Some of the basic requirements for building an online shopping cart are:
- Allow the customer to add items to the cart
- Allow for different quantities of each item
- Allow the customer to alter the quantities of an item
- Allow the customer to remove items from the cart
In this article, we are going to look at the scripts that make running a shopping cart possible. The sequence of events that lead up to the user adding items to the shopping cart goes as follows:
- The user is shown a product details page with the categories or genres that are available in our store (Pleasure Reading, Inc.).
- The user selects a genre to view.
- A list of all books in that genre is shown.
- The user selects a particular book to view in detail.
- The user is given the option to add the book to the shopping cart with the option of selecting the quantity.
When the user clicks on the "add to cart" button, the integration of the online store front with the shopping cart scripts begins. Here is a list of the scripts involved and what each does:
- Orders.php (the first step in the checkout process): collects the user's personal details, such as credit card numbers and delivery address
- Addtocart.php: adds items to the shopping cart
- Showcart.php: shows the items in the shopping cart
- Delete.php: removes items from the shopping cart
The following code sends the form data to the
The parts marked in red clearly show where the form data is sent. Also note that the
bookID are the only values that are sent to the
Now let's look at how the form data is handled. Below is the code for the
This script is at the heart of the application, so let's walk through it. It receives two form values:
- Book ID in the form of
- Quantity in the form of
Both of these values are a potential security risk, because they arrive as form data and did not originate from you. Therefore, they have to go through a "cleaning" process. This is exactly what happens in the first part of the PHP code:
The above code checks whether the book ID value is numeric using the is_numeric() function. I cannot stress enough how important these checks are: for the sake of security, always perform them, and use additional methods and functions to validate wherever you can. Once the code has verified that the value is what it is supposed to be (i.e., numeric), we filter further by checking whether a book with that ID exists in the database:
If we find that it does not exist, then we redirect the user to the index page:
That's all the filtering we need for the book ID value. Now we need to check the qty value. Both form values are meant to be numeric, so the only effective way of checking the validity of this value is to check whether it is numeric:
Here you see that I created a new variable called
c in the name of the variable indicates that it has been filtered and is "safe" to use in a MySQL query. You will also notice that I've used the mysql_real_escape_string() function to filter the form value. By all means, do further filtering as you see fit.
Throughout the code, I used a Boolean variable called $err, which will eventually be key to this whole script. It will help the script decide whether or not to insert the posted data into the database:
If there is no error in the script, the form data is inserted into the cart_track table. Because we started a session by calling the connect.php script, we are also able to get the session ID with the following code:
This session ID is key to identifying the user throughout the shopping process. The session ID together with the current date will make it easy for us to identify a user. Another function that I used in this script is the
ob_end_flush() functions. These two functions make sure that we don't get the "headers already sent" error message when the script is executed.
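As an added example (not the article's code), here is how the two checks described above, the numeric validation of bookID and qty and the database existence check that sets $err, can be written so they run stand-alone. The function names, the books table and column names, and the use of PDO with an in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions; the article's script uses the mysql_* functions, and this version binds the ID as a query parameter in place of mysql_real_escape_string().

```php
<?php
// Added example (not the article's code): the validation half of an
// addtocart.php-style script, as functions that run offline against SQLite.
// Function names and the books table/column names are assumptions.
declare(strict_types=1);

// Returns ['bookID' => int, 'qty' => int] when both form values are valid,
// or null when the article's $err flag would be set. The database lookup
// is injected as $bookExists so the validation itself never touches a connection.
function cleanCartInput(array $post, callable $bookExists): ?array
{
    // FILTER_VALIDATE_INT is stricter than is_numeric(): it rejects floats
    // ("3.5") and exponent forms ("1e2"), both of which is_numeric() accepts
    // but neither of which is a valid ID or quantity.
    $bookId = filter_var($post['bookID'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $qty = filter_var($post['qty'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);

    $err = ($bookId === false || $qty === false);
    if (!$err && !$bookExists($bookId)) {
        $err = true; // well-formed ID, but no such book: redirect to index
    }
    return $err ? null : ['bookID' => $bookId, 'qty' => $qty];
}

// Existence check with the ID bound as a parameter instead of an escaped string.
function makeBookExistsChecker(PDO $db): callable
{
    return function (int $id) use ($db): bool {
        $stmt = $db->prepare('SELECT 1 FROM books WHERE bookID = :id');
        $stmt->execute([':id' => $id]);
        return $stmt->fetchColumn() !== false;
    };
}

// Constructed demo data: an in-memory SQLite table stands in for the store's MySQL database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE books (bookID INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO books VALUES (42, 'Example Title')");
$exists = makeBookExistsChecker($db);
foreach ([
    ['bookID' => '42', 'qty' => '2'],    // valid: would be inserted into cart_track
    ['bookID' => '42', 'qty' => '1e2'],  // is_numeric() says yes; rejected here
    ['bookID' => '7', 'qty' => '1'],     // well-formed, but no such book
    ['bookID' => '42abc', 'qty' => '1'], // not numeric at all
] as $post) {
    var_export(cleanCartInput($post, $exists));
    echo PHP_EOL;
}
```

Only the first case returns a cleaned array; the other three return null, which is where the article's script would set $err and skip the insert.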
After everything has been executed and no errors have occurred, the script redirects the user to the showcart page, where the contents of the shopping cart are shown together with the total.
As you can see, the showcart page provides the user with the option to remove an item from the shopping cart. This, along with the orders script, will be the subject of discussion in the next page.