Hello. I have made a simple PHP script but would like to add some nice features to it, such as a way of monitoring the sessions and timing out users after a specific time. Also, I would like the customer interface to be the default. Any other suggestions for improving the script are welcome. Currently, the script is not secure in terms of the admin logging in and editing stock. Of course, I would like a secure way for the admin to log in with the admin name and password. Thanks in advance.
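<?php
// Bookshop front page. One script serves both interfaces: the customer
// interface (the default) and the owner interface, chosen by the session's
// "status" value. All per-user state lives in $_SESSION and request fields
// are read explicitly from $_POST; a posted field can therefore never
// overwrite session state (the earlier extract($_POST) let a request set
// $status and $owner_confirmed directly, which skipped the password check).
session_start();

// Session defaults: customer interface, empty cart.
if (!isset($_SESSION['status'])) $_SESSION['status']="customer";
if (!isset($_SESSION['totalitems'])) $_SESSION['totalitems']=0;
if (!isset($_SESSION['cart'])) $_SESSION['cart']=null;

// Submit buttons are present in $_POST only when that button was pressed.
$changestatus=isset($_POST['changestatus']);
$continue=isset($_POST['continue']);
$passwordenter=isset($_POST['passwordenter']);
$newitem=isset($_POST['newitem']);
$additem=isset($_POST['additem']);
$delitem=isset($_POST['delitem']);
$checkout=isset($_POST['checkout']);
// Text fields; an absent field becomes the empty string.
$password=isset($_POST['password']) ? (string)$_POST['password'] : '';
$itemindex=isset($_POST['itemindex']) ? trim((string)$_POST['itemindex']) : '';
// Form target. PHP_SELF echoes part of the request URL, so it is escaped
// before being placed in an attribute (the original also misspelt $_SERVER).
$self=htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

// Switch between the owner and customer interfaces.
if ($changestatus)
{
    if ($_SESSION['status']=="owner")
    {
        $_SESSION['status']="customer";
        // Leaving the owner interface ends the owner login, so the next
        // switch to owner asks for the password again.
        unset($_SESSION['owner_confirmed']);
    }
    else $_SESSION['status']="owner";
}
$status=$_SESSION['status'];

// "Continue shopping" after checkout: start again with an empty cart.
if ($continue)
{
    $_SESSION['cart']=null;
    $_SESSION['totalitems']=0;
}

// Make sure the stock table exists.
create_stock_table();

if ($status=="owner")
{
    if (!isset($_SESSION['owner_confirmed']))
    {
        // Owner functionality is only reachable after the password check.
        if (!$passwordenter)
        {
            // Ask for the password.
            ?>
<html>
<head><title>Owner Verification</title></head>
<body>
<form action="<?=$self?>" method="post">
<p>Enter Password:<input type="password" name="password"/>
<input type="submit" name="passwordenter" value="Enter"/></p>
</form>
</body>
</html>
<?php
            die();
        }
        // hash_equals compares strictly and in constant time. The password
        // itself should live in a config file outside the web root and be
        // stored as a password_hash(), not as a literal in this script.
        if (!hash_equals("Hello", $password))
        {
            ?>
<html>
<head><title>Verification Failed</title></head>
<body><p>Verification Failure</p></body>
</html>
<?php
            die();
        }
        // Fresh session id on login, so a session id obtained before
        // authentication cannot be reused as an owner session.
        session_regenerate_id(true);
        $_SESSION['owner_confirmed']="true";
    }
    // Add a new item to the database.
    if ($newitem)
    {
        new_stock_item(
            isset($_POST['author']) ? (string)$_POST['author'] : '',
            isset($_POST['title']) ? (string)$_POST['title'] : '',
            isset($_POST['price']) ? (string)$_POST['price'] : '',
            isset($_POST['number']) ? (string)$_POST['number'] : ''
        );
    }
}
else
{
    // Customer functionality: edit the cart held in the session.
    $cart=$_SESSION['cart'];
    if (($additem || $delitem) && $itemindex!=='')
    {
        $idx=(int)$itemindex;
        // Only an index that names an existing stock row is accepted;
        // anything else leaves the cart unchanged.
        $item=get_stock_item($idx);
        if ($additem && !empty($item))
        {
            // Add one of the item to the cart.
            if (!isset($cart[$idx])) $cart[$idx]=1;
            else $cart[$idx]++;
            $_SESSION['totalitems']++;
        }
        if ($delitem && isset($cart[$idx]))
        {
            // Remove one of the item from the cart.
            if ($cart[$idx]>1) $cart[$idx]--;
            else unset($cart[$idx]);
            $_SESSION['totalitems']--;
            if ($_SESSION['totalitems']<=0)
            {
                $cart=null;
                $_SESSION['totalitems']=0;
            }
        }
        $_SESSION['cart']=$cart;
    }
}
?>
<html>
<head><title>Bookshop</title></head>
<body>
<form action="<?=$self?>" method="post">
<?php if ($status=="customer")
{ ?>
<h2>Customer Interface</h2>
<?php if ($checkout)
{ ?>
<h3>Checkout:</h3>
<?php generate_order($_SESSION['cart']); ?>
<p><input type="submit" name="continue" value="Continue shopping"/></p>
<?php }
else
{ ?>
<h3>Items Currently In Stock:</h3>
<?php list_stock(); ?>
<p>
Index Number:<input type="text" name="itemindex"/>
<input type="submit" name="additem" value="Add"/>
<input type="submit" name="delitem" value="Remove"/>
</p>
<h3>Items In Shopping Cart:</h3>
<?php list_cart($_SESSION['cart']); ?>
<p>
<input type="submit" name="checkout" value="Proceed to checkout"/>
<input type="submit" name="changestatus" value="Log in as owner"/>
</p>
<?php }
}
else
{ ?>
<h2>Owner Interface</h2>
<h3>Add New Item:</h3>
<p>
Author:<input type="text" name="author"/>
Title:<input type="text" name="title"/>
Price:<input type="text" name="price"/>
Number:<input type="text" name="number"/>
</p>
<p><input type="submit" name="newitem" value="Add item to database"/></p>
<p><input type="submit" name="changestatus" value="Log in as customer"/></p>
<?php } ?>
</form>
</body>
</html>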
<?php
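function create_stock_table()
{
    // Creates the Stock table if it does not already exist. Without
    // IF NOT EXISTS the statement fails on every request after the first;
    // the failure was silently ignored, which is why the page still worked.
    // price and number are VARCHAR(5) here, so callers that do arithmetic
    // on them have to convert the values first.
    $conn=connect();
    mysql_query("CREATE TABLE IF NOT EXISTS Stock (indx INT(3) NOT NULL PRIMARY KEY AUTO_INCREMENT,
author VARCHAR(30),
title VARCHAR(30),
price VARCHAR(5),
number VARCHAR(5))", $conn);
    disconnect($conn);
}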
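function new_stock_item($author,$title,$price,$number)
{
    // Insert a new item into the stock table.
    // All four values come from the owner's form and used to be interpolated
    // into the INSERT unescaped; they are escaped for the open link here.
    // price and number are VARCHAR columns, so they are escaped like the
    // text fields rather than cast to numbers.
    $conn=connect();
    $author=mysql_real_escape_string((string)$author,$conn);
    $title=mysql_real_escape_string((string)$title,$conn);
    $price=mysql_real_escape_string((string)$price,$conn);
    $number=mysql_real_escape_string((string)$number,$conn);
    mysql_query("INSERT INTO Stock (author,title,price,number)
VALUES ('$author','$title','$price','$number')", $conn);
    disconnect($conn);
}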
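function list_stock()
{
    // Print the whole stock table as an HTML table.
    // Every cell is escaped: author and title are owner-entered text and
    // were previously written into every customer page as raw markup.
    // Also closes each row with </tr> (the original emitted <tr> twice).
    $conn=connect();
    $res_table=mysql_query("SELECT * FROM Stock", $conn);
    if ($res_table)
    {
        print("<table border='1'><thead><th>Index</th><th>Author</th><th>Title</th><th>Price</th><th>Number</th></thead><tbody>");
        $columns=array('indx','author','title','price','number');
        while ($row=mysql_fetch_array($res_table, MYSQL_ASSOC))
        {
            print("<tr>");
            foreach ($columns as $col)
            {
                $cell=isset($row[$col]) ? (string)$row[$col] : '';
                print("<td>".htmlspecialchars($cell, ENT_QUOTES, 'UTF-8')."</td>");
            }
            print("</tr>");
        }
        print("</tbody></table>");
        mysql_free_result($res_table);
    }
    disconnect($conn);
}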
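function list_cart($cart)
{
    // Print the cart (stock index => quantity) with title and price looked
    // up from the stock table. A null or empty cart prints a placeholder
    // instead of an empty table. Cell text is escaped before output.
    if (empty($cart))
    {
        print("<p>The cart is currently empty</p>");
        return;
    }
    print("<table border='1'><thead><th>Index</th><th>Title</th><th>Price</th><th>Number</th></thead><tbody>");
    foreach ($cart as $idx=>$num)
    {
        $item=get_stock_item($idx);
        // An index with no stock row any more is skipped rather than
        // producing a row of undefined values.
        if (empty($item)) continue;
        print("<tr>"
            ."<td>".htmlspecialchars((string)$item['indx'], ENT_QUOTES, 'UTF-8')."</td>"
            ."<td>".htmlspecialchars((string)$item['title'], ENT_QUOTES, 'UTF-8')."</td>"
            ."<td>".htmlspecialchars((string)$item['price'], ENT_QUOTES, 'UTF-8')."</td>"
            ."<td>".(int)$num."</td>"
            ."</tr>");
    }
    print("</tbody></table>");
}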
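function generate_order($cart)
{
    // Print the order for the cart (stock index => quantity) and deduct the
    // ordered quantities from stock.
    // NOTE: stock is deducted as a side effect of rendering this page, so
    // reloading the checkout page deducts again; a real order should be
    // committed once, separately from display.
    if (empty($cart))
    {
        print("<p>The cart is currently empty</p>");
        return;
    }
    print("<table border='1'><thead><th>Index</th><th>Title</th><th>Price</th><th>Number</th></thead><tbody>");
    $total=0;
    // Explicitly initialised; the original relied on an undefined variable.
    $notenough=false;
    foreach ($cart as $idx=>$num)
    {
        $item=get_stock_item($idx);
        if (empty($item)) continue;
        // number and price are VARCHAR columns, so convert before arithmetic.
        $num=(int)$num;
        $instock=(int)$item['number'];
        if ($instock>=$num)
        {
            update($idx,$instock-$num);
        }
        else
        {
            // Not enough in stock: sell what is left and flag the shortfall.
            $num=$instock;
            update($idx,0);
            $notenough=true;
        }
        $total+=$num*(float)$item['price'];
        print("<tr>"
            ."<td>".htmlspecialchars((string)$item['indx'], ENT_QUOTES, 'UTF-8')."</td>"
            ."<td>".htmlspecialchars((string)$item['title'], ENT_QUOTES, 'UTF-8')."</td>"
            ."<td>".htmlspecialchars((string)$item['price'], ENT_QUOTES, 'UTF-8')."</td>"
            ."<td>$num</td>"
            ."</tr>");
    }
    print("<tr><td colspan='3'>Total Price (£):</td><td>$total</td></tr></tbody></table>");
    if ($notenough) print("<p>We regret there is insufficient stock to cover all of your order</p>");
}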
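function get_stock_item($index)
{
    // Fetch the stock row for one index.
    // The index is cast to int before it is placed in the query: this is
    // the only route by which a request value reaches SQL here, and the
    // original interpolated it unquoted and unchecked.
    // Returns the row as mysql_fetch_array gives it (both column names and
    // numeric keys), or null when there is no such row or the query failed
    // (the original returned an undefined variable in that case).
    $index=(int)$index;
    $item_array=null;
    $conn=connect();
    $res_table=mysql_query("SELECT * FROM Stock WHERE indx=$index", $conn);
    if ($res_table)
    {
        $row=mysql_fetch_array($res_table);
        if ($row) $item_array=$row;
        mysql_free_result($res_table);
    }
    disconnect($conn);
    return $item_array;
}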
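function update($index,$number)
{
    // Set the quantity in stock for one item.
    // Both values are cast to int before interpolation so that no
    // request-derived text can reach the query.
    $index=(int)$index;
    $number=(int)$number;
    $conn=connect();
    mysql_query("UPDATE Stock SET number='$number' WHERE indx='$index'", $conn);
    disconnect($conn);
}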
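function connect()
{
    // Open a link to the database server and select the shop schema.
    // The return value of both calls was previously ignored, so a failed
    // connection only showed up as warnings from later queries; now the
    // detail goes to the error log and the user sees a generic message.
    // NOTE: the credentials are embedded in the script; they belong in a
    // config file outside the web root. The mysql_* extension itself was
    // removed in PHP 7, so this needs porting to mysqli or PDO.
    $connection=mysql_connect("ftemysql","ku12881","carstairs");
    if ($connection===false)
    {
        error_log("Bookshop: database connection failed: ".mysql_error());
        die("Database unavailable");
    }
    if (!mysql_select_db("ku12881",$connection))
    {
        error_log("Bookshop: could not select database: ".mysql_error($connection));
        mysql_close($connection);
        die("Database unavailable");
    }
    return $connection;
}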
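function disconnect($connection)
{
    // Close the link opened by connect().
    // A failed connect() returns false; closing that would only add a
    // warning, so it is skipped.
    if ($connection!==false) mysql_close($connection);
}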
?>