payment and delivery storage

pete2000

ok here goes, I have got a script which allows me to store quantity of the product, the customer id and day in a mysql database. That bit works fine, but I also want to store payment and delivery information but I get the error:

Parse error: parse error, unexpected T_STRING on line 21

<html>

<head></head>

<body>

<?php include('loginCheck.php');

$dbcnx = myConnect();
$query = "SELECT $table_basket.PROD_ID, $table_basket.CUST_ID, QUANTITY
			FROM $table_basket, $table_users
			WHERE $table_basket.CUST_ID = $table_users.CUST_ID
			AND $table_users.USERNAME = \"$User\"";
$result=mysql_query($query);
if (! $result) printf ("Error: %s<br>", mysql_error ());

for ($i = 0; $i < mysql_num_rows ($result); $i++) {
	$row = mysql_fetch_row($result);
	$cust_id = $row[1];
	$query = "INSERT INTO $table_order (SET PROD_ID,QUANTITY,CUST_ID,DAY,USERNAME,CREDIT_CARD,CARDHOLDER_NAME,CARDNUMBER,EXPIRATION_DATE,ADDRESS 1,ADDRESS2,CITY,COUNTY,POST_CODE)
    values ('$row[0]','$row[2]','$row[1]','date("Ymd")','$row[3]','$row[4]','$row[5]','$row[6]','$row[7]','$row[8]','$row[9]','$row[10]','$row[11]','$row[12])";

		if (! $result2) printf ("Error: %s<br>", mysql_error ());
};

if (mysql_num_rows ($result)>0) {
	$query = "DELETE FROM $table_basket
				WHERE $table_basket.CUST_ID = $cust_id";
	$result=mysql_query($query);
	if (! $result) printf ("Error: %s<br>", mysql_error ());
};

echo("ORDER SUBMITTED");
include('navigation.php');
?>

</body>

</html>

I hope someone can help,
thank you in advance😃

pete_bisby

It looks like the query within the for loop. You've used double-quotes within the date() function, but PHP thinks you've stopped and started the query string, resulting in the error.

Try the following, and it should get around it:

$query = "INSERT INTO $table_order (SET  PROD_ID,QUANTITY,CUST_ID,DAY,USERNAME,CREDIT_CARD, CARDHOLDER_NAME,CARDNUMBER,EXPIRATION_DATE,ADDRESS1,ADDRESS2,CITY,COUNTY,POST_CODE)
values ('$row[0]','$row[2]','$row[1]','" . date("Ymd" ) . "','$row[3]','$row[4]','$row[5]','$row[6]','$row[7]','$row[8]','$row[9]','$row[10]','$row[11]','$row[12])";

AstroTeg

Have you thought about credit card fraud? You're storing CREDIT_CARD,CARDHOLDER_NAME,CARDNUMBER,EXPIRATION_DATE. That's enough for someone to either hack away at your database, your PHP scripts, or sessions.

pete2000

thanks for your help pete_bisby 😃, but.....i now get a different error and that is

Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING on line 26

The php script now looks like this:

<html>

<head></head>

<body>

<?php include('loginCheck.php');

$dbcnx = myConnect();
$query = "SELECT $table_basket.PROD_ID, $table_basket.CUST_ID, QUANTITY
			FROM $table_basket, $table_users
			WHERE $table_basket.CUST_ID = $table_users.CUST_ID
			AND $table_users.USERNAME = \"$User\"";
$result=mysql_query($query);
if (! $result) printf ("Error: %s<br>", mysql_error ());

for ($i = 0; $i < mysql_num_rows ($result); $i++) {
	$row = mysql_fetch_row($result);
	$cust_id = $row[1];
	$query = "INSERT INTO $table_order (SET   PROD_ID,QUANTITY,CUST_ID,DAY,USERNAME,CREDIT_CARD,
  CARDHOLDER_NAME,CARDNUMBER,EXPIRATION_DATE,ADDRESS
1,ADDRESS2,CITY,COUNTY,POST_CODE) 
values ('$row[0]','$row[2]','$row[1]','" . date("Ymd" ) . " ','$row[3]','$row[4]','$row[5]','$row[6]','$row[7]
','$row[8]','$row[9]','$row[10]','$row[11]','$row[
12])";

		if (! $result2) printf ("Error: %s<br>", mysql_error ());
};

if (mysql_num_rows ($result)>0) {
	$query = "DELETE FROM $table_basket
				WHERE $table_basket.CUST_ID = $cust_id";
	$result=mysql_query($query);
	if (! $result) printf ("Error: %s<br>", mysql_error ());
};

echo("ORDER SUBMITTED");
include('navigation.php');
?>

</body>

</html>

thank you again for helping me

pete2000

Originally posted by AstroTeg
Have you thought about credit card fraud? You're storing CREDIT_CARD,CARDHOLDER_NAME,CARDNUMBER,EXPIRATION_DATE. That's enough for someone to either hack away at your database, your PHP scripts, or sessions.

i have already put the dbfunctions script out of the public domain, will that be enough? Thank you for your feedback 😃

AstroTeg

In the end, its all data.

Just because you put your DB scripts out of reach from the web doesn't mean folks can't get to your data.

You could have a bug in one of your scripts that allows someone to pull data from your database.

A new hack could compromise a buffer overflow allowing someone in as root and they could then browse your data.

You could simply be browsing your data (lets say in phpmyadmin) via a non-SSL connect and someone packet sniffs the data.

These are just 3 examples off the top of my head. There's plenty more possibilities. Will they ever happen? Maybe not. But what if it does? Best case is no one finds out because they can't track it. Worst case is you become news for CNN or wired.com which could open you up to legal problems.

If it was your credit card number, would you still do business with someone who stored it as to how you're doing it?

batman

In your query take off "SET".

Your query....
$query = "INSERT INTO $table_order (SET PROD_ID

I believe that will be looking for a field in the database named "SET PROD_ID"

Make it look like:

$sql = "INSERT INTO table (bla, bla, bla) VALUES('$bla1','$bla2','$bla3')";

Not sure if this will fix it or not, but its worth a shot.

pete2000

thanks for your help batman, cool name, it goes with my background with delboy and rodney dressed up as batman and robin 😃 but back to the subject, I need to hold my hand up here, the reason I got the previous error was because there was space which I sorted out, so thanks again pete_bisby. but...now i get "error" then order submitted and when i check the showorders form, it is blank so it isn't submitting propertly. i take it the error message is coming from the mysql code but i don't know which one or how to sort it out😕 i took your advice batman about removing the "set" but it doesn't make a difference with the new problem.

pete2000

hey astroteg, you do have a point, so how would you advise on getting around the problem? cheers for your help