I have a php file that includes two functions, one to connect to the database and one to set cookied for the cart. Here is that file:
<?php
$dbServer="localhost";
$dbName="test";
function ConnectToDb($server, $database){
$s=@mysql_connect($server);
$d=@mysql_select_db($database, $s);
if(!$s || !$d)
return false;
else
return true;
}
function GetCartId(){
if(isset($_COOKIE["cartId"])){
return $_COOKIE["cartId"];
}
else {
session_start();
setcookie("cartId", session_id(), time()+((3600*24)*30));
return session_id();
}
}
?>
The function for connecting to the database works well in another php file for this particular program. I am having a problem with it in this file:
<?php
include("db.php");
switch($_GET["action"]) {
case "add_item":
{
AddItem($_GET["id"], $_GET["qty"]);
ShowCart();
break;
}
case "update_item": {
UpdateItem($_GET["id"], $_GET["qty"]);
ShowCart();
break;
}
case "remove_item": {
RemoveItem($_GET["id"]);
ShowCart();
break;
}
default: {
ShowCart();
}
}
function AddItem($itemId, $qty) {
// Will check whether or not this item
// already exists in the cart table.
// If it does, the UpdateItem function
// will be called instead
$cxn = @ConnectToDb($dbServer, $dbName);
// Check if this item already exists in the users cart table
$result = mysql_query("select count(*) from cs368_cart where cookieID = '" . GetCartID() . "' and itemId = $itemId");
$row = mysql_fetch_row($result);
$numRows = $row[0];
if($numRows == 0) {
// This item doesn't exist in the users cart,
// we will add it with an insert query
@mysql_query("insert into cs368_cart(cookieID, itemId, qty) values('" . GetCartID() . "', $itemId, $qty)");
}
else {
// This item already exists in the users cart,
// we will update it instead
UpdateItem($itemId, $qty);
}
}
function UpdateItem($itemId, $qty) {
// Updates the quantity of an item in the users cart.
// If the qutnaity is zero, then RemoveItem will be
// called instead
$cxn = @ConnectToDb($dbServer, $dbName);
if($qty == 0) {
// Remove the item from the users cart
RemoveItem($itemId);
}
else {
mysql_query("update cs368_cart set qty = $qty where cookieID = '" . GetCartID() . "' and itemId = $itemId");
}
}
function RemoveItem($itemId) {
// Uses an SQL delete statement to remove an item from
// the users cart
$cxn = @ConnectToDb($dbServer, $dbName);
mysql_query("delete from cs368_cart where cookieID = '" . GetCartID() . "' and itemId = $itemId");
}
function ShowCart() {
// Gets each item from the cart table and display them in
// a tabulated format, as well as a final total for the cart
$cxn = @ConnectToDb($dbServer, $dbName);
$result = mysql_query("select * from cs368_cart inner join cs368_products on cart.itemId =
items.itemId where cart.cookieID = '" . GetCartID() . "' order by items.itemName asc")
or die("Query to get test in function ShowCart failed with error: ".mysql_error());
?>
What can I do the remedy this problem? Thanks!
First: lose the @, and put some proper error handling in there (those functions return false when something goes wrong, and you can use mysql_error and mysql_errno to log it).
Second: mysql_real_escape_string and intval on those $_GET parameters before someone sneaks in some extra code through the URL.
Third: you’re accessing $dbServer and $dbName as variables local to the function UpdateItem, rather than global to the script. You should only connect to the database once (in the original db.php file), and let the query functions take care of the rest (since there’s only one connection, they all default to that one anyway).