Home/ Questions/Q 6777989
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T16:12:49+00:00

I have a shopping cart which at this point in time sends items that

  • 0

I have a shopping cart which at this point in time sends items that are brought by the customer to the database, but now I have included a login system whereby you have to be a member before you purchase an item. I have kept the logged in user in a session and so I am trying to send the session variable to the database as well once an order has been made. At the moment, I have three tables which are customers, orders and order_detail (see the following code):

session_start();
?>
<?php
if(!isset($_SESSION["username"]))
{
    header("Location: shoppinglogin.php");
}
?>

<?
    include("includes/db.php");
    include("includes/functions.php");

    if($_REQUEST['command']=='update'){
        $name=$_REQUEST['name'];
        $email=$_REQUEST['email'];
        $address=$_REQUEST['address'];
        $phone=$_REQUEST['phone'];

        $result=mysql_query("insert into customers values('','$name','$email','$address','$phone')");
        $customerid=mysql_insert_id();
        $date=date('Y-m-d');
        $result=mysql_query("insert into order values('','$date','$customerid')");
        $orderid=mysql_insert_id();

        $max=count($_SESSION['cart']);
        for($i=0;$i<$max;$i++){
            $pid=$_SESSION['cart'][$i]['productid'];
            $q=$_SESSION['cart'][$i]['qty'];
            $price=get_price($pid);
            mysql_query("insert into order_detail values ($orderid,$pid,$q,$price)");
        }
        die('Thank You! your order has been placed!');
        session_unset(); 
    }
?>

I have changed it into the following code:

 <?php

session_start();
?>
<?php
if(!isset($_SESSION["username"]))
{
    header("Location: shoppinglogin.php");
}
?>

<?
    include("includes/db.php");
    include("includes/functions.php");

    if($_REQUEST['command']=='update'){
        $name=$_REQUEST['name'];
        $email=$_REQUEST['email'];
        $address=$_REQUEST['address'];
        $phone=$_REQUEST['phone'];

$max=count($_SESSION['cart']);
        for($i=0;$i<$max;$i++){
            $orderid=mysql_insert_id();
            $pid=$_SESSION['cart'][$i]['productid'];
            $q=$_SESSION['cart'][$i]['qty'];
            $price=get_price($pid);
            $date=date('Y-m-d');
            $user=$_SESSION['username'];
            mysql_query("insert into order values ($orderid,$pid,$q,$price,$date,$user)");
        }
        die('Thank You! your order has been placed!');
        session_unset(); 
    }
?>

the code above does not insert anything into my order table.

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Ugh. Database operations with absolutely NO error handling at all. Assuming a DB query succeeds only gets you into situations like this – no clue as to what’s wrong.

    At absolutely bare mininum, your DB operations should look like this:

    $sql = "... query goes here ..."
$result = mysql_query($sql);
if ($result === FALSE) {
   die("Query failed!" . mysql_error() . $sql);
}

    which at least stops the script dead in its tracks, tells you that the query failed, tells you WHY it failed, and tells you what the query was.

    As well, your code is WIDE OPEN to SQL injection attacks. This is especially bad in what is obviously an e-commerce setup. I suggest you immediately SHUT DOWN this system until you’ve had a chance to read up on this and plug the holes.

    • 0