
I'm currently working on a shopping cart using PHP, and I'm trying to figure out how to add items to the cart itself using the code I have written. The items from my database are being displayed correctly, but only the last array under $item is being added to the cart. The following displays the items.

$result = mysqli_query($cxn,$sql) or die("<p class='error'>Couldn't connect to server.</p>");
$product = array(); // start empty so the foreach below is safe when the query returns no rows
while($row = mysqli_fetch_assoc($result))
{
    $product[] = $row;
}
// one form per product; after this loop $item still holds the LAST product
foreach($product as $item)
{
    echo "<div class='product'><form method='post'><div class='img_spacer'><div class='image'>";
    include "images.inc";
    echo "</div></div><div class='name'><h2>".$item['product']."</h2></div>";
    echo "<div class='description'><p>".$item['description']."</p></div>";
    echo "<div class='price'><p>".$item['price']."</p></div>";
    echo "<div class='add_cart'><input type='hidden' name='add' value='yes'>
    <input type='submit' name='add_cart' value='Add to Cart'>
    </div></form></div>";
}

The following code is for the shopping cart itself. I have it currently set to print_r the sent variables so I can see what information is being posted.

<?php
if(isset($_POST['add']) and $_POST['add'] == 'yes')
{
    // $item is whatever the display loop left behind, i.e. the last product,
    // which is why only that product ever shows up here
    $selected = "select product_ID, product, price from product where product_ID='".$item['product_ID']."'";
    $result2 = mysqli_query($cxn,$selected);
    while($row2 = mysqli_fetch_assoc($result2))
    {
        print_r($row2);
    }
}
?>

I also tried adding the $item['product_ID'] variable to make the 'add' input unique, using

<input type='hidden' name='".$item['product_ID']."_add' value='yes'>

but I couldn't figure out how to add another variable to the $_POST array. I should also mention that I'm using sessions for this project, and I'm not quite sure how to add their shopping cart to the $_SESSION variable. How can I fix this?

Jordan U.
  • You are open to SQL injection attacks because you are building SQL statements with untrusted variables. Please read this question for information about how to do your SQL queries safely. https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Andy Lester May 14 '15 at 21:05

1 Answer


You'll want to add more hidden fields to your form. At least:

<input type='hidden' name='product_ID' value='".$item['product_ID']."'>

This will add another variable to the $_POST array when the user clicks Add to Cart.

At the start of each page, you should have a call to session_start();. Then, simply assign the values for your cart to session variables like so:

if(isset($_POST['add']) and $_POST['add'] == 'yes') {
    if (!isset($_SESSION['cart'])) {
        $_SESSION['cart']=array(); // first item: create the cart in the session
    }
    array_push($_SESSION['cart'], $_POST); // store the posted fields (product_ID, etc.) as one cart line
}

Then (when the user places the order) you would scrub the input, to prevent SQL injection, and add a new SQL query, perhaps something like:

//submit selected items
foreach ($_SESSION['cart'] as $cart_item) {
    $pid=scrub($cart_item['product_ID']);
    $amount=scrub($cart_item['amount']);
    // `when` is a reserved word in MySQL, so it has to be quoted as a column name
    $inserted = "INSERT INTO orders (user, product_id, amount, `when`) VALUES (".$uid.", ".$pid.", ".$amount.", NOW())";
    $result3 = mysqli_query($cxn,$inserted);
}

Of course, you'll have to create the function scrub to scrub your input, but that's outside the scope of the question.

Ayelis
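Putting the pieces of the answer together, as an added example that is not code from the question or the answer: each form carries its own product_ID hidden field, the session keeps validated product ids with a quantity instead of the raw $_POST array, and the order insert uses a mysqli prepared statement, which removes the need for a scrub() function. $cxn (an open mysqli connection) and $uid (the logged-in user's id) are assumed to exist as in the answer.

```php
<?php
// Added example, not the question's or answer's code. Assumes $cxn is an open
// mysqli connection and $uid is the current user's id (both hypothetical here).
session_start();

if (!isset($_SESSION['cart'])) {
    $_SESSION['cart'] = [];   // product_ID => quantity
}

// Step 1: handle an "Add to Cart" post. Because every form includes
// <input type='hidden' name='product_ID' value='...'>, the server knows
// which product was clicked instead of falling back to the last $item.
if (isset($_POST['add'], $_POST['product_ID']) && $_POST['add'] === 'yes') {
    $pid = filter_var($_POST['product_ID'], FILTER_VALIDATE_INT);
    if ($pid !== false && $pid > 0) {
        // Keep only the validated id and a count, never the raw $_POST array.
        $_SESSION['cart'][$pid] = ($_SESSION['cart'][$pid] ?? 0) + 1;
    }
}

// Step 2: at checkout, insert one row per cart line with bound parameters.
// The values travel separately from the SQL text, so no scrubbing is needed.
function save_order(mysqli $cxn, int $uid, array $cart): int
{
    $stmt = $cxn->prepare(
        'INSERT INTO orders (user, product_id, amount, `when`) VALUES (?, ?, ?, NOW())'
    );
    $saved = 0;
    foreach ($cart as $pid => $amount) {
        $stmt->bind_param('iii', $uid, $pid, $amount);
        if ($stmt->execute()) {
            $saved++;
        }
    }
    $stmt->close();
    return $saved;   // number of order rows written
}

// Usage at checkout, after the user confirms the order:
// $rows = save_order($cxn, $uid, $_SESSION['cart']);
// unset($_SESSION['cart']);
```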