Page 2 of 2

Posted: Mon Apr 07, 2003 10:13 am
by wizzard
Well, I work with a company that integrated a module for secure orders.
I pay monthly for the module; I didn't make this myself. I only make the shopping cart up to the payment processing.

I only need some help with the updating function.

Posted: Mon Apr 07, 2003 10:31 am
by McGruff
But even if you are working on just one part, you could compromise the whole.

For example if you add a form and gather $_POST vars without slashing, someone could hijack a database query.

I usually do this to $_POST data:

htmlspecialchars(addslashes(trim($_POST[])))

But can you tell me why this is unsafe (grabs all post vars in one go)?

<?php
foreach ($_POST as $key=>$value) {
    $$key = htmlspecialchars(addslashes(trim($value)));
}
?>
I asked last time if you wanted a form & processor script - will post one if needed.

Posted: Mon Apr 07, 2003 10:59 am
by wizzard
Can you post the form & processor script, or mail it to me?

Posted: Mon Apr 07, 2003 1:16 pm
by McGruff
double post

Posted: Mon Apr 07, 2003 1:17 pm
by McGruff
not again.. sheesh :oops:

Posted: Mon Apr 07, 2003 1:17 pm
by McGruff
Let's assume you've got four post vars and a separate html template "form.htm".

Aim the form action at this function.

Set the default values of fields to <?php echo htmlspecialchars($_POST['var1']); ?> etc.

It's a little more secure if form field names are NOT the same as mysql column names

You may not need to define the code as a function - slightly more efficient if not.

I didn't test this, but at least it should show the general principle.

<?php

function postPro() {
    
    #print_r($_POST); #DEBUG - turn on to check post vars
    
    // this leg displays the form if a field was not filled in or 
    // ..if it's the first time they've clicked the link to the form
    IF (!isset($_POST['var1']) OR !isset($_POST['var2']) OR !isset($_POST['var3']) OR !isset($_POST['var4'])) {
        // display form
        include('form.htm');
    
    // this leg processes the form
    } ELSE {
        // grab all the post vars in one go and add 'prefix_' to var names
        // ..if you don't, a forged form could potentially over-write any 
        // ..previously defined variables in the same scope as the foreach loop
        // Actually there aren't any free vars to overwrite in this script, but 
        // ..there could be when you've adjusted it to your needs
        // ..PARTICULARLY if you don't encapsulate the code in a function definition
        foreach ($_POST as $key=>$value) {
            ${'prefix_' . $key} = htmlspecialchars(addslashes(trim($value)));
        }
        // check for existing record (ie already have a cart)
        // I'm assuming the cookie stores a customer ID
        $mysql = "SELECT * FROM table_name WHERE customer_id='" . $_COOKIE['cookie_name'] . "'";
        $query = mysql_query($mysql) or die("Cannot query the database.");
    
        // a cart exists with this customer ID
        IF (mysql_num_rows($query) == 1 ) {
            $mysql = "UPDATE table_name SET field1='$prefix_var1', field2='$prefix_var2', field3='$prefix_var3', field4='$prefix_var4' WHERE customer_id='" . $_COOKIE['cookie_name'] . "'";
            $query = mysql_query($mysql) or die("Cannot query the database.");
        
        // no previous cart for this customer
        } ELSEIF (mysql_num_rows($query) == 0) {
            // setcookie, do an INSERT query setting customer_id etc
        
        } ELSE {
            // this leg triggered if find more than one cart with the customer ID
            // ..shouldn't really happen but helps to check everything's working OK
        }
        echo '<a href="..etc..">Continue link</a>';
    }
}
?>
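
Added example, not code from either poster: it demonstrates the point McGruff asked about earlier ("why is grabbing all post vars in one go unsafe?") and the reason for the 'prefix_' comments in postPro() above. The $_POST arrays are constructed for the demo, and $customer_id stands in for any variable the script already trusts before the loop runs.

```php
<?php
// Added example (not from the thread). Shows what a forged form field can do
// when every POST field is turned into a local variable with $$key, and what
// the 'prefix_' version in postPro() prevents.
// The POST arrays below are constructed; $customer_id stands in for a value
// the script trusts (e.g. one read from a session or cookie).

// The shortcut from the earlier post: every POST field becomes a local variable.
function processUnsafe(array $post) {
    $customer_id = 42;                        // trusted value set before the loop
    foreach ($post as $key => $value) {
        $$key = htmlspecialchars(addslashes(trim($value)));
    }
    // if the attacker posted a field called 'customer_id', this is now theirs
    return $customer_id;
}

// The prefixed version from postPro(): a forged field can only create
// $prefix_customer_id, it can never touch $customer_id.
function processPrefixed(array $post) {
    $customer_id = 42;
    foreach ($post as $key => $value) {
        ${'prefix_' . $key} = htmlspecialchars(addslashes(trim($value)));
    }
    return $customer_id;
}

// Same protection without variable variables at all: copy only the fields
// you expect into an array, so an unexpected field name cannot land anywhere.
// $allowed is an assumed list of the form's real field names.
function processWhitelisted(array $post, array $allowed) {
    $clean = array();
    foreach ($allowed as $name) {
        $clean[$name] = isset($post[$name])
            ? htmlspecialchars(addslashes(trim($post[$name])))
            : null;
    }
    return $clean;
}

// constructed submissions: an honest form and one with an extra forged field
$honest = array('var1' => 'a', 'var2' => 'b');
$forged = array('var1' => 'a', 'var2' => 'b', 'customer_id' => '1');

echo "unsafe, honest form:    " . processUnsafe($honest) . "\n";
echo "unsafe, forged form:    " . processUnsafe($forged) . "\n";
echo "prefixed, forged form:  " . processPrefixed($forged) . "\n";
echo "whitelisted, forged form:\n";
print_r(processWhitelisted($forged, array('var1', 'var2')));
```

Run from the command line, processUnsafe() returns 42 for the honest form but 1 for the forged one, because the extra field silently replaced the trusted $customer_id; processPrefixed() returns 42 either way, and the whitelisted version never sees the customer_id field at all. The same thing happens outside a function with register_globals on, which is why the prefix (or the whitelist) matters even more when the loop is not wrapped in a function.
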

Posted: Mon Apr 07, 2003 3:53 pm
by McGruff
er... $_COOKIE['cookie_name'] should be htmlspecialchars(addslashes($_COOKIE['cookie_name'])) to also make it safe.

:oops:

Finally working Basket

Posted: Tue Apr 15, 2003 4:10 am
by wizzard
function Updateitem($prodid, $qty)
{
    // both parameters are overwritten inside the loop below; the function
    // works on the $_POST['prodidN'] / $_POST['qtyN'] pairs from the basket form
    include('config.php');
    $counter = 0;

    // count the prodid0, prodid1, ... fields that were submitted
    foreach ($_POST as $key => $value) {
        if (substr($key, 0, 6) == 'prodid') {
            $counter++;
        }
    }

    $cartid = addslashes(GetCartId());

    for ($i = 0; $i < $counter; $i++) {
        // qty is interpolated unquoted, so cast it to an int;
        // prodid goes inside quotes, so slash it before it enters the query
        $qty    = (int) $_POST["qty$i"];
        $prodid = addslashes($_POST["prodid$i"]);

        @mysql_query("update cart set qty = $qty where cookieid = '$cartid' and prodid = '$prodid'");
    }

    Viewitems();
}

This is the function I had to make to update the quantity for more than one product. A lot of work :(
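
Added example, not code from either poster: it assembles the UPDATE that Updateitem() runs two ways, once with the POST values dropped straight into the string and once with qty cast to int and prodid/cookie id slashed, so the "hijack a database query" risk McGruff mentions (and his cookie correction above) can be seen on real input. The table and column names are the ones from the thread; the POST values are constructed for the demo, and no database connection is needed because only the query strings are built.

```php
<?php
// Added example (not from the thread). Builds the basket UPDATE from
// Updateitem() with raw POST values and with escaped ones, so the difference
// is visible without a database. Table/column names come from the thread;
// the POST values below are constructed.

// POST values interpolated as-is: $qty unquoted, $prodid quoted but not escaped.
function buildUpdateUnsafe($cartId, $prodid, $qty) {
    return "update cart set qty = $qty where cookieid = '$cartId' and prodid = '$prodid'";
}

// Hardened version. (int) is the right tool for qty: addslashes() does nothing
// useful for a value that is not inside quotes. prodid and the cookie id are
// quoted, so slash them. addslashes() is what the thread uses; with a live
// connection mysql_real_escape_string() is preferable because it knows the
// connection charset.
function buildUpdateSafe($cartId, $prodid, $qty) {
    $qty    = (int) $qty;
    $prodid = addslashes($prodid);
    $cartId = addslashes($cartId);
    return "update cart set qty = $qty where cookieid = '$cartId' and prodid = '$prodid'";
}

// constructed submissions: one honest, one with a forged qty, one with a forged prodid
$cartId = 'abc123';
$cases = array(
    'normal'        => array('prodid0' => 'SKU-1',        'qty0' => '2'),
    'forged qty'    => array('prodid0' => 'SKU-1',        'qty0' => '0 where 1=1 -- '),
    'forged prodid' => array('prodid0' => "x' or '1'='1", 'qty0' => '2'),
);

foreach ($cases as $label => $post) {
    echo "[$label]\n";
    echo "  unsafe: " . buildUpdateUnsafe($cartId, $post['prodid0'], $post['qty0']) . "\n";
    echo "  safe:   " . buildUpdateSafe($cartId, $post['prodid0'], $post['qty0']) . "\n";
}
```

The "forged qty" case is the one to look at: the unsafe query becomes update cart set qty = 0 where 1=1 -- where cookieid = ..., which zeroes the quantity in every row of the cart table, not just this customer's; the safe version turns the same input into qty = 0 with the WHERE clause intact. The "forged prodid" case shows the quoted variant, where the closing quote lets or '1'='1' match every row of the cart, and where addslashes() keeps the quote inside the literal.
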