Building an Online Shop's Product Detail Page

In the previous article we looked at how to create an online shopping front. We also created and normalized the database tables needed to run this part of the shopping experience. However, we did not complete the process of viewing individual products. We are going to complete that process in this article and then we will look at how to create a shopping cart mechanism for the remainder of the series.

So let's continue to create the PHP page that will help us view the details of a book that a user wants to view. Here's how a user gets to this page. First, the user is offered a chance to select from a list of categories of the type of books that they want to read. Types can include for example Comedy or Thriller or Romance, etc. Once the user has selected a category, a list of all of the books in that category will be displayed. If the user wants to view a particular book, then all they have to do is click on the title of the book and all of the details of the book such as the title, price and ISBN number will be displayed to them. This is what we are going to look at in the first part of this article. Below is a screen shot of what this page looks like:

Figure 1

In the picture above you can clearly see the all of the details of the chosen book; details such as how much the book costs, its ISBN number, author and publication date. The page also provides you with a drop down box in which you select the number of copies you want. Once the user clicks on the "Add to Cart" button, the chosen book will be added to the cart and then the cart itself will be shown to the user. Now, for the code. Create a PHP document called bookdetails.php and add the following code:

<?php include "connect.php"; $error=""; $errormsg=""; //check if //A) a bookid has been submitted //B) the submitted value is numeric if(isset($_GET['bid'])){ //clean it up if(!is_numeric($_GET['bid'])){ //Non numeric value entered. Someone tampered with the bookid $error=true; $errormsg=" Security, Serious error. Contact webmaster: bid enter: ".$_GET['bid'].""; }else{ //book_id is numeric number //clean it up $cbID=mysql_escape_string($_GET['bid']); $query ="SELECT * from books INNER JOIN genres ON genID=gen_id WHERE book_id='".$cbID."' "; $results=mysql_query($query); if($results){ $num = mysql_num_rows($results); $row=mysql_fetch_assoc($results); $authno=$row['authID']; //run a query to get the auth name if($authno > 0){ $query_auth ="SELECT * from author WHERE auth_id='".$authno."' "; $results_auth=mysql_query($query_auth); $row_auth=mysql_fetch_assoc($results_auth); $auth=$row_auth['auth_name']; } }//results else{ //there's a query error $error=true; $errormsg .=mysql_error(); }//result test }//numeric }//if isset ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Pleasure Reading Inc::Book Detail: <?php echo $row['title'];?></title> </head> <body> <table width="100%" border="0"> <tr> <td colspan="3"><h1>Pleasure Reading Inc. - Book Detail </h1></td> </tr> <tr> <td colspan="3"><b><a href="listbooks.php?catid=<?php echo trim(stripslashes($row['gen_id']));?>&catname=<?php echo stripslashes(strtoupper($row['gen_name']));?>"><?php echo stripslashes(strtoupper($row['gen_name']));?></a> > <?php echo $row['title'];?> </b></td> </tr> <tr> <td width="12%"> </td> <td width="19%"> </td> <td width="69%"> </td> </tr> <tr> <td rowspan="5" valign="top"><img src="images/<?php echo $row['book_img'];?>" width="112" height="108" /></td> <td> </td> <td> </td> </tr> <tr> <td><strong>Price:</strong></td> <td><?php echo "£".$row['price'];?></td> </tr> <tr> <td><strong>ISBN:</strong></td> <td><?php echo $row['ISBN'];?></td> </tr> <tr> <td><strong>Publication Date: </strong></td> <td><?php echo $row['date_of_pub'];?></td> </tr> <tr> <td><strong>Author:</strong></td> <td><?php echo $auth;?></td> </tr> <form action="addtocart.php" method="post"> <tr> <td> </td> <td><strong>Quantity</strong></td> <td><label> <select name="qty">; <?php for($i=1; $i<12; $i++) { echo '<option value='.$i.'>'.$i.'</option>'; } ?> </select> </label> </td> <input name="bid" type="hidden" value="<?php echo $row['book_id']?>" /></td> </tr> <tr> <td> </td> <td> </td> <td><label> <input type="submit" name="submit" value="Add to Cart" /> </label></td> </tr> </form> </table> </body> </html>

Lets walk through this code line by line, so you can see the logic of it. A book ID is passed by the previous script that will be used by this script to retrieve the book details. The very first line after the tags gets the database connection details:

include "connect.php";

Now, this is a standard way of getting the database connection credentials to connect to the database server. However, it is full of security risks. Any attacker that gets access to your "home directory" will be able to get his hands on your username and password. Therefore, I would recommend storing this file in a directory that is outside of your home directory or public folder. This way, even if an attacker gets into your public directory, he will not be able to get hold of your database details. Then a couple of variables are initialized; normally you would not need to initialize variables, but in some environments, a warning is issued saying that the variables are not defined or initialized. The next "if()" statement checks to see if a valid book ID was passed:

if(isset($_GET['bid'])){ //clean it up if(!is_numeric($_GET['bid'])){ //Non numeric value entered. Someone tampered with the catid $error=true; $errormsg=" Security, Serious error. Contact webmaster: bid enter: ".$_GET['bid']."";

