
I have hit a roadblock in my programming for a shopping cart for my webstore. Here is my main code for my shopping cart. It has a session for a login and a session for the shopping cart. I have a many-to-many relation between my order table and product table where I need to insert the product id (vare_id), product name (varenavn) and item quantity (kvantum). Most of the code is in English, but some parts are Norwegian. I highly appreciate help as this has been a problem for a long time. I can also add the database if needed, but I don't see that as necessary. Thanks in advance.

<?php
// Initialize the session
session_start();

// Check if the user is logged in, if not then redirect to the login page
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true){
    header("location: Login/login.php");
    exit;
}
$conn = mysqli_connect("localhost", "root", "root", "mydb");
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
if(isset($_POST["add_to_cart"]))
{
    if(isset($_SESSION["shopping_cart"]))
    {
        // Collect the product ids already in the cart so the same product is not added twice
        $item_array_id = array_column($_SESSION["shopping_cart"], "vare_id");
        // The form is POSTed, so the id has to be read from $_POST (the original read $_GET here)
        if(!in_array($_POST["vare_id"], $item_array_id))
        {
            $count = count($_SESSION["shopping_cart"]);
            $item_array = array(
                'vare_id'  => $_POST["vare_id"],       // product id
                'varenavn' => $_POST["hidden_name"],   // product name
                'varepris' => $_POST["hidden_price"],  // product price
                'kvantum'  => $_POST["kvantum"]        // quantity
            );
            $_SESSION["shopping_cart"][$count] = $item_array;
        }
        else
        {
            echo '<script>alert("Item Already Added")</script>';
            echo '<script>window.location="varer.php"</script>';
        }
    }
    else
    {
        // First item: create the cart in the session
        $item_array = array(
            'vare_id'  => $_POST["vare_id"],
            'varenavn' => $_POST["hidden_name"],
            'varepris' => $_POST["hidden_price"],
            'kvantum'  => $_POST["kvantum"]
        );
        $_SESSION["shopping_cart"][0] = $item_array;
    }
}
if(isset($_GET["action"]))
{
    if($_GET["action"] == "delete")
    {
        // Remove the cart line whose product id matches ?vare_id=
        foreach($_SESSION["shopping_cart"] as $keys => $values)
        {
            if($values["vare_id"] == $_GET["vare_id"])
            {
                unset($_SESSION["shopping_cart"][$keys]);
                echo '<script>alert("Item Removed")</script>';
                echo '<script>window.location="varer.php"</script>';
            }
        }
    }
}

// insert_id only holds the AUTO_INCREMENT id of the last INSERT made on this
// connection; nothing has been inserted yet at this point, so it is 0 here.
$last_id = $conn->insert_id;

// The column list needs a comma after bestilling_id, and array elements inside a
// double-quoted string must be wrapped in {} to be interpolated.
// NOTE: the values are still pasted straight into the SQL string; this is the
// SQL injection problem the comments below refer to.
$INSERT = "INSERT INTO bestilling_has_vare (bestilling_id, vare_id, varenavn, kvantum)
    VALUES ('$last_id', '{$_POST["vare_id"]}', '{$_POST["hidden_name"]}', '{$_POST["kvantum"]}')";
if ($conn->query($INSERT) === TRUE) {
    echo "insert complete";
}

$conn->close();
?>
  • Can you more clearly specify what you have a problem with? Does the inserting not work? – KIKO Software Mar 24 '20 at 22:00
  • Yeah, I can see you have trouble with your single and double quotes in the insert query. When you have double quotes inside a double quoted string you should escape it with a backward slash. It should look something like this: `, '{$_POST[\"hidden_name\"]}', `. Your code is also not secure. Look up: "PHP SQL injection". – KIKO Software Mar 24 '20 at 22:18
  • Inserting with direct values works fine, but when I try to use the array and session values it does not work. – Edward Alexander Evjenth Mar 24 '20 at 23:17
  • As @KIKOSoftware mentioned, you're open to [SQL injection](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). You should use [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. The bonus is you won't have to worry about quoting, as prepared statements do that for you. And it might solve your problem. – El_Vanja Mar 24 '20 at 23:34
  • Also check your spelling in the title of the question. "valus" -> "values". – Knut Forkalsrud Mar 25 '20 at 00:00
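The following is an added example, not code from the question or from any answer, showing how the checkout step the comments describe could be written with mysqli prepared statements. It keeps the session cart layout from the question (vare_id, varenavn, varepris, kvantum) and the junction table bestilling_has_vare (bestilling_id, vare_id, varenavn, kvantum). Everything else is an assumption that the page does not show: an order table named `bestilling` with an AUTO_INCREMENT `bestilling_id` and a `bruker_id` column, a product table named `vare` with `vare_id` and `varenavn`, a `bruker_id` stored in the session at login, and a form field named `checkout` that triggers the save. The product name is looked up from the product table by id rather than taken from the hidden form field, because hidden fields are set by the browser and can be edited by the person submitting the form.

```php
<?php
// Added example, not the asker's code. Assumed tables: bestilling(bestilling_id
// AUTO_INCREMENT, bruker_id), vare(vare_id, varenavn); assumed session key
// bruker_id; assumed POST field "checkout". Cart layout as in the question.
declare(strict_types=1);

session_start();
if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
    header("Location: Login/login.php");
    exit;
}

// Make mysqli throw exceptions instead of returning false, so a failed
// statement cannot silently leave a half-written order behind.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli("localhost", "root", "root", "mydb");
$conn->set_charset("utf8mb4");

/**
 * Write one order (bestilling) plus one bestilling_has_vare row per cart line,
 * all inside one transaction. Returns the new bestilling_id.
 * Every value reaches MySQL as a bound parameter, so product names containing
 * quotes are handled correctly and no quoting is done by hand.
 */
function saveOrder(mysqli $conn, int $brukerId, array $cart): int
{
    if ($cart === []) {
        throw new InvalidArgumentException("cart is empty");
    }

    $conn->begin_transaction();
    try {
        $order = $conn->prepare("INSERT INTO bestilling (bruker_id) VALUES (?)");
        $order->bind_param("i", $brukerId);
        $order->execute();
        // insert_id is only valid right after the INSERT that produced it,
        // which is why it is read here and not at the bottom of the script.
        $bestillingId = (int) $conn->insert_id;
        $order->close();

        // The name is fetched by id from the product table, not trusted from the
        // hidden_name form field the browser sent.
        $lookup = $conn->prepare("SELECT varenavn FROM vare WHERE vare_id = ?");
        $line = $conn->prepare(
            "INSERT INTO bestilling_has_vare (bestilling_id, vare_id, varenavn, kvantum)
             VALUES (?, ?, ?, ?)"
        );
        // bind_param binds by reference, so bind once and reassign per iteration.
        $vareId = 0; $navn = ""; $kvantum = 0;
        $lookup->bind_param("i", $vareId);
        $line->bind_param("iisi", $bestillingId, $vareId, $navn, $kvantum);

        foreach ($cart as $item) {
            $vareId  = (int) $item["vare_id"];
            $kvantum = (int) $item["kvantum"];
            if ($kvantum < 1) {
                throw new UnexpectedValueException("quantity must be positive");
            }
            $lookup->execute();
            $row = $lookup->get_result()->fetch_assoc();
            if ($row === null) {
                throw new UnexpectedValueException("unknown product id " . $vareId);
            }
            $navn = (string) $row["varenavn"];
            $line->execute();
        }
        $lookup->close();
        $line->close();
        $conn->commit();
    } catch (Throwable $e) {
        $conn->rollback();
        throw $e;
    }
    return $bestillingId;
}

if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["checkout"])) {
    $cart = $_SESSION["shopping_cart"] ?? [];
    $orderId = saveOrder($conn, (int) $_SESSION["bruker_id"], $cart);
    unset($_SESSION["shopping_cart"]);   // the cart is now persisted, empty it
    echo "Order " . $orderId . " saved with " . count($cart) . " line(s)";
}
$conn->close();
```

The transaction matters as much as the parameter binding: if the third cart line fails (unknown product id, lost connection), the rollback removes the order row and the lines already written, so the database never ends up with an order that lists fewer products than the customer saw in the cart.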

0 Answers