other methods and functions to validate. When the code verifies that the value is what it is supposed to be (i.e., it's numeric), we do further filtering by checking to see if a book with that ID exists in the database:

    //book_id is a numeric value
    //Now, lets see if that book ID is valid: run a query
    $cbID=mysql_escape_string($_POST['bid']);
}
//Now that the bookid is clean, lets test its validity
$bidcheck = "SELECT title FROM books WHERE book_id='".$cbID."'";
$result=mysql_query($bidcheck);
If we find that it does not exist, then we redirect the user to the index page:

//a query that matches no rows still returns a result, so count the rows
if(!$result || mysql_num_rows($result)==0){
    $err=true;
    //bookid not valid, sent to index page
    header("location:index.php");
    exit;
}
That's all the filtering we need for the book ID value. Now we need to check the qty value. Both form values are meant to be numeric, so the only effective way of checking the validity of this value is to check if it is numeric:

//now, clean the other form value - quantity
//since it comes from a select-menu it is pretty secure
//but it is still worth filtering, just in case
if(!is_numeric($_POST['qty'])){
    $err=true;
}else{
    $cqty=mysql_escape_string($_POST['qty']);
}
Here you see that I created a new variable called $cqty. The c in the name of the variable indicates that it has been filtered and is "safe" to use in a MySQL query. You will also notice that I've used the mysql_real_escape_string() function to filter the form value. By all means, do further filtering as you see fit.

Throughout the code, I used a Boolean variable called $err, which will eventually be key to this whole script. It will help the script decide whether to insert the posted data into the data or not:

if(!$err){
    $PHPSESSID=session_id();
    //(session_id,bid,date_added,qty)
    $addtocart="INSERT INTO cart_track SET session_id='".$PHPSESSID."',bid='".$cbID."',date_added ='".$td."',qty='".$cqty."'";
    mysql_query($addtocart);
    //go to showcart
    header("location:showcart.php");
    exit;
}
ob_end_flush();
If there is no error in the script, the form data is inserted into the cart_track table. Because we started a session by calling the connect.php script, we are also able to get the session ID with the following code:

$PHPSESSID=session_id();
This session ID is key to identifying the user throughout the shopping process. The session ID together with the current date will make it easy for us to ID a user. Other functions that I used in this script are the ob_start() and ob_end_flush() functions. These two functions make sure that we don't get the "headers already sent" error message when the script is executed.

After everything has been executed and no errors occur, the script redirects the user to the showcart page (see page link below) where the contents of the shopping cart are shown together with the total.
Reply
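
An added example, not part of the original post: the add-to-cart step with strict integer validation and parameterized queries, since is_numeric() also accepts values such as "1e3", "1.5" and "-3". The function names validInt() and addToCart(), the in-memory SQLite database (standing in for the MySQL connection) and the sample rows are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added example. validInt() and addToCart() are hypothetical names; an
// in-memory SQLite database stands in for the store's MySQL connection.

function validInt($raw, int $min, int $max): ?int {
    // Whole numbers inside [min, max] only. Rejects "1e3", "1.5" and "-3",
    // all of which pass is_numeric().
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

function addToCart(PDO $db, string $sessionId, array $post): bool {
    $bid = validInt($post['bid'] ?? null, 1, PHP_INT_MAX);
    $qty = validInt($post['qty'] ?? null, 1, 11); // the form's select offers 1..11
    if ($bid === null || $qty === null) {
        return false;
    }
    // A SELECT that matches nothing still succeeds, so test the fetched row.
    $check = $db->prepare('SELECT title FROM books WHERE book_id = ?');
    $check->execute([$bid]);
    if ($check->fetchColumn() === false) {
        return false;
    }
    // Placeholders keep every value out of the SQL text.
    $ins = $db->prepare(
        'INSERT INTO cart_track (session_id, bid, date_added, qty) VALUES (?, ?, ?, ?)');
    $ins->execute([$sessionId, $bid, date('Y-m-d'), $qty]);
    return true;
}

// Constructed sample data, not taken from the original post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE books (book_id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE cart_track (session_id TEXT, bid INTEGER, date_added TEXT, qty INTEGER)');
$db->exec("INSERT INTO books VALUES (1, 'Sample Title')");

$cases = [
    ['bid' => '1',  'qty' => '2'],    // valid request
    ['bid' => '1',  'qty' => '1e3'],  // numeric, but not an integer quantity
    ['bid' => '1',  'qty' => '-3'],   // negative quantity
    ['bid' => '99', 'qty' => '1'],    // well-formed id with no matching book
];
foreach ($cases as $c) {
    $ok = addToCart($db, 'constructed-session-id', $c);
    echo json_encode($c), ' => ', $ok ? 'added' : 'rejected', "\n";
}
```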

Messages In This Thread
project report pdf on online shopping in php - by Guest - 25-07-2016, 06:22 PM
RE: project report pdf on online shopping in php - by jaseela123d - 26-07-2016, 12:34 PM
