Creating an Online Shopping Cart Mechanism in PHP

Some of the basic requirements for building an online shopping cart are:

• Allow the customer to add items to the cart
• Allow for different quantities of each item
• Allow the customer to alter the quantities of an item
• Allow the customer to remove items from the cart

In this article, we are going to look at the scripts that make running a shopping cart possible. The sequence of events that lead up to the user adding items to the shopping cart goes as follows:

1. The user is shown a product details page with the categories or genres that are available in our store (Pleasure Reading, Inc.).
2. The user selects a genre to view.
3. A list of all books in that genre is shown.
4. The user selects a particular book to view in detail.
5. The user is given the option to add the book to the shopping cart with the option of selecting the quantity.

When the user clicks on the "add to cart" button, the integration of the online store front with the shopping cart scripts begins. Here is a list of the scripts involved and what each does:

• Orders.php (The first step in the checkout process) – Collects the user's personal details, such as credit card numbers and delivery address
• Addtocart.php – Adds items to the shopping cart
• Showcart.php – Shows the items on the shopping cart
• Delete.php – Removes items from the shopping cart

When the user clicks on the "Add to cart" button, like on the book details page shown below, the online bookseller site's integration with the shopping cart is done.

The Book Details Page

The following code sends the form data to the addtocart.php script:

<?php include "connect.php"; //check if //A) a bookid has been submitted //B) the submitted value is numeric if(isset($_GET['bid'])){ //clean it up if(!is_numeric($_GET['bid'])){ //Non numeric value entered. Someone tampered with the catid $error=true; $errormsg=" Security, Serious error. Contact webmaster: bid enter: ".$_GET['bid'].""; }else{ //book_id is numeric number //clean it up $cbID=mysql_escape_string($_GET['bid']); $query ="SELECT * from books INNER JOIN genres ON genID=gen_id WHERE book_id='".$cbID."' "; $results=mysql_query($query); if($results){ $num = mysql_num_rows($results); $row=mysql_fetch_assoc($results); $authno=$row['authID']; //run a query to get the auth name if($authno > 0){ $query_auth ="SELECT * from author WHERE auth_id='".$authno."' "; $results_auth=mysql_query($query_auth); $row_auth=mysql_fetch_assoc($results_auth); $auth=$row_auth['auth_name']; } }//results else{ //there's a query error $error=true; $errormsg .=mysql_error(); }//result test }//numeric }//if isset ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Pleasure Reading Inc::Book Detail: <?php echo $row['title'];?></title> </head> <body> <table width="100%" border="0"> <tr> <td colspan="3"><h1>Pleasure Reading Inc. - Book Detail </h1></td> </tr> <tr> <td colspan="3"><b><a href="listbooks.php?catid=<?php echo trim(stripslashes($row['gen_id']));?>&catname=<?php echo stripslashes(strtoupper($row['gen_name']));?>"><?php echo stripslashes(strtoupper($row['gen_name']));?></a> > <?php echo $row['title'];?> </b></td> </tr> <tr> <td width="12%"> </td> <td width="19%"> </td> <td width="69%"> </td> </tr> <tr> <td rowspan="5" valign="top"><img src="images/<?php echo $row['book_img'];?>" width="112" height="108" /></td> <td> </td> <td> </td> </tr> <tr> <td><strong>Price:</strong></td> <td><?php echo "£".$row['price'];?></td> </tr> <tr> <td><strong>ISBN:</strong></td> <td><?php echo $row['ISBN'];?></td> </tr> <tr> <td><strong>Publication Date: </strong></td> <td><?php echo $row['date_of_pub'];?></td> </tr> <tr> <td><strong>Author:</strong></td> <td><?php echo $auth;?></td> </tr> <form action="addtocart.php" method="post"> <tr> <td> </td> <td><strong>Quantity</strong></td> <td><label> <select name="qty">; <?php for($i=1; $i<12; $i++) { echo '<option value='.$i.'>'.$i.'</option>'; } ?> </select> </label> </td> <input name="bid" type="hidden" value="<?php echo $row['book_id']?>" /></td> </tr> <tr> <td> </td> <td> </td> <td><label> <input type="submit" name="submit" value="Add to Cart" /> </label></td> </tr> </form> </table> </body> </html>

The parts marked in red clearly show where the form data is sent. Also note that the quantity and bookID are the only values that are sent to the addtocart.php script.

