Creating an Online Shopping Cart Mechanism in PHP | 2

Creating an Online Shopping Cart Mechanism in PHP [con't]

In this last section, we are going to look at the remaining three scripts of the shopping cart:

Showcart.php
Orders.php
Delete.php

On the previous page, we looked at the addtocart.php script, which basically connected the shopping front with the shopping cart. The addtocart.php script is mainly responsible for collecting items that a user wants to buy. It is closely connected with the showcart script, which shows the contents of the shopping cart. To recap, here's the code for the addtocart script:

<?php
ob_start();
include "connect.php";
//clean the data:
//1.check if bookid is numeric
//2.then escape it with mysql_escape string
//3.then test to see if a book with that id exist
if(!is_numeric($_POST['bid'])){
//Non numeric value entered. Someone tampered with the catid
$error=true;
$errormsg=" Security, Serious error. Contact webmaster: bid entered: ".$_POST['bid']."";
}else{
//book_id is numeric number
//Now, lets see if that <code>book id</code> is valid run a query
$cbID=mysql_escape_string($_POST['bid']);
}
//Now that the bookid is clean, lets test its valididty
$bidcheck = "SELECT title FROM books WHERE book_id='".$cbID."'";
$result=mysql_query($bidcheck);
if(!$result){
$err=true;
//bookid not valid, sent to index page
header("location:index.php");
}
//now, clean the other form value - quantity
//since it comes from a select-menu it is pretty secure
//but it is still worth filtering, just in case
if(!is_numeric($_POST['qty'])){
$err=true;
}else{
$cqty=mysql_escape_string($_POST['qty']);
}
if(!$err){
$PHPSESSID=session_id();
//(session_id,bid,date_added,qty)
$addtocart="INSERT INTO cart_track SET session_id='".$PHPSESSID."',bid='".$cbID."',date_added ='".$td."',qty='".$cqty."'";
mysql_query($addtocart);
//go to showcart
header("location:showcart.php");
exit;
}
ob_end_flush()
?>

Towards the end of the script, you can clearly see where the connection with the showcart script appears. Basically, the script inserts the form values that it has been sent and then immediately redirects the user to the showcart script.

Here's the code for the showcart script:

<?php
include "connect.php";
//Check if user wants to checkout or shop:
if(isset($_POST['checkout'])){
header("location:orders.php");
}
if(isset($_POST['shop'])){
header("location:index.php");
}
//retrieve items . use session_id and/or datetime
$PHPSESSID=session_id();
$showcart = "SELECT * from cart_track INNER JOIN books ON bid=book_id WHERE session_id = '".$PHPSESSID."' AND date_added='".$td."'";
$result=mysql_query($showcart);
if(!$result){
$err=true;
//i recommend writing this error to a log or some text file, for security reasons.
$errmsg=mysql_error();
}else{
$err=false;
$num=mysql_num_rows($result);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Pleasure Reading Inc::Showcart</title>
</head>
<body>
<table width="100%" border="0">
  <tr>
    <td colspan="5"><h1>Pleasure Reading Inc. - Shopping Cart </h1></td>
  </tr>
  <tr>
    <td> </td>
    <td> </td>
    <td> </td>
    <td> </td>
    <td> </td>
  </tr>
  <?php if(!$err){ ?>
  <tr>
    <td bgcolor="#ECE9D8"><strong>Book Title</strong></td>
    <td bgcolor="#ECE9D8"><strong>Qty</strong></td>
    <td bgcolor="#ECE9D8"><strong>Price</strong></td>
    <td bgcolor="#ECE9D8"><strong>Total</strong></td>
    <td bgcolor="#ECE9D8"><strong>Action</strong></td>
  </tr>
   <?php
   $gtotal=0;
    if($num > 0){
  while($row=mysql_fetch_assoc($result)){
  ?>
  <tr>
    <td><?php echo trim(stripslashes($row['title']))?></td>
    <td><?php echo trim(stripslashes($row['qty']))?></td>
    <td><?php echo trim(stripslashes($row['price']))?></td>
    <td><?php
        $total= $row['qty'] * $row['price'];
     $ctotal=number_format($total,2);
          $gtotal = $gtotal + $ctotal;
        $_SESSION['gtotal'] = $gtotal;
        echo "$".$total;?></td>
    <td><a href="delete.php?cid=<?php echo $row['cart_id'] ?>">Remove</a></td>
  </tr>
   <?php
    }
    }else{
       ?>
    <tr>
    <td colspan="5"><p>There are no items in your shopping cart.</p></td>
   </tr>
   <?php
   }
   ?>
   <tr>
   <td></td>
   <td></td>
   <td><strong>Grand Total:</strong></td>
   <td bgcolor="#ECE9D8"><strong><?php echo "$".$gtotal;?></strong></td>
      </tr>
   <form action="showcart.php" method="post">
  <tr>
    <td><label></label></td>
    <td></td>
    <td><input type="submit" name="checkout" value="Check Out" /></td>
    <td><input type="submit" name="shop" value="Back to Shopping" /></td>
    <td> </td>
  </tr>
  </form>
  <?php
  }else{
  ?>
  <tr>
  <td colspan="5">
  <p><?php echo $errmsg;?></p>
  </td>
  </tr>
  <?php  } ?>
</table>
</body>
</html>

