
I am trying to insert the items in the shopping basket into the table userOrders within my database. The fields in MySQL are productId, Quantity and orderTotal. I am aware that I should be using SSL.

I am relatively new to this so please be kind to me, any help would be greatly appreciated.

The shopping basket:

<h1>View Shopping Basket</h1>

<div class="container-fluid">
<div class="row">
    <div class="col-lg-6">
        <!-- one form only: nested forms are invalid HTML and the inner one is discarded by browsers -->
        <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" autocomplete="off">

<table class="table-responsive">
    <thead>
    <tr>
        <th>productId</th>
        <th>Name</th>
        <th>Quantity</th>
        <th>Price</th>
        <th>Total</th>
    </tr>
    </thead>
    <tbody>
    <?php
        //select all products whose ID is in the session cart
        $sql="SELECT * FROM products WHERE productId IN (";
        //for each session entry append the ID and a comma to separate them
        foreach($_SESSION['cart'] as $id => $val) {
            $sql.=(int)$id.",";
        }
        //strip the last comma from the IDs and append the closing bracket
        $sql=substr($sql, 0, -1).") ORDER BY name ASC";
        $query=mysql_query($sql);
        $totalprice=0.00;
        while($row=mysql_fetch_array($query)){
            //line subtotal: quantity held in the session * price from the database
            $subtotal=$_SESSION['cart'][$row['productId']]['quantity']*$row['price'];
            //running total, added to with each loop
            $totalprice+=$subtotal;
    ?>
            <tr>
                <!--productId-->
                <td><?php echo $row['productId'] ?></td>
                <!--product name-->
                <td><?php echo htmlspecialchars($row['name']) ?></td>
                <!--quantity input, keyed by productId so the update handler knows which item it belongs to-->
                <td><input type="text" name="quantity[<?php echo $row['productId'] ?>]" size="2" value="<?php echo (int)$_SESSION['cart'][$row['productId']]['quantity'] ?>" /></td>
                <!--unit price-->
                <td><?php echo $row['price'] ?>£</td>
                <!--line total = quantity of productId in session * price-->
                <td><?php echo $subtotal ?>£</td>
            </tr>
    <?php
        }
    ?>
        <tr>
            <td colspan="5" style="text-align:right">Total Price: <?php echo $totalprice ?></td>
        </tr>
    </tbody>
</table>
<br />
<button type="submit" value="update" name="update">Update Shopping Basket</button>
<br />
<button type="submit" value="PlaceOrder" name="PlaceOrder">Place Order</button>
        </form>
    </div>
</div>
</div>
<br />
<p style="text-align:center">To remove an item set its quantity to 0. </p>
<p style="text-align:left"><a href="shopsesh.php?page=products">Continue Shopping</a></p>

Update Quantity:

<?php
//check the Update button was submitted; a quantity of 0 removes the item from the session
if(isset($_POST['update']) && isset($_POST['quantity'])){

    foreach($_POST['quantity'] as $key => $val) {
        $val=(int)$val;
        if($val<=0) {
            unset($_SESSION['cart'][$key]);
        //otherwise update the quantity held in the session
        }else{
            $_SESSION['cart'][$key]['quantity']=$val;
        }
    }

}
?>

Insert Query:

<?php
//add the basket items to the orders table in the DB when Place Order was clicked
//(the button is named PlaceOrder in the form, so that is the key to check)
if (isset($_POST['PlaceOrder'])) {
    $error = empty($_SESSION['cart']);   //nothing to order
    $res = true;

    //if no error
    if( !$error ) {
        //one row per basket line; quantities live in the session, not in the POST
        foreach($_SESSION['cart'] as $productId => $item) {
            $productId = (int)$productId;
            $quantity = (int)$item['quantity'];
            $orderTotal = (float)$totalprice;   //computed by the basket loop above
            //insert order line into database
            $query = "INSERT INTO userOrders(productId,quantity,orderTotal) VALUES('$productId','$quantity','$orderTotal')";
            $res = mysql_query($query);
            if (!$res) {
                break;
            }
        }

        if ($res) {
            $errTyp = "success";
            $errMSG = "Items added to database";
        } else {
            $errTyp = "danger";
            $errMSG = "Something went wrong, try again later... ".mysql_error();
        }
    }
}
?>
Bertrand Martel
Anniee
  • There is no question here – John Conde Apr 06 '17 at 12:09
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Apr 06 '17 at 12:10
  • FYI, [you shouldn't use `mysql_*` functions in new code](http://stackoverflow.com/questions/12859942/). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [red box](http://php.net/manual/en/function.mysql-connect.php)? Learn about [*prepared statements*](https://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide which one is best for you. – John Conde Apr 06 '17 at 12:10
  • You don't check for errors in your code. Never assume the code is always going to work flawlessly. Use [`mysql_error()`](http://php.net/manual/en/mysqi.error.php) to get a detailed error message from the database. – John Conde Apr 06 '17 at 12:10
  • Thank you, I am aware it is deprecated, I just wanted to get this to work then I was going to research into how to convert it all over to MySQLi. – Anniee Apr 06 '17 at 12:21
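The order insert rewritten with PDO prepared statements, as the comments recommend; this is an added example, not the asker's code. It assumes the tables named in the question (products with productId, name, price; userOrders with productId, quantity, orderTotal), that session_start() has already run as elsewhere on the page, and placeholder connection details.

```php
<?php
// Added example, not the asker's code: the order insert with PDO prepared statements,
// as the comments recommend. Assumes the question's tables products(productId, name, price)
// and userOrders(productId, quantity, orderTotal); the DSN and credentials are placeholders.
function placeOrder(PDO $pdo, array $cart): float
{
    // Keep only positive integer ids and quantities from the session basket.
    $items = [];
    foreach ($cart as $id => $entry) {
        $qty = (int) ($entry['quantity'] ?? 0);
        if (ctype_digit((string) $id) && $qty > 0) {
            $items[(int) $id] = $qty;
        }
    }
    if (!$items) {
        throw new InvalidArgumentException('Basket is empty');
    }
    // One bound placeholder per id instead of concatenating ids into the SQL string.
    $marks = implode(',', array_fill(0, count($items), '?'));
    $sel = $pdo->prepare("SELECT productId, price FROM products WHERE productId IN ($marks)");
    $sel->execute(array_keys($items));
    // Prices come from the database, never from the form, so the total cannot be tampered with.
    $total = 0.0; $lines = [];
    foreach ($sel as $row) {
        $id = (int) $row['productId'];
        $lines[] = [$id, $items[$id]];
        $total += $items[$id] * (float) $row['price'];
    }
    if (count($lines) !== count($items)) {
        throw new RuntimeException('Basket contains an unknown product');
    }
    // All basket lines in one transaction, so a partial order is never stored.
    $pdo->beginTransaction();
    try {
        $ins = $pdo->prepare('INSERT INTO userOrders (productId, quantity, orderTotal) VALUES (?, ?, ?)');
        foreach ($lines as [$id, $qty]) {
            $ins->execute([$id, $qty, $total]);
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $total;
}
// Wire it to the Place Order button from the basket form (placeholder connection details).
$pdo = new PDO('mysql:host=localhost;dbname=SHOP_DB;charset=utf8mb4', 'DB_USER', 'DB_PASS', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (isset($_POST['PlaceOrder']) && !empty($_SESSION['cart'])) {
    $orderTotal = placeOrder($pdo, $_SESSION['cart']);
}
```

With ERRMODE_EXCEPTION set, a failed query throws instead of returning false silently, which covers the missing error handling the third comment points out.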