dprnr5559 2011-11-08 18:29
Views 44
Accepted

Inserting shopping cart details into a MySQL database with PHP

I have a shopping cart which at this point in time sends items that are bought by the customer to the database, but now I have included a login system whereby you have to be a member before you purchase an item. I have kept the logged in user in a session and so I am trying to send the session variable to the database as well once an order has been made. At the moment, I have three tables which are customers, orders and order_detail (see the following code):

<?php
session_start();
?>
<?php
if(!isset($_SESSION["username"]))
{
    header("Location: shoppinglogin.php");
    exit; // stop here; without it the order code below still runs for visitors who are not logged in
}
?>

<?php
    include("includes/db.php");
    include("includes/functions.php");

    if($_REQUEST['command']=='update'){
        $name=$_REQUEST['name'];
        $email=$_REQUEST['email'];
        $address=$_REQUEST['address'];
        $phone=$_REQUEST['phone'];

        // customer row first, so its auto-increment id can go on the order
        $result=mysql_query("insert into customers values('','$name','$email','$address','$phone')");
        $customerid=mysql_insert_id();
        $date=date('Y-m-d');
        $result=mysql_query("insert into order values('','$date','$customerid')");
        $orderid=mysql_insert_id();

        // one order_detail row per cart line
        $max=count($_SESSION['cart']);
        for($i=0;$i<$max;$i++){
            $pid=$_SESSION['cart'][$i]['productid'];
            $q=$_SESSION['cart'][$i]['qty'];
            $price=get_price($pid);
            mysql_query("insert into order_detail values ($orderid,$pid,$q,$price)");
        }
        session_unset(); // must run before die(), nothing after die() is executed
        die('Thank You! your order has been placed!');
    }
?>

I have changed it into the following code:

<?php
session_start();
?>
<?php
if(!isset($_SESSION["username"]))
{
    header("Location: shoppinglogin.php");
    exit; // stop here; without it the order code below still runs for visitors who are not logged in
}
?>

<?php
    include("includes/db.php");
    include("includes/functions.php");

    if($_REQUEST['command']=='update'){
        $name=$_REQUEST['name'];
        $email=$_REQUEST['email'];
        $address=$_REQUEST['address'];
        $phone=$_REQUEST['phone'];

        $max=count($_SESSION['cart']);
        for($i=0;$i<$max;$i++){
            $orderid=mysql_insert_id();
            $pid=$_SESSION['cart'][$i]['productid'];
            $q=$_SESSION['cart'][$i]['qty'];
            $price=get_price($pid);
            $date=date('Y-m-d');
            $user=$_SESSION['username'];
            mysql_query("insert into order values ($orderid,$pid,$q,$price,$date,$user)");
        }
        session_unset(); // must run before die(), nothing after die() is executed
        die('Thank You! your order has been placed!');
    }
?>

the code above does not insert anything into my order table.

Thanks

3 answers

  • dsepcxw181184853 2011-11-08 18:34

    Ugh. Database operations with absolutely NO error handling at all. Assuming a DB query succeeds only gets you into situations like this - no clue as to what's wrong.

    At absolutely bare minimum, your DB operations should look like this:

    $sql = "... query goes here ...";
    $result = mysql_query($sql);
    if ($result === FALSE) {
        // abort and report the error text and the query that produced it
        die("Query failed! " . mysql_error() . " " . $sql);
    }
    

    which at least stops the script dead in its tracks, tells you that the query failed, tells you WHY it failed, and tells you what the query was.

    As well, your code is WIDE OPEN to SQL injection attacks. This is especially bad in what is obviously an e-commerce setup. I suggest you immediately SHUT DOWN this system until you've had a chance to read up on this and plug the holes.

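The two points in the accepted answer, error handling and parameterised queries, combined into one checkout handler. This is an added example, not the asker's code or the answer's: it uses PDO with exceptions instead of the mysql_* functions, binds every user-supplied value instead of interpolating it into the SQL, and wraps the customer, order and order_detail inserts in a transaction. Everything not on the page is assumed: the column names (inferred from the positions in the original INSERTs, plus a `username` column on `orders` for the session user), a `products` table with `id` and `price` standing in for the unseen `get_price()`, and the DSN and credentials.

```php
<?php
// Added example: hardened version of the checkout handler from the question.
// Assumed schema (column names guessed from the original INSERT positions):
//   customers(id, name, email, address, phone)
//   orders(id, order_date, customer_id, username)
//   order_detail(order_id, product_id, qty, price)
//   products(id, price)   -- replaces the get_price() helper that is not shown
session_start();

if (!isset($_SESSION['username'])) {
    header('Location: shoppinglogin.php');
    exit; // without exit the rest of the script still runs for anonymous visitors
}

// DSN and credentials are placeholders
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // a failed query throws instead of returning false
    PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares: values never enter the SQL text
]);

function placeOrder(PDO $pdo, array $customer, string $username, array $cart): int
{
    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare(
            'INSERT INTO customers (name, email, address, phone) VALUES (:name, :email, :address, :phone)'
        );
        $stmt->execute([
            ':name'    => $customer['name'],
            ':email'   => $customer['email'],
            ':address' => $customer['address'],
            ':phone'   => $customer['phone'],
        ]);
        $customerId = (int) $pdo->lastInsertId();

        // `orders` is the table name given in the question; bare `order` is a reserved word in MySQL
        $stmt = $pdo->prepare(
            'INSERT INTO orders (order_date, customer_id, username) VALUES (CURDATE(), :cid, :user)'
        );
        $stmt->execute([':cid' => $customerId, ':user' => $username]);
        $orderId = (int) $pdo->lastInsertId();

        // the price is read from the database, not taken from the cart, so the client cannot set it
        $priceStmt  = $pdo->prepare('SELECT price FROM products WHERE id = :pid');
        $detailStmt = $pdo->prepare(
            'INSERT INTO order_detail (order_id, product_id, qty, price) VALUES (:oid, :pid, :qty, :price)'
        );
        foreach ($cart as $line) {
            $pid = (int) $line['productid'];
            $qty = (int) $line['qty'];
            if ($qty < 1) {
                throw new RuntimeException("invalid quantity for product $pid");
            }
            $priceStmt->execute([':pid' => $pid]);
            $price = $priceStmt->fetchColumn();
            if ($price === false) {
                throw new RuntimeException("unknown product $pid");
            }
            $detailStmt->execute([':oid' => $orderId, ':pid' => $pid, ':qty' => $qty, ':price' => $price]);
        }
        $pdo->commit();
        return $orderId;
    } catch (Throwable $e) {
        $pdo->rollBack(); // either the whole order is stored or none of it
        throw $e;
    }
}

if (($_POST['command'] ?? '') === 'update') {
    $customer = [
        'name'    => trim($_POST['name'] ?? ''),
        'email'   => trim($_POST['email'] ?? ''),
        'address' => trim($_POST['address'] ?? ''),
        'phone'   => trim($_POST['phone'] ?? ''),
    ];
    if (!filter_var($customer['email'], FILTER_VALIDATE_EMAIL) || empty($_SESSION['cart'])) {
        http_response_code(400);
        exit('Missing or invalid order details.');
    }
    try {
        $orderId = placeOrder($pdo, $customer, $_SESSION['username'], $_SESSION['cart']);
    } catch (Throwable $e) {
        error_log('order failed: ' . $e->getMessage()); // full detail to the server log, not to the customer
        http_response_code(500);
        exit('Sorry, your order could not be placed.');
    }
    unset($_SESSION['cart']); // clear the cart but keep the login session
    echo 'Thank you! Your order #' . $orderId . ' has been placed.';
}
```

Two points worth noting against the original code: `$_POST` replaces `$_REQUEST` so the checkout cannot be triggered by a crafted link, and the failure message shown to the customer is generic while the SQL error text goes to the log, which is the error-handling the answer asks for without echoing query details to the browser on a production site.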