Now let's look at how the form data is handled. Below is the code for the addtocart script:

<?php ob_start(); include "connect.php"; //clean the data: //1.check if bookid is numeric //2.then escape it with mysql_escape string //3.then test to see if a book with that ID exist if(!is_numeric($_POST['bid'])){ //Non numeric value entered. Someone tampered with the catid $error=true; $errormsg=" Security, Serious error. Contact webmaster: bid entered: ".$_POST['bid'].""; }else{ //book_id is numeric number //Now, lets see if that <code>book ID</code> is valid run a query $cbID=mysql_escape_string($_POST['bid']); } //Now that the bookid is clean, lets test its validity $bidcheck = "SELECT title FROM books WHERE book_id='".$cbID."'"; $result=mysql_query($bidcheck); if(!$result){ $err=true; //bookid not valid, sent to index page header("location:index.php"); } //now, clean the other form value - quantity //since it comes from a select-menu it is pretty secure //but it is still worth filtering, just in case if(!is_numeric($_POST['qty'])){ $err=true; }else{ $cqty=mysql_escape_string($_POST['qty']); } if(!$err){ $PHPSESSID=session_id(); //(session_id,bid,date_added,qty) $addtocart="INSERT INTO cart_track SET session_id='".$PHPSESSID."',bid='".$cbID."',date_added ='".$td."',qty='".$cqty."'"; mysql_query($addtocart); //go to showcart header("location:showcart.php"); exit; } ob_end_flush() ?>

This script is at the heart of the application, so let's walk through it. It receives two form values:

1. Book ID – in the form of bid
2. Quantity – in the form of qty

Both these values are potential security vulnerabilities, because they did not originate from you. Therefore, they have to go through a "cleaning" process. This is exactly what happens in the first part of the PHP code:

ob_start(); include "connect.php"; //clean the data: //1.check if bookid is numeric //2.then escape it with mysql_escape string //3.then test to see if a book with that ID exist if(!is_numeric($_POST['bid'])){ //Non-numeric value entered. Someone tampered with the book id $error=true; $errormsg=" Security, Serious error. Contact webmaster: bid entered: ".$_POST['bid'].""; }else{

The above code checks if the book ID value is numeric using the is_numeric() function. I cannot stress enough the importance of doing these checks. For the sake of security, by all means do the checks and use other methods and functions to validate. When the code verifies that the value is what it is supposed to be (i.e., it's numeric), we do further filtering by checking to see if a book with that ID exists in the database:

//book_id is numeric number //Now, lets see if that <code>book ID</code> is valid run a query $cbID=mysql_escape_string($_POST['bid']); } //Now that the bookid is clean, lets test its valididty $bidcheck = "SELECT title FROM books WHERE book_id='".$cbID."'"; $result=mysql_query($bidcheck);

If we find that it does not exist, then we redirect the user to the index page:

if(!$result){ $err=true; //bookid not valid, sent to index page header("location:index.php"); }

That's all the filtering we need for the book ID value. Now we need to check the qty value. Both form values are meant to be numeric, so the only effective way of checking the validity of this value is to check if it is numeric:

//now, clean the other form value - quantity //since it comes from a select-menu it is pretty secure //but it is still worth filtering, just in case if(!is_numeric($_POST['qty'])){ $err=true; }else{ $cqty=mysql_escape_string($_POST['qty']); }

Here you see that I created a new variable called $cqty. The c in the name of the variable indicates that it has been filtered and is "safe" to use in a MySQL query. You will also notice that I've used the mysql_real_escape_string() function to filter the form value. By all means, do further filtering as you see fit.

Throughout the code, I used a Boolean variable called $err, which will eventually be key to this whole script. It will help the script decide whether to insert the posted data into the data or not:

if(!$err){ $PHPSESSID=session_id(); //(session_id,bid,date_added,qty) $addtocart="INSERT INTO cart_track SET session_id='".$PHPSESSID."',bid='".$cbID."',date_added ='".$td."',qty='".$cqty."'"; mysql_query($addtocart); //go to showcart header("location:showcart.php"); exit; } ob_end_flush()

If there is no error in the script, the form data is inserted into the cart_track table. Because we started a session by calling the connect.php script, we are also able to get the session ID with the following code:

$PHPSESSID=session_id();

This session ID is key to identifying the user throughout the shopping process. The session ID together with the current date will make it easy for us to ID a user. Another function that I used in this script is the ob_start() and ob_end_flush() functions. These two functions make sure that we don't get the "headers already sent" error message when the script is executed.

After everything has been executed and no errors occur, the script redirects the user to the showcart page (see link below) where the contents of the shopping cart are shown together with the total.

The Showcart Page

As you can see, the showcart page provides the user with the option to remove an item from the shopping cart. This, along with the orders script, will be the subject of discussion in the next page.

Find a programming school near you

Zip Code:

Subject: - Select All Subjects - Computer Applications Computer Engineering Computer Science Computer Prog. - Software Dev. Computer Game Programming Web Design Web Development Internet Systems Internet Certification Database Design and Development Information Systems Management Information Technology Project Management Network Design - Development Systems Analyst

Degree: - Select All Degrees - Associate's Bachelor's Master's Doctoral Certificates Diplomas Coursework MBA

Online Campus Both