
In my button the user can add more quantity from his order. What I want is to prevent the user from adding more than the quantity left. The button goes into the cart table. What I want is to connect the product_qty to the cart so that the user cannot abuse the add button.

E.g. Item A (5 in stock), the user inputs 4, but the user can abuse it by using the button to go from 4 to 8.

My product table consists of:

productid, categoryid, product_name, product_price, product_qty, supplierid,

My cart table consists of:

cartid,
userid,
productid,
qty,

This is my PHP file:

<?php
    include('session.php');
    if(isset($_POST['add'])){
        $id=$_POST['id'];

        // reads the cart row for this product (no userid filter, no stock check)
        $query=mysqli_query($conn,"select * from cart where productid='$id'");
        $row=mysqli_fetch_array($query);

        // increments unconditionally, so repeated clicks go past product_qty
        $newqty=$row['qty']+1;

        mysqli_query($conn,"update cart set qty='$newqty' where productid='$id'");

    }

?>
Kim
  • Just check when the user tries to change the number, and forbid him from doing so if he reaches his limits. – Tobias F. Apr 05 '18 at 07:26
  • You should use prepared statements, you have an sql injection problem. – jeroen Apr 05 '18 at 07:30
  • @RajdeepPaul , yes the user can see the total stock – Kim Apr 05 '18 at 07:37
  • @jeroen I am new to programming, I just want to make a system even though the security is not well made. As of now I just want to make a functional system, just for me, I don't plan on releasing this – Kim Apr 05 '18 at 07:38
  • Also it is not a good idea to make SQL queries each time the user clicks on the “Add” button. – Evgeny Ruban Apr 05 '18 at 07:44
  • @EugeneR, sorry about that, I am quite new, I just want to finish my practice system – Kim Apr 05 '18 at 08:29
  • @Kim, not a problem. You can also limit the maximum value for the input using the `max` option on it. For example, ``, where `$inStock` is the variable that holds your value of total stock for this item. – Evgeny Ruban Apr 05 '18 at 08:38
  • @EugeneR, in my practice system, the user cannot input a higher number than the quantity, but it can be bypassed by pressing the add button. – Kim Apr 05 '18 at 08:42
  • @Kim, ok, so you can add the `disabled` attribute to this button if the value in the input area is `=>` the value in stock. It can easily be done with JavaScript. – Evgeny Ruban Apr 05 '18 at 08:44
  • Also, it looks like your project has big architectural problems) – Evgeny Ruban Apr 05 '18 at 08:46
  • @EugeneR, can you please give me an example. Here is my button code ( ) – Kim Apr 05 '18 at 08:51
  • @Kim, https://jsfiddle.net/ujkytwu2/6/ hope you know how to add javascript code to your page. Also, to add php variable to javascript's inStock you need to do like `var inStock = ;` – Evgeny Ruban Apr 05 '18 at 09:16
  • @EugeneR can you help me modify my code? I really am confused, please – Kim Apr 05 '18 at 09:41
  • @Kim, hm, what is not clear for you in the example I provided? You just need to add ids to your input and button tags, and add this JavaScript code to the end of your page inside a script tag, `` – Evgeny Ruban Apr 05 '18 at 09:50
  • @EugeneR what should i add in my script? add this jsfiddle.net/ujkytwu2/6? – Kim Apr 05 '18 at 09:52
  • @Kim, yeap, add the JavaScript code from it and replace the inStock value as I explained above – Evgeny Ruban Apr 05 '18 at 09:53
  • @EugeneR ok I will try it tomorrow, thanks again, I'll try coding again tomorrow. I will ask you again tomorrow, can I? – Kim Apr 05 '18 at 09:54
  • @Kim, yes, sure) – Evgeny Ruban Apr 05 '18 at 09:57


You have to first check whether addition of the product exceeds the total stock or not, and then perform the UPDATE operation accordingly.

<?php
    include('session.php');
    if(isset($_POST['add'])){
        $id=$_POST['id'];

        // join product and cart on productid so one query returns both the
        // current cart qty and the total stock (product_qty) for this user
        $query=mysqli_query($conn,"SELECT * FROM product NATURAL JOIN cart where productid = '$id' AND userid = YOUR_USER_ID");
        if(mysqli_num_rows($query)){
            $row=mysqli_fetch_array($query);
            // only increment when the new quantity stays within stock
            if(($row['qty'] + 1) <= $row['product_qty']){
                $newqty = $row['qty'] + 1;
                mysqli_query($conn,"update cart set qty='$newqty' where productid='$id'");
                // your code
            }
        }
    }
?>

Sidenotes:

  • It is not a good idea to call an SQL query/submit the form for every addition of a product. Let the user decide the total quantity of the product they want and then send the accumulated value to the database. Use JavaScript for this.
  • Learn about prepared statements because right now your queries are susceptible to SQL injection attacks. Also see how you can prevent SQL injection in PHP.
Rajdeep Paul
  • @Kim, I've updated my answer, please test your application with the updated code snippet. Also, in the query, don't forget to replace YOUR_USER_ID with the actual userid. – Rajdeep Paul Apr 05 '18 at 09:09
  • @RajdeepPaul why are you joining cart table? You have a productid and you do not need anything else to get its product_qty. – Evgeny Ruban Apr 05 '18 at 09:35
  • @Kim, please explain *nothing happens*. Are you seeing any error? Have you changed YOUR_USER_ID with the actual userid in the query? – Rajdeep Paul Apr 05 '18 at 09:50
  • @EugeneR Without JOIN we would end up having 3 queries, one to get total stock, one to get current quantity from the cart(so that we could check overflow condition) and one to update the cart. – Rajdeep Paul Apr 05 '18 at 09:52
  • @RajdeepPaul, ah, ok. Anyway, Kim told us that the total stock is already on the page, so this value can be taken from there. – Evgeny Ruban Apr 05 '18 at 09:57
  • @EugeneR OP has to confirm where exactly it's stored, is it in a variable, session etc. I'll update my answer accordingly, right now OP has to say a bit more than *nothing happens*. – Rajdeep Paul Apr 05 '18 at 10:08
  • @RajdeepPaul , when i click the add button , the quantity does not go up – Kim Apr 06 '18 at 06:10
  • @Kim That's probably because the requested quantity is exceeding total stock. Paste your actual code snippet in [pastebin.com](https://pastebin.com/) and give me its link here. Additionally, you can put a couple of `echo` statements to debug this issue further, like this: [https://pastebin.com/nWw9PWAC](https://pastebin.com/nWw9PWAC) – Rajdeep Paul Apr 06 '18 at 07:27
  • @Kim [As I said in my comment](https://stackoverflow.com/questions/49666459/how-to-prevent-user-from-bypassing-the-quantity-using-the-add-button/49667020?noredirect=1#comment86386241_49667020), put couple of echo statements to debug this issue further, like this: https://pastebin.com/nWw9PWAC. Did you see any error message? Also, I see you didn't change YOUR_USER_ID with your actual userid in the query, change that as well. – Rajdeep Paul Apr 11 '18 at 06:07
  • @RajdeepPaul i did change it , it works slightly well , but now it works like this (E.G. total stocks: 5 , the user can add using the add button until 4 , it should go up to 5 but not higher than 5) – Kim Apr 11 '18 at 06:34
  • @Kim, Ah, I see the problem now. `if(($row['qty'] + 1) < $row['product_qty']){` should be `if(($row['qty'] + 1) <= $row['product_qty']){`, missed `=` sign there. I've updated my answer, it should work fine now. – Rajdeep Paul Apr 11 '18 at 06:36
  • @RajdeepPaul, sir Rajdeep thank you very much, you helped me big time, you're the only one who answered my weird question. Thank you :) – Kim Apr 11 '18 at 06:45
  • @Kim, Glad I could help. :-) Please *accept* the answer to close the question, otherwise this question will be floating around as open question. [How to accept answer on Stack Overflow?](https://meta.stackexchange.com/a/5235) – Rajdeep Paul Apr 11 '18 at 06:57
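The question's handler increments without any stock check, and the answer's SELECT-then-UPDATE still leaves a window where two "Add" requests sent at the same time both pass the check. As an added example (not the asker's or the answer's code), this handler moves the stock check into one UPDATE with bound parameters, so the limit is enforced by the database in a single statement and the client-side `max` / `disabled` tricks become only a convenience. It assumes `$conn` is the mysqli connection from session.php and that the logged-in user's id is in `$_SESSION['userid']`; both are assumptions about this application.

```php
<?php
// Added example, not the original poster's or the answer's code.
// Assumes session.php defines $conn (mysqli) and $_SESSION['userid'].
include('session.php');

function add_one_to_cart(mysqli $conn, int $userId, int $productId): bool
{
    // The stock condition is part of the UPDATE's WHERE clause, so the check
    // and the increment happen atomically: of two racing "Add" requests only
    // as many succeed as product_qty allows. affected_rows tells us which case.
    $sql = "UPDATE cart c
            JOIN product p ON p.productid = c.productid
            SET c.qty = c.qty + 1
            WHERE c.productid = ? AND c.userid = ? AND c.qty + 1 <= p.product_qty";
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    // bound integers: user input never reaches the SQL text
    $stmt->bind_param('ii', $productId, $userId);
    $stmt->execute();
    $changed = ($stmt->affected_rows === 1);
    $stmt->close();
    return $changed;
}

if (isset($_POST['add'], $_POST['id']) && isset($_SESSION['userid'])) {
    // reject anything that is not an integer id before it touches the query
    $productId = filter_var($_POST['id'], FILTER_VALIDATE_INT);
    if ($productId === false) {
        http_response_code(400);
        exit('invalid product id');
    }
    if (add_one_to_cart($conn, (int) $_SESSION['userid'], $productId)) {
        echo 'added';
    } else {
        // either no cart row for this user/product, or qty + 1 would exceed stock
        echo 'cannot add more: stock limit reached';
    }
}
```

Because `affected_rows` is 0 both when the row is missing and when the limit is reached, a page that needs to tell those apart can follow up with a SELECT on the cart row; the guard itself does not depend on that.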