This is also called filtering data. It basically makes sure that the data is what it is suppose to be, for example, we know that the bookID is numeric, if it is not, then the "is_numeric()" function will catch it and throw an error:

if(!is_numeric($_GET['bid'])){ //Non numeric value entered. Someone tampered with the bookid $error=true; $errormsg=" Security, Serious error. Contact webmaster: bid enter: ".$_GET['bid']."";

Here, you can also use another method to verify that the bookid is numeric; for example, regex is perfect for this kind of validation. It is very important to verify and validate any data that did not originate from you and that could possibly give an attacker control of your application. The next part of the code assumes that the bookid is numeric and that it has not been tampered with. Because this page deals with displaying all of the details about a book, and the details of all of the books in our database are held in multiple tables, we have to run a couple of queries to retrieve all of the data that is related to this particular book. For example, the authorID is stored in the books table but not the author name(it is stored in the author table), the genreID is stored in the books table but not the genre name(it is stored in the genre table) etc. This is exactly what the code does next. First it cleans the bookId that was sent by using the mysql_real_escape_string() function:

}else{ //book_id is numeric number //clean it up $cbID=mysql_real_escape_string($_GET['bid']);

and then runs the first query to retrieve the genre name and author ID:

$query ="SELECT * from books INNER JOIN genres ON genID=gen_id WHERE book_id='".$cbID."' "; $results=mysql_query($query); if($results){ $num = mysql_num_rows($results); $row=mysql_fetch_assoc($results); $authno=$row['authID'];

Once the author ID has been retrieved, it is then used to retrieve the author name, which is stored in the author's table:

//run a query to get the auth name if($authno > 0){ $query_auth ="SELECT * from author WHERE auth_id='".$authno."' "; $results_auth=mysql_query($query_auth); $row_auth=mysql_fetch_assoc($results_auth); $auth=$row_auth['auth_name']; }

Next, we store any errors in the $errormsg variable and close all the tags:

}//results else{ //there's a query error $error=true; $errormsg .=mysql_error(); }//result test }//numeric }//if isset

That is all the data we need from the database. Now, all that is left for us to do is to display the book details on the page. We want to display useful information about the book, such as the name of the author, the ISBN number of the book, date of publication and more importantly how much the book costs. It would perhaps be useful to have a field in the books table that has a short description of what the book is about, to entice the user into buying the book. All of this has to be clearly displayed for the user. That is what we will do as you can see from the code below:

<td colspan="3"><b><a href="listbooks.php?catid=<?php echo trim(stripslashes($row['gen_id']));?>&catname=<?php echo stripslashes(strtoupper($row['gen_name']));?>"><?php echo stripslashes(strtoupper($row['gen_name']));?></a> > <?php echo $row['title'];?> </b></td> </tr> <tr> <td width="12%"> </td> <td width="19%"> </td> <td width="69%"> </td> </tr> <tr> <td rowspan="5" valign="top"><img src="images/<?php echo $row['book_img'];?>" width="112" height="108" /></td> <td> </td> <td> </td> </tr> <tr> <td><strong>Price:</strong></td> <td><?php echo "£".$row['price'];?></td> </tr> <tr> <td><strong>ISBN:</strong></td> <td><?php echo $row['ISBN'];?></td> </tr> <tr> <td><strong>Publication Date: </strong></td> <td><?php echo $row['date_of_pub'];?></td> </tr> <tr> <td><strong>Author:</strong></td> <td><?php echo $auth;?></td> </tr>

As you can see, the table above shows all of the details about the book. I've highlighted the labels so you can see them for yourself. Then last but not least, we have the form that will provide the user with the option of selecting how many copies of the book he wants to buy:

<form action="addtocart.php" method="post"> <tr> <td> </td> <td><strong>Quantity</strong></td> <td><label> <select name="qty">; <?php for($i=1; $i<12; $i++) { echo '<option value='.$i.'>'.$i.'</option>'; } ?> </select> </label>

This also includes a hidden field that will send the bookid over to the "addtocart.php" script that we will discuss later:

</td> <input name="bid" type="hidden" value="<?php echo $row['book_id']?>" /></td> </tr> <tr> <td> </td> <td> </td> <td><label> <input type="submit" name="submit" value="Add to Cart" /> </label></td> </tr> </form>

That concludes the first part of our shopping front application. Next, we are going to look at how to create a shopping cart and how to integrate it into the shop front that we created here.

Find a programming school near you

Zip Code:

Subject: - Select All Subjects - Computer Applications Computer Engineering Computer Science Computer Prog. - Software Dev. Computer Game Programming Web Design Web Development Internet Systems Internet Certification Database Design and Development Information Systems Management Information Technology Project Management Network Design - Development Systems Analyst

Degree: - Select All Degrees - Associate's Bachelor's Master's Doctoral Certificates Diplomas Coursework MBA

Online Campus Both