First off, the purpose of the showcart page is to show the contents of the shopping cart. To do this, it needs the session ID and the current date. Looking at the code, the very first line in the script calls the connect script that also contains code to start the session:

This is very important because the session ID is critical to identifying the user; if the session is not started, we of course will not be able to identify the user. The showcart page provides two buttons for the user: one is an option to continue shopping and the other is to check out. Both these options are dealt with in the following piece of code:

Now, we need to retrieve all the items that the user intends to buy, but there is a slight issue here. Information about books is kept in different tables so we cannot just run a straightforward query that gets all its data from the books table. So what I did here was to use a more complex query to retrieve book data:

The query uses the INNER JOIN construct to retrieve different pieces of information from two tables, and it uses the session ID and the day's date to identify the user. For a more accurate user identification, it is best to use a login script. The $td variable is stored in the connect.php script. If the query fails, then the $err variable is set to "true" and the MySQL error is stored. For security reasons, this error is not echoed. It is safer to write the errors to a log or text file:

Otherwise, the returned rows are stored in a variable:

The reason for this is that these results will be used to create a dynamic table in which the shopping cart contents related to this user will be displayed. So let's get on to the HTML code.

Within the body tags of the page, the table headers are created:

Then before creating the dynamic rows of the table, a variable called $gtotal is initialized. This variable will be the running total of the total cost of the books:

Then the dynamic rows are created:

Look at the following block of code very carefully. This is were the grand total is worked out:

What basically happens is that the quantity and price of a book is worked out and stored in the $total variable. Then the number is formatted using the number_format() function. Next, the $ctotal is added to the $gtotal variable, and then the $gtotal is stored in the session variable. These steps are taken with every iteration. The following code simply provides an option to delete an item from the cart:

If no matches are found, the user has not selected anything to buy, so an appropriate message is displayed:

Then the value of the total shopping cart is shown, together with a form that provides the user with an option to check out or continue shopping:

If an error occurred, then nothing else but that error message will be shown:

The next script we are going to look at is orders.php. The link below shows a screenshot of the checkout screen.

The Checkout Screen

Here is the code that makes the above possible:

<?php
include "connect.php";
$PHPSESSID=session_id();
if(isset($_POST['submit'])){
//clean all POST vars first
$order_name = mysql_escape_string($_POST['o_name']);
$order_address = mysql_escape_string($_POST['address']);
$order_total = mysql_escape_string($_POST['total']);
$order_shipcost = mysql_escape_string($_POST['shipcost']);
$order_date = mysql_escape_string($_POST['o_date']);
$order_status = mysql_escape_string($_POST['status']);
//Now, insert data
$addorder="INSERT INTO orders SET order_name='".$order_name."',order_address='".$order_address."',";
$addorder .="order_total='".$order_total."', order_date='".$order_date."',order_status='".$order_status."',session='".$PHPSESSID."',shipping_cost='".$order_shipcost."'";
$result =mysql_query($addorder);
if(!$result){
$msg=mysql_error();
}else{
$msg="Your order has been processed";
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<table width="100%" border="0">
  <tr>
    <td colspan="2"><h1>Pleasure Reading Inc. - Order Checkout </h1></td>
  </tr>
  <?php if(!isset($msg)) {?>
   <form action="orders.php" method="post">
  <tr>
    <td width="16%">Name</td>
    <td width="84%"><label>
      <input name="o_name" type="text" size="40" />
    </label></td>
  </tr>
  <tr>
    <td valign="top">Address</td>
    <td><label>
      <textarea name="address"></textarea>
    </label></td>
  </tr>
  <tr>
    <td>Total</td>
    <td><label>
      <input name="total" type="text" size="40" value="<?php echo $_SESSION['gtotal']?>"/>
    </label></td>
  </tr>
  <tr>
    <td>Shipping Cost </td>
    <td><label>
      <input name="shipcost" type="text" size="40" value="$20.00"/>
    </label></td>
  </tr>
  <tr>
    <td>Date</td>
    <td><label>
      <input name="o_date" type="text" size="40" value="<?php echo "$td";?>"/>
    </label></td>
  </tr>
  <tr>
    <td>Status</td>
    <td><label>
    <select name="status">
      <option>processed</option>
      <option>pending</option>
    </select>
    </label></td>
  </tr>
  <tr>
    <td><label>
      <input type="submit" name="submit" value="Send Order" />
    </label></td>
  </tr>
   </form>
   <?php
   }else{
      ?>
      <tr>
      <td>
      <?php echo $msg; ?>
      </td>
      </tr>
<?php } ?>
</table>
</body>
</html>

On the orders page, a form is displayed that collects information for the orders table. Basically, all the fields on the form will match those in the database. When the user has completed the form and submitted it, the PHP code immediately escapes them using the mysql_real_escape_string() function and then adds them to the orders table.

The delete script simply takes the session ID and cart ID, removes the records from the cart_track table, and then returns the user to the showcart page:

Conclusion

With a functioning shopping cart on your e-commerce application, you can easily start selling goods online using payment services such as PayPal, which offers a cheap payment transfer service. In upcoming articles, I will discuss how to maintain an online shop.

Read the previous articles in this series to get a complete instruction set for building an entire online store in PHP:

Creating an Online Shopping Cart Mechanism in PHP | 2

Creating an Online Shopping Cart Mechanism in PHP [con't]

Conclusion

Find a programming school near you