Posted: Mon Apr 07, 2003 10:13 am
by wizzard
Well, I work with a company that integrated a module for security orders.
I pay monthly for the module; I didn't make it myself. I only make the shopping cart up to the payment processing.
I only need some help with the updating function.
Posted: Mon Apr 07, 2003 10:31 am
by McGruff
But even if you are working on just one part you could compromise the whole.
For example if you add a form and gather $_POST vars without slashing, someone could hijack a database query.
I usually do this to $_POST data:
htmlspecialchars(addslashes(trim($_POST[])))
But can you tell me why this is unsafe (grabs all post vars in one go)?
<?php
foreach ($_POST as $key=>$value) {
$$key = htmlspecialchars(addslashes(trim($value)));
}
?>
I asked last time if you wanted a form & processor script - will post one if needed.
Posted: Mon Apr 07, 2003 10:59 am
by wizzard
Can you post it or mail it to me the form & processor script?
Posted: Mon Apr 07, 2003 1:16 pm
by McGruff
double post
Posted: Mon Apr 07, 2003 1:17 pm
by McGruff
not again.. sheesh

Posted: Mon Apr 07, 2003 1:17 pm
by McGruff
Let's assume you've got four post vars and a separate html template "form.htm".
Aim the form action at this function.
Set the default values of fields to <?php echo htmlspecialchars($_POST['var1']); ?> etc
It's a little more secure if form field names are NOT the same as mysql column names
You may not need to define the code as a function - slightly more efficient if not.
I didn't test this, but at least it should show the general principle.
<?php
function postPro() {
#print_r($_POST); #DEBUG - turn on to check post vars
// this leg displays the form if a field was not filled in or
// ..if it's the first time they've clicked the link to the form
if (!isset($_POST['var1']) OR !isset($_POST['var2']) OR !isset($_POST['var3']) OR !isset($_POST['var4'])) {
// display form
include('form.htm');
// this leg processes the form
} else {
// grab all the post vars in one go and add 'prefix_' to var names
// ..if you don't, a forged form could potentially over-write any
// ..previously defined variables in the same scope as the foreach loop
// Actually there aren't any free vars to overwrite in this script, but
// ..there could be when you've adjusted it to your needs
// ..PARTICULARLY if you don't encapsulate the code in a function definition
foreach ($_POST as $key=>$value) {
${'prefix_' . $key} = htmlspecialchars(addslashes(trim($value)));
}
// check for existing record (ie already have a cart)
// I'm assuming the cookie stores a customer ID
$mysql = "SELECT * FROM table_name WHERE customer_id='" . $_COOKIE['cookie_name'] . "'";
$query = mysql_query($mysql) or die("Cannot query the database.");
// a cart exists with this customer ID
if (mysql_num_rows($query) == 1) {
$mysql = "UPDATE table_name SET field1='$prefix_var1', field2='$prefix_var2', field3='$prefix_var3', field4='$prefix_var4' WHERE customer_id='" . $_COOKIE['cookie_name'] . "'";
$query = mysql_query($mysql) or die("Cannot query the database.");
// no previous cart for this customer
} elseif (mysql_num_rows($query) == 0) {
// setcookie, do an INSERT query setting customer_id etc
} else {
// this leg triggered if find more than one cart with the customer ID
// ..shouldn't really happen but helps to check everything's working OK
}
echo '<a href="..etc..">Continue link</a>';
}
}
?>
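The variable-overwrite risk described in the comments of the script above, shown as an added example that is not code from the thread. It fills $_POST with constructed data so it runs from the command line, and the extra field name is_admin is a hypothetical name chosen to collide with a variable the script already defines.

```php
<?php
// Added example: why "$$key = ..." over $_POST is unsafe, and how the
// 'prefix_' loop (and a whitelist of expected fields) avoids it.
// Constructed request data; is_admin is a hypothetical forged field.
$_POST = array(
    'var1'     => " O'Reilly <b>",   // constructed user input
    'is_admin' => 'yes',             // field the form never had
);

function naiveImport() {
    $is_admin = 'no';                // variable defined by the script
    foreach ($_POST as $key => $value) {
        $$key = htmlspecialchars(addslashes(trim($value)));
    }
    return $is_admin;                // clobbered by the forged field
}

function prefixedImport() {
    $is_admin = 'no';
    foreach ($_POST as $key => $value) {
        ${'prefix_' . $key} = htmlspecialchars(addslashes(trim($value)));
    }
    return $is_admin;                // untouched: forged field became $prefix_is_admin
}

// Stricter still: read only the fields the script expects, so unknown
// keys are never turned into variables at all. addslashes() is applied
// here for the SQL query; htmlspecialchars() belongs at HTML output time.
function whitelistImport(array $allowed) {
    $clean = array();
    foreach ($allowed as $key) {
        $clean[$key] = isset($_POST[$key]) ? addslashes(trim($_POST[$key])) : '';
    }
    return $clean;
}

echo "naive:    is_admin=" . naiveImport() . "\n";    // yes
echo "prefixed: is_admin=" . prefixedImport() . "\n"; // no
$fields = whitelistImport(array('var1', 'var2'));
echo "whitelisted keys: " . implode(',', array_keys($fields)) . "\n"; // var1,var2
echo "var1 for SQL: '" . $fields['var1'] . "'\n";     // 'O\'Reilly <b>'
```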
Posted: Mon Apr 07, 2003 3:53 pm
by McGruff
er... $_COOKIE['cookie_name'] should be htmlspecialchars(addslashes($_COOKIE['cookie_name'] )) to also make it safe.

Finally working Basket
Posted: Tue Apr 15, 2003 4:10 am
by wizzard
function Updateitem($prodid, $qty)
{
include('config.php');
// count how many prodidN fields the form posted
$counter=0;
foreach ( $_POST as $key => $value )
{
$compare = substr($key, 0, 6);
if($compare=='prodid')
{
$counter++;
}
}
// update each posted product; the $prodid and $qty parameters are
// overwritten here by the posted values. qty is cast to int and prodid
// is escaped so the posted values cannot alter the query.
// GetCartId() and Viewitems() are defined elsewhere in the basket code.
for($i=0;$i<$counter;$i++)
{
$qty = (int) $_POST["qty$i"];
$prodid = addslashes($_POST["prodid$i"]);
mysql_query("update cart set qty = $qty where cookieid = '" . GetCartId() . "' and prodid = '$prodid'") or die("Cannot update the cart.");
}
Viewitems();
}
This is the function I had to make to update the quantity for more than one product. A lot of work.
