Reload problem to rectify cookie...

darthmahon

Hi,

Ok I am currently making a shopping cart and have a problem. I am using cookies to keep track of a users shopping cart and when they add an item, I need it to redirect them to the product the just ordered but also, to show a little summary of their cart on the page. Now this is the code I am using:

$product = $_REQUEST['pid'];
$quantity = 1;
$cart = new Cart($cart_id); 
$cart->add_item($product, $quantity);
echo "<h2>Item Added to Shopping Basket</h2>";
echo "<p>Thank you for adding the item to your shopping basket.</p>";
echo "<p><a href=\"index.php?section=Checkout\">Checkout</a> or ";
echo "<a href=\"".$_SERVER['HTTP_REFERER']."\">go back to previous product.</a></p>";

Now, the above code kicks in when the user clicks the Add to Basket button.

This is some of the class I am using that you saw initiated above:

// Add item to cart
function add_item($product, $quantity) {

// Select data for product
$query = "SELECT fld_quantity FROM " . $this->inv_table .
" WHERE fld_pid='$product'";

$result = mysql_query($query, $this->dblink);

$row = mysql_fetch_array($result);

// Quantity greater than stock level
if($quantity > $row['fld_quantity']) return false;

mysql_free_result($result);

// Check not ordering more than total amount
$qty = $this->check_item($product);

// Product not already added to cart, add new
if($qty == 0) {

	// Insert into database
	$query = "INSERT INTO ".$this->cart_table
	. " (fld_id, fld_pid, fld_cartid, fld_amount, fld_date, fld_time) VALUES ";
	$query .= "('', '$product', '".$this->cart_id."',  '$quantity',CURRENT_DATE(), CURRENT_TIME()) ";
	mysql_query($query, $this->dblink);

} else { // Product already added to cart, update quantity for that product

	// Add one to quantity
	$quantity += $qty;

	// Update database
	$query = "UPDATE ".$this->cart_table .
	" SET fld_amount='$quantity' WHERE fld_cartid='".$this->cart_id."' AND ";
	$query .= "fld_pid='$product' ";
	mysql_query($query, $this->dblink);

}
return true;
}

This is the cookie being set for $cart_id:

// no cookie set for cart
if(!isset($HTTP_COOKIE_VARS['DCP_Cart'])) {

// create random cart id
$cart_id = md5(uniqid(rand()));

// set cookie for cart
setcookie("DCP_Cart", $cart_id, time() + 14400);

// cart cookie already set, use it
} else {

$cart_id = $HTTP_COOKIE_VARS['DCP_Cart'];

}

This is the script that shows if something has been added to the cart:

<?
// check to see if there are items in the users cart
$cart = new Cart($cart_id);
if ($cart->num_items() > 0) { ?>

<img src="../_img/img_cart.jpg" alt=" " width="17" height="34" title=" "/><br />
</br><a href="#"> <? echo _txt_VALIDATEORDER_; ?></a> 

<? } ?>

Any ideas on how to get this to show as soon as I add a product...the problem seems to be where I say thankyou, I would like to have a refresh of the page there but I can't do it with the PHP Location function as it's not at the top of the page and it gives me errors about headers already being sent.

Anyone think of a better way to update this?

Cheers,
Chris

PHPMagician

Process the form, set the cookie, THEN redirect to the thankyou page which will enable you to determine if the cookie exists or not. Another option would be to use the http-equiv refresh tag (http://www.indiana.edu/~wmhome/tool_guide_info/refresh_metatag.shtml)

WARNING: This script, as is, seems to be suceptible to SQL Injection. This is definelty not something you want in shopping cart software. Use intval (http://ie2.php.net/intval) on the product ID, and make sure ', " and \ are all slashed (the directive magic_quotes_gpc may be doing this, your code should determine if it is). If you unaware of what SQL Injection is, it is vital that you do some research on the topic.

darthmahon

META refresh seems to be the easiest solution, works for me now.

Yes I had wondered about this whole SQL inject thing, any bits of my code in particular that are subject to it - or just the majority?

Cheers,
Chris

PHPMagician

Basically, Your product ID is.

For instance, if some wrote the product ID to be like: UNION SELECT cc_number as fld_quanity FROM credit_cards_numbers

They could possibly (depends on version of MySQL) view all the credit card details of the database. Even if you don't store credit cards, there are passwords (hashed or not, not something you want to give out). There are various possible things you can do for various different RDBMSs, ranging in severity. Best to be immune from all. I strongly suggest reading tutorials on it - the PHP manual is a good start for some possible scenarios.

http://www.php.net/manual/en/security.database.php

If you haven't already, I would suggest that you read the whole security section of the php manual, and do extensive research on the topic of security - very important, especially for an application like yours. XSS, session hijacking, SQL Injection, directory tranversal, are common problems which could lead to serious problems. Halt your project for a little while if possible and review these topics and more.

Good Luck