Creating an Online Shopping Cart Mechanism in PHP | WebReference

Creating an Online Shopping Cart Mechanism in PHP

By Leidago Noabeb


Some of the basic requirements for building an online shopping cart are:

  • Allow the customer to add items to the cart
  • Allow for different quantities of each item
  • Allow the customer to alter the quantities of an item
  • Allow the customer to remove items from the cart

In this article, we are going to look at the scripts that make running a shopping cart possible. The sequence of events that lead up to the user adding items to the shopping cart goes as follows:

  1. The user is shown a products page listing the categories (genres) that are available in our store (Pleasure Reading, Inc.).
  2. The user selects a genre to view.
  3. A list of all books in that genre is shown.
  4. The user selects a particular book to view in detail.
  5. The user is given the option to add the book to the shopping cart with the option of selecting the quantity.

When the user clicks on the "add to cart" button, the integration of the online store front with the shopping cart scripts begins. Here is a list of the scripts involved and what each does:

  • Orders.php (The first step in the checkout process) – Collects the user's personal details, such as credit card numbers and delivery address
  • Addtocart.php – Adds items to the shopping cart
  • Showcart.php – Shows the items on the shopping cart
  • Delete.php – Removes items from the shopping cart

The hand-off from the storefront to the shopping cart scripts happens when the user clicks the "Add to cart" button on a page like the book details page shown below.

The Book Details Page

The following code sends the form data to the addtocart.php script:

The form's action attribute shows where the form data is sent. Also note that the quantity and book ID are the only values sent to the addtocart.php script; everything else the script needs comes from the session and the database, not from the browser.

Now let's look at how the form data is handled. Below is the code for the addtocart script:

This script is at the heart of the application, so let's walk through it. It receives two form values:

  1. Book ID – in the form of bid
  2. Quantity – in the form of qty

Both values are untrusted input: they come from the client, not from you, and a user can set them to anything regardless of what the form offers. They therefore have to go through a "cleaning" (validation) process before they touch a query. This is exactly what happens in the first part of the PHP code:

The above code checks whether the book ID value is numeric using the is_numeric() function. I cannot stress enough the importance of doing these checks. Bear in mind, though, that is_numeric() is a loose test: it accepts floats, signed values and exponent notation such as "1e3" (and, before PHP 7, hexadecimal strings such as "0x1A"), none of which is a valid row ID. A stricter check for an integer ID is filter_var($bid, FILTER_VALIDATE_INT) or ctype_digit(), followed by a cast to int. Whatever you use, do the checks, and add other validation as appropriate. Once the code verifies that the value is what it is supposed to be (a positive whole number), we do further filtering by checking whether a book with that ID exists in the database:

If we find that it does not exist, then we redirect the user to the index page:

That's all the filtering we need for the book ID value. Now we need to check the qty value. Both form values are meant to be whole numbers, so the check for qty is the same in kind: confirm that it is numeric. In practice you should also require a positive integer and cap it at a sensible maximum, because zero, negative and absurdly large quantities all pass a plain numeric test but are not valid order lines:

Here you see that I created a new variable called $cqty. The c in the name of the variable indicates that it has been filtered and is "safe" to use in a MySQL query. You will also notice that I've used the mysql_real_escape_string() function to filter the form value. Two caveats: escaping only protects a value that is placed inside quotes in the SQL string, so a number interpolated unquoted (WHERE id = $cqty) is still injectable if the numeric check is ever skipped, because an input like 1 OR 1=1 contains nothing to escape; and the mysql_* extension was removed in PHP 7. Prepared statements with bound parameters (PDO or mysqli) make the escaping step unnecessary and are the approach to use today. By all means, do further filtering as you see fit.

Throughout the code, I used a Boolean variable called $err, which will eventually be key to this whole script. It will help the script decide whether or not to insert the posted data into the database:

If there is no error in the script, the form data is inserted into the cart_track table. Because we started a session by calling the connect.php script, we are also able to get the session ID with the following code:

This session ID is key to identifying the user throughout the shopping process. The session ID together with the current date will make it easy for us to identify a user. Note that this makes the session ID the only credential that ties a cart to a browser: anyone who obtains it (for example from a cookie sent over plain HTTP) can view and modify that cart, so set the session cookie with the HttpOnly and Secure flags and call session_regenerate_id() when the user logs in. Two other functions that I used in this script are ob_start() and ob_end_flush(). They buffer the script's output so that the header() redirect issued later still works, which avoids the "headers already sent" error message when the script is executed.

After everything has been executed and no errors occur, the script redirects the user to the showcart page (see link below) where the contents of the shopping cart are shown together with the total.
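The following is an added example, not the article's own code, showing the addtocart flow described above (validate the book ID, confirm the book exists, validate the quantity, insert a row keyed by the session ID) written with strict integer validation and PDO prepared statements instead of is_numeric() and mysql_real_escape_string(). The table layouts for books and cart_track, the column names, the quantity cap of 99 and the in-memory SQLite database are assumptions made so that it runs offline; the article's connect.php and MySQL tables are not used.

```php
<?php
// Added example (not the article's code): hardened addtocart.php logic.
// Assumptions: tables books(id) and cart_track(session_id, book_id, qty, added)
// are hypothetical layouts chosen for this example; $pdo stands in for the
// connection the article obtains from connect.php.
declare(strict_types=1);

/**
 * Validate the posted book ID and return it as an int, or null if rejected.
 * FILTER_VALIDATE_INT rejects "1e3", "1.5" and "0x1A", all of which
 * is_numeric() accepts (hex only before PHP 7), and min_range rejects 0 and negatives.
 */
function validateBookId($raw): ?int
{
    if (!is_string($raw)) {
        return null; // arrays or missing fields are rejected outright
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Validate the quantity: a positive integer no larger than $max (99 is an assumed cap). */
function validateQty($raw, int $max = 99): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $qty = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    return $qty === false ? null : $qty;
}

/** The article's "does this book exist" check, as a bound query. */
function bookExists(PDO $pdo, int $bookId): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM books WHERE id = :id');
    $stmt->execute([':id' => $bookId]);
    return $stmt->fetchColumn() !== false;
}

/**
 * Add one cart line keyed by the PHP session ID.
 * Returns true when the row was inserted, false when the input was rejected
 * (the article redirects to index.php in that case).
 */
function addToCart(PDO $pdo, string $sessionId, array $post): bool
{
    $bookId = validateBookId($post['bid'] ?? null);
    $qty    = validateQty($post['qty'] ?? null);
    if ($bookId === null || $qty === null || !bookExists($pdo, $bookId)) {
        return false;
    }
    // Values are bound parameters, never interpolated into the SQL string,
    // so no escaping function is needed and none could be forgotten.
    $stmt = $pdo->prepare(
        'INSERT INTO cart_track (session_id, book_id, qty, added) VALUES (:sid, :bid, :qty, :added)'
    );
    $stmt->execute([
        ':sid'   => $sessionId,
        ':bid'   => $bookId,
        ':qty'   => $qty,
        ':added' => date('Y-m-d'),
    ]);
    return true;
}

// Constructed demonstration against an in-memory SQLite database so the
// example runs offline (the article uses MySQL; PDO syntax is the same).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE books (id INTEGER PRIMARY KEY)');
$pdo->exec('CREATE TABLE cart_track (session_id TEXT, book_id INTEGER, qty INTEGER, added TEXT)');
$pdo->exec('INSERT INTO books (id) VALUES (7)');

// Stands in for session_id() after session_start(); constructed for the demo.
$sid = bin2hex(random_bytes(16));

// Constructed POST bodies: one valid line and four that must be rejected.
$cases = [
    ['bid' => '7',        'qty' => '2'],   // valid
    ['bid' => '7',        'qty' => '0'],   // quantity below the minimum
    ['bid' => '1e1',      'qty' => '1'],   // passes is_numeric(), not a row ID
    ['bid' => '7 OR 1=1', 'qty' => '1'],   // injection attempt, nothing to escape
    ['bid' => '42',       'qty' => '1'],   // well-formed ID, no such book
];
foreach ($cases as $post) {
    printf("bid=%-10s qty=%-3s -> %s\n", $post['bid'], $post['qty'],
        addToCart($pdo, $sid, $post) ? 'added' : 'rejected');
}
echo 'rows in cart_track: ', $pdo->query('SELECT COUNT(*) FROM cart_track')->fetchColumn(), "\n";
```

Run it with the PHP CLI and the pdo_sqlite extension enabled. The design point is that validation decides what the value is (a positive integer within bounds) before the database is consulted, and the bound parameter decides how it reaches the query, so neither step depends on the other having been done correctly.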

The Showcart Page

As you can see, the showcart page provides the user with the option to remove an item from the shopping cart. This, along with the orders script, will be the subject of discussion in the next